Using libpam to configure SOCKS Dante server
- Tutorial
Good day to all. When I needed to set up SOCKS5, I found that guides on the Internet, and on Habr in particular, use the username method when configuring authentication for dante-server.
This method is by no means safe: with username, Dante verifies credentials against the system password database, so every proxy user has to be a system account. This has been written about more than once (for example), and Dante is often compared with 3proxy, which uses a separate password file for authentication. If you are interested in implementing the same feature in Dante, read on.
I will not describe the installation and basic setup: those articles are long, and in general there is nothing complicated in them. I will only cover the separate password file. All commands are given for Ubuntu, but doing the same on other distributions is not difficult.
Note that for this functionality Dante must be compiled with PAM support. In the installation articles this is reflected by the following line in the configuration status of the source build:
PAM: Enabled
If you install the package from the repository, then PAM is already in its dependencies.
So, for starters, we need additional components:
aptitude install libpam-pwdfile
The libpam-pwdfile package provides the ability to authenticate against a separate file in /etc/passwd format.
After installation, edit the file /etc/pam.d/sockd:
nano /etc/pam.d/sockd
In the file, enter the following:
auth required pam_pwdfile.so pwdfile ${DIR_FOR_PASSWD_FILE}/sockd.passwd
account required pam_permit.so
Here we set the password file for our service. Replace ${DIR_FOR_PASSWD_FILE} with the directory where you will keep the password file (for example /opt/dante).
The password file itself follows the /etc/passwd format: one line per user, with fields separated by colons. The first field is the username, the second is the encrypted (hashed) password.
SomeUser:$1$1bhzkYnM$cfYSzS9Vx17AypWYAnnhn0
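Encrypted passwords can be generated with the mkpasswd utility from the whois package as follows (if the password argument is omitted, mkpasswd prompts for it, which keeps it out of the shell history):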
mkpasswd --method=md5 SomeStrongPassword
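A check worth running on the finished password file, as an added example that is not part of the original article: it flags a file that other local users can access, entries without a hash, duplicate users, and MD5-crypt ($1$) hashes such as the one --method=md5 produces. The function names hash_scheme and audit_pwdfile are hypothetical, and which stronger crypt(3) schemes your libpam-pwdfile build accepts is an assumption to verify before changing the method.

```shell
#!/bin/sh
# Added example (not from the article): audit a pam_pwdfile password file.
# hash_scheme and audit_pwdfile are hypothetical helper names.

# Name the crypt(3) scheme of a hash from its prefix.
hash_scheme() {
    case "$1" in
        '$1$'*) echo md5crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$6$'*) echo sha512crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '$y$'*) echo yescrypt ;;
        *) echo unknown ;;
    esac
}

# Print one finding per line. Status: 0 clean, 1 findings, 2 unreadable file.
# The ( ) body is a subshell, so its variables do not leak into the caller.
audit_pwdfile() (
    file=$1 rc=0 n=0 seen=
    [ -r "$file" ] || { echo "error: cannot read $file"; exit 2; }
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld -- "$file" | cut -c8-10)
    [ "$other" = "---" ] || { echo "perm: other users can access $file ($other)"; rc=1; }
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        n=$((n + 1))
        [ -n "$user" ] || continue    # blank line
        if [ -z "$hash" ]; then
            echo "line $n: user '$user' has no password hash"; rc=1; continue
        fi
        case "$seen" in
            *":$user:"*) echo "line $n: duplicate user '$user'"; rc=1 ;;
        esac
        seen="$seen:$user:"
        case "$(hash_scheme "$hash")" in
            md5crypt) echo "line $n: user '$user' uses md5crypt (fast to brute-force)"; rc=1 ;;
            unknown) echo "line $n: user '$user' has an unrecognised hash format"; rc=1 ;;
        esac
    done < "$file"
    exit "$rc"
)

# Constructed sample: the article's example entry plus two defective lines.
sample=$(mktemp)
chmod 644 "$sample"
printf '%s\n' 'SomeUser:$1$1bhzkYnM$cfYSzS9Vx17AypWYAnnhn0' 'SomeUser:x' 'nohash' > "$sample"
audit_pwdfile "$sample" || true
rm -f "$sample"
```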
With everything prepared, all that remains is to enable the corresponding authentication method in Dante. To do this, edit your /etc/sockd.conf file and change the following line
socksmethod: username
to this
socksmethod: pam.username
Restart Dante, and authentication now goes through the separate password file.
PS
The PAM service name that Dante uses by default is sockd. If you want to use the libpam-pwdfile configuration file of another, already configured service, or to use several configurations, you can set the pamservicename directive in the Dante configuration file. Usage example:
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    # the servicename should differ from the servicename in socks-rules
    pamservicename: pam_host
}
For a more complete understanding of the use of this directive, I recommend referring to the Dante documentation, the link to which is given below.
Materials Used:
Dante Documentation. PAM Authentication
Description of the libpam-pwdfile module on GitHub