не удалось аутентифицировать socks5 (danted) с именем пользователя

не удалось аутентифицировать socks5 (danted) с именем пользователя

Я не могу настроить аутентификацию по имени пользователя для socks5 с помощью dante и socksmethod: usernameметода.

ubuntu@ip-10-120-108-135:~$ uname -a
Linux ip-10-120-108-135 5.19.0-1025-aws #26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

/etc/danted.conf

# errorlog: syslog
logoutput: syslog
user.privileged: root
user.unprivileged: nobody
debug: 1

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: ens5

# socks-rules determine what is proxied through the external interface.
# socksmethod: username
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    log: error connect disconnect
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

socks pass {
    from: 111.222.333.444/32 to: 0.0.0.0/0
    command: bind connect udpassociate
    protocol: tcp udp
    log: error connect disconnect iooperation
    socksmethod: username
    user: dante
}

socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

создал пользователя:

sudo useradd -r -s /bin/false dante
sudo usermod --password SOMEPazz dante

пытаюсь подключиться:

✗  curl -v -x socks5://dante:[email protected]:1080 ipinfo.io/ip
*   Trying 55.55.55.555:1080...
* User was rejected by the SOCKS5 server (1 1).
* Closing connection 0
curl: (97) User was rejected by the SOCKS5 server (1 1).

и в логах я вижу это:

Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"

полные логи:

ubuntu@ip-10-120-108-135:~$ tail -f /var/log/syslog | grep dante
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35054]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: postconfigloadinit(): I am a request-child
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: request_postconfigload()
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: addchild(): I am a new request-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:15 ip-10-120-108-135 danted[35055]: debug: sockd_print_child_ready_message(): I'm request-child and ready to serve with 524278 free fds and 1 free slot
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: accepted tcp client 111.222.333.444.55484 on address 0.0.0.0.1080, fd 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sending client 111.222.333.444.55484 to negotiate-child (pid 35039 with 96 slots free)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: send_client(): buflen = 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): current # of free negotiate-child slots is 95, configured minimum is 96: need to add more negotiate-children
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): type is negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 55: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 56: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 52: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: setnonblocking(): fd 54: pipe between moter and child
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_priv(): switching privilege 6 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): highest fd in use at the moment: 56
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: addchild(): created new negotiate-child with pid 35059, data-pipe 52 and ack-pipe 55.  Minimum rcvbuf: 24536, set: 49072 and 49072.  Minimum sndbuf: 2355456, set: 4710912 and 4710912
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: childcheck(): added child, pid 35059
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): 111.222.333.444.55484 -> 10.120.108.135.1080, clientauth N/A, srcauth notset, command accept, fd 10 from 111.222.333.444.55484, accepted on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): trying to match against client-rule-rule #1, verdict = pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 111.222.333.444/32 against IPv4 address 111.222.333.444.55484 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: addrmatch(): matching ruleaddress IPv4 address 0.0.0.0/0 against IPv4 address 10.120.108.135.1080 for protocol tcp, without alias
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method notset is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): changing authmethod from -1 to 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: none, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method none is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): authentication matched
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: rulespermit(): rule matched: 1 (client-rule), verdict pass
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through options, looking for tcp socket options for fd 10 (in: 10) on the internal side
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through global array with 0 options, looking for globals matching 6 (post-establishment or any time)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: setconfsockoptions(): going through local array with 0 options, looking for locals matching 6
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): cinfo: 111.222.333.444.55484
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: shmem_userule(): shmids in client-rule #1: bw_shmid 0 ((nil)), mstats_shmid 0 ((nil)), ss_shmid 0 ((nil))
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: pass(1): tcp/accept [: 111.222.333.444.55484 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_allocbuffer(): fd 10, stype = 1
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recvmsgn(): recvmsg() on fd 7 failed, received -1 bytes: Resource temporarily unavailable
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_negotiate(): recvmsg() from mother returned -1 after having received 1 new clients (0 failed/blocked clients).  errno = 11 (Resource temporarily unavailable)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): initiating negotiation with client at 111.222.333.444.55484 which connected to us on 10.120.108.135.1080
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): client 111.222.333.444.55484 offered 3 authentication methods: 0x0 (none), 0x1 (gssapi), 0x2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): socksmethod to use not set, selecting amongst the following 1 method: username
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_methods(): sending authentication reply: VER: 5 METHOD: 2 (username)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 2, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 191, reqc: 16, ioc: 32
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: postconfigloadinit(): I am a negotiate-child
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_setcpusettings(): old cpu scheduling policy/priority: other/0, new: other/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: negotiate_postconfigload()
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: addchild(): I am a new negotiate-child with data-pipe 7 and ack-pipe 8
Sep 10 19:31:19 ip-10-120-108-135 danted[35059]: debug: sockd_print_child_ready_message(): I'm negotiate-child and ready to serve with 524278 free fds and 96 free slots
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: recv_clientrequest(): fd 10, client 111.222.333.444.55484, state->complete: 0, read so far: 5
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method pam.username is set in the list (1) "username"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passworddbisunique(): returning 2
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): method: username, 111.222.333.444.55484 -> 10.120.108.135.1080 
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (1) "none"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: methodisset(): checking if method username is set in the list (0) ""
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: passwordcheck(): name = dante, password = <cleartextpw>
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 on
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 65534/65534, new: 0/0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_priv(): switching privilege 1 off
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: sockd_setugid(): old uid/gid: 0/0, new: 65534/65534
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: accesscheck(): no match for authentication: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: run_negotiate(): recv_clientrequest() from client 111.222.333.444.55484 returned 1, errno is 0 (no error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: info: block(1): tcp/accept ]: 111.222.333.444.55484 10.120.108.135.1080: error after reading 29 bytes in 0 seconds: system password authentication failed for user "dante"
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: delete_negotiate(): forwardedtomother: 0
Sep 10 19:31:19 ip-10-120-108-135 danted[35039]: debug: socks_freebuffer(): fd 10
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: main(): selectn() returned 1 (no system error)
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): command 1 from negotiate-child 35039
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: handlechildcommand(): negotiate-child 35039 has freed a TCP slot, now has 96 slots free
Sep 10 19:31:19 ip-10-120-108-135 danted[35036]: debug: calling select().  Free negc: 192, reqc: 16, ioc: 32


решение1

Причина, по которой соединение блокируется Dante, заключается в том, что вы установили неправильный пароль. Параметр "--password" для usermod(8) ожидает, что аргумент пароля будет зашифрованным паролем. Цитата:

" -p, --password ПАРОЛЬ определяет новый пароль для пользователя. Ожидается, что ПАРОЛЬ будет зашифрован, как возвращает crypt (3). "

Но и curl, и Dante ожидают, что предоставленный вами пароль будет открытым текстом. Вам нужно задать пароль пользователя с помощью какой-то программы, которая ожидает, что вводимый пароль будет открытым текстом, шифрует его и записывает зашифрованный пароль в файл паролей, например, passwd(1).

Связанный контент