no se puede autenticar calcetines5 (danted) con el nombre de usuario

no se puede autenticar calcetines5 (danted) con el nombre de usuario

No puedo configurar la autenticación de nombre de usuario para calcetines5 usando dante y socksmethod: usernameel método.

ubuntu@ip-10-120-108-135:~$ uname -a
Linux ip-10-120-108-135 5.19.0-1025-aws #26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

/etc/danted.conf

# errorlog: syslog
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
debug: 1

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: ens5

# socks-rules determine what is proxied through the external interface.
# socksmethod: username
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    log: error connect disconnect
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

socks pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    command: bind connect udpassociate
    protocol: tcp udp
    log: error connect disconnect iooperation
    socksmethod: username
    user: dante
}

socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

creó el usuario:

sudo useradd -r -s /bin/false dante
sudo usermod --password SOMEPazz dante

intentando conectar:

✗  curl -v -x socks5://dante:[email protected]:1080 ipinfo.io/ip
*   Trying 55.55.55.555:1080...
* User was rejected by the SOCKS5 server (1 1).
* Closing connection 0
curl: (97) User was rejected by the SOCKS5 server (1 1).

y en los registros veo esto:

Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"

registros completos:

ubuntu@ip-10-120-108-135:~$ tail -f /var/log/syslog | grep dante
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: accepted tcp client 111.222.333.444.55484 on address 0.0.0.0.1080, fd 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sending client 111.222.333.444.55484 to negotiate-child (pid 35039 with 96 slots free)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: send_client(): buflen = 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): current # of free negotiate-child slots is 95, configured minimum is 96: need to add more negotiate-children
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): type is negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 55: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 56: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 52: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 54: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): highest fd in use at the moment: 56
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): created new negotiate-child with pid 35059, data-pipe 52 and ack-pipe 55.  Minimum rcvbuf: 24536, set: 49072 and 49072.  Minimum sndbuf: 2355456, set: 4710912 and 4710912
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): added child, pid 35059
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): 111.222.333.444.55484 -> 10.120.108.135.1080, clientauth N/A, srcauth notset, command accept, fd 10 from 111.222.333.444.55484, accepted on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): trying to match against client-rule-rule #1, verdict = pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 111.222.333.444/32 against IPv4 address 111.222.333.444.55484 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 0.0.0.0/0 against IPv4 address 10.120.108.135.1080 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method notset is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): changing authmethod from -1 to 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: none, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): authentication matched
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): rule matched: 1 (client-rule), verdict pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through options, looking for tcp socket options for fd 10 (in: 10) on the internal side
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through global array with 0 options, looking for globals matching 6 (post-establishment or any time)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through local array with 0 options, looking for locals matching 6
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): cinfo: 111.222.333.444.55484
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): shmids in client-rule #1: bw_shmid 0 ((nil)), mstats_shmid 0 ((nil)), ss_shmid 0 ((nil))
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: pass(1): tcp/accept [: 111.222.333.444.55484 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_allocbuffer(): fd 10, stype = 1
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recvmsgn(): recvmsg() on fd 7 failed, received -1 bytes: Resource temporarily unavailable
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_negotiate(): recvmsg() from mother returned -1 after having received 1 new clients (0 failed/blocked clients).  errno = 11 (Resource temporarily unavailable)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): initiating negotiation with client at 111.222.333.444.55484 which connected to us on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): client 111.222.333.444.55484 offered 3 authentication methods: 0x0 (none), 0x1 (gssapi), 0x2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): socksmethod to use not set, selecting amongst the following 1 method: username
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): sending authentication reply: VER: 5 METHOD: 2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 2, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 191, reqc: 16, ioc: 32
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: postconfigloadinit(): I am a negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: negotiate_postconfigload()
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: addchild(): I am a new negotiate-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_print_child_ready_message(): I'm negotiate-child and ready to serve with 524278 free fds and 96 free slots
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 5
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method pam.username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passworddbisunique(): returning 2
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: username, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passwordcheck(): name = dante, password = <cleartextpw>
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: delete_negotiate(): forwardedtomother: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_freebuffer(): fd 10
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): command 1 from negotiate-child 35039
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): negotiate-child 35039 has freed a TCP slot, now has 96 slots free
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 192, reqc: 16, ioc: 32


Respuesta1

La razón por la que Dante bloquea la conexión es porque has establecido una contraseña incorrecta. La opción "--password" de usermod(8) espera que el argumento de contraseña sea la contraseña cifrada. Citar:

" -p, --password PASSWORD define una nueva contraseña para el usuario. Se espera que PASSWORD esté cifrada, como lo devuelve crypt (3). "

Pero tanto curl como Dante esperan que la contraseña que proporcione sea la contraseña de texto sin cifrar. Debe configurar la contraseña del usuario a través de algún programa que espera que la entrada de la contraseña sea texto sin cifrar, la cifra y escribe la contraseña cifrada en el archivo de contraseña, por ejemplo, passwd(1).

información relacionada