socks5 (danted) kann mit Benutzername nicht authentifiziert werden

2024-6-23 • tag-icon

socks5 (danted) kann mit Benutzername nicht authentifiziert werden

`socksmethod: username`Ich kann mit Dante und Methode keine Benutzernamenauthentifizierung für Socks5 einrichten .

ubuntu@ip-10-120-108-135:~$ uname -a
Linux ip-10-120-108-135 5.19.0-1025-aws #26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

/etc/danted.conf

# errorlog: syslog
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
debug: 1

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: ens5

# socks-rules determine what is proxied through the external interface.
# socksmethod: username
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    log: error connect disconnect
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

socks pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    command: bind connect udpassociate
    protocol: tcp udp
    log: error connect disconnect iooperation
    socksmethod: username
    user: dante
}

socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

Der Benutzer wurde erstellt:

sudo useradd -r -s /bin/false dante
sudo usermod --password SOMEPazz dante

Versuche zu verbinden:

✗  curl -v -x socks5://dante:[email protected]:1080 ipinfo.io/ip
*   Trying 55.55.55.555:1080...
* User was rejected by the SOCKS5 server (1 1).
* Closing connection 0
curl: (97) User was rejected by the SOCKS5 server (1 1).

und in den Protokollen sehe ich Folgendes:

Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"

vollständige Protokolle:

ubuntu@ip-10-120-108-135:~$ tail -f /var/log/syslog | grep dante
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: accepted tcp client 111.222.333.444.55484 on address 0.0.0.0.1080, fd 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sending client 111.222.333.444.55484 to negotiate-child (pid 35039 with 96 slots free)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: send_client(): buflen = 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): current # of free negotiate-child slots is 95, configured minimum is 96: need to add more negotiate-children
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): type is negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 55: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 56: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 52: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 54: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): highest fd in use at the moment: 56
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): created new negotiate-child with pid 35059, data-pipe 52 and ack-pipe 55.  Minimum rcvbuf: 24536, set: 49072 and 49072.  Minimum sndbuf: 2355456, set: 4710912 and 4710912
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): added child, pid 35059
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): 111.222.333.444.55484 -> 10.120.108.135.1080, clientauth N/A, srcauth notset, command accept, fd 10 from 111.222.333.444.55484, accepted on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): trying to match against client-rule-rule #1, verdict = pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 111.222.333.444/32 against IPv4 address 111.222.333.444.55484 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 0.0.0.0/0 against IPv4 address 10.120.108.135.1080 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method notset is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): changing authmethod from -1 to 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: none, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): authentication matched
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): rule matched: 1 (client-rule), verdict pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through options, looking for tcp socket options for fd 10 (in: 10) on the internal side
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through global array with 0 options, looking for globals matching 6 (post-establishment or any time)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through local array with 0 options, looking for locals matching 6
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): cinfo: 111.222.333.444.55484
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): shmids in client-rule #1: bw_shmid 0 ((nil)), mstats_shmid 0 ((nil)), ss_shmid 0 ((nil))
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: pass(1): tcp/accept [: 111.222.333.444.55484 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_allocbuffer(): fd 10, stype = 1
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recvmsgn(): recvmsg() on fd 7 failed, received -1 bytes: Resource temporarily unavailable
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_negotiate(): recvmsg() from mother returned -1 after having received 1 new clients (0 failed/blocked clients).  errno = 11 (Resource temporarily unavailable)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): initiating negotiation with client at 111.222.333.444.55484 which connected to us on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): client 111.222.333.444.55484 offered 3 authentication methods: 0x0 (none), 0x1 (gssapi), 0x2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): socksmethod to use not set, selecting amongst the following 1 method: username
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): sending authentication reply: VER: 5 METHOD: 2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 2, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 191, reqc: 16, ioc: 32
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: postconfigloadinit(): I am a negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: negotiate_postconfigload()
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: addchild(): I am a new negotiate-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_print_child_ready_message(): I'm negotiate-child and ready to serve with 524278 free fds and 96 free slots
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 5
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method pam.username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passworddbisunique(): returning 2
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: username, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passwordcheck(): name = dante, password = <cleartextpw>
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: delete_negotiate(): forwardedtomother: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_freebuffer(): fd 10
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): command 1 from negotiate-child 35039
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): negotiate-child 35039 has freed a TCP slot, now has 96 slots free
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 192, reqc: 16, ioc: 32

Antwort1

Der Grund, warum die Verbindung von Dante blockiert wird, ist, dass Sie das falsche Passwort festgelegt haben. Die Option „--password“ für usermod(8) erwartet, dass das Passwortargument das verschlüsselte Passwort ist. Zitat:

" -p, --password PASSWORD definiert ein neues Passwort für den Benutzer. PASSWORD wird verschlüsselt erwartet, wie von crypt (3) zurückgegeben. "

Aber sowohl curl als auch Dante erwarten, dass das von Ihnen eingegebene Passwort im Klartext vorliegt. Sie müssen das Passwort des Benutzers über ein Programm festlegen, das erwartet, dass das eingegebene Passwort im Klartext vorliegt, es verschlüsselt und das verschlüsselte Passwort in die Passwortdatei schreibt, z. B. passwd(1).

socksmethod: usernameIch kann mit Dante und Methode keine Benutzernamenauthentifizierung für Socks5 einrichten .

Antwort1

verwandte Informationen

`socksmethod: username`Ich kann mit Dante und Methode keine Benutzernamenauthentifizierung für Socks5 einrichten .