Template Version: @(#)onepager.txt 1.35 07/11/07 SMI Copyright 2007 Sun Microsystems 1. Introduction 1.1. Project/Component Working Name: Dante: A Socks server and client implementation 1.2. Name of Document Author/Supplier: Mayuresh Nirhali 1.3. Date of This Document: 08/26/2008 1.3.1. Date this project was conceived: N/A 1.4. Name of Major Document Customer(s)/Consumer(s): 1.4.1. The PAC or CPT you expect to review your project: Solaris 1.4.2. The ARC(s) you expect to review your project: PSARC 1.4.3. The Director/VP who is "Sponsoring" this project: Chris.Armes@Sun.COM 1.4.4. The name of your business unit: Solaris - RPE 1.5. Email Aliases: 1.5.1. Responsible Manager: Lukas.Rovensky@Sun.COM 1.5.2. Responsible Engineer: Mayuresh.Nirhali@Sun.COM 1.5.3. Marketing Manager: 1.5.4. Interest List: sfwnv-discuss@opensolaris.org 2. Project Summary 2.1. Project Description: Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server. Dante runs on to have external network connectivity. 2.2. Risks and Assumptions: Dante is a third party Socks server and client implementation. The current version (1.1.19) is stable and it was released in January 2006. Since then, there has been no releases of this product. Any bugs found for this product will be redirected to the owners. Considering that there seems to be no active development on this product since 2006, the bugs/issues may take longer to resolve. 2.3. SMF Dante SOCKS server will be managed as a SMF service. The Dante server would run with Least Privilege specified through the SMF manifest. It would not need to have any of the SUID/SGID bits in the file system to be set nor would the daemon itself need an RBAC entry, because SMF 'start' method would set the privileges and UID/GID as necessary for normal operation. SMF service for Dante SOCKS server will be added under network category as network/socks. The package will add the manifest file and the SMF method as below, /var/svc/manifest/network/socks.xml /lib/svc/method/socks Method credentials for dante SMF service will be "root" user and "root" group. See Section 4.11 (Security Impact) for more details. The SMF service for Dante will be disabled by default. Dante socks server reads the confirguration file when started. The configuration file requires certain parameters to be specified for the server to run (e.g. the address/interface and port for all the incoming requests). Since there cannot be any plausible default value to such parameters, the config file still needs to be used although it is not a recommended practice for SMF. The socks server will go into maintenance mode if configuration file is not updated with valid values to the necessary parameters. Hence, to enable dante server, first, the /etc/sockd.conf should be populated with valid information and then, the service should be enabled. 3. Business Summary 3.1. Problem Area: Dante provides convinient and secure network connectivity from behind a firewall using Socks protocol. Dante is a free implementation of the proxy protocols socks version 4, socks version 5 (rfc1928) and msproxy. It can be used as a firewall between networks. 3.2. Market/Requester: OpenSolaris Community 3.3. Business Justification: Integration of Dante will allow the Solaris host to act as a Socks server. Dante's client implementation allows users to connect outside their secured network in a user friendly manner. Such socks client-server implementation has been missing from Solaris. Currently, in order to have socks server/client functionality on Solaris, the users need to compile-install dante (or similar implementation) on their own. The seamless integration of Dante with other Solaris features (such as SMF) will provide better out-of-the-box usability. 3.4. Competitive Analysis: Most of the other Unix based Operating systems support Dante. The competitors in this regard are really the Operating Systems that include such functionality today. 3.5. Opportunity Window/Exposure: The third party product is ready to be integrated. 3.6. How will you know when you are done?: The product is ready to be integrated. 4. Technical Description: 4.1. Details: http://www.inet.no/dante/ Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity. Once installed, Dante can in most cases be made transparent to the clients while offering detailed access control and logging facilities to the server administrator. 4.2. Bug/RFE Number(s): 6661961 4.3. In Scope: 4.4. Out of Scope: 4.5. Interfaces: This integration will not modify or delete any interfaces. It will add one binary for the server (/usr/sbin/sockd) and another script for the client (/usr/bin/socksify). In addition, this package will also add 2 shared libraries as below, /usr/lib/libdsocks.so /usr/lib/libsocks.so The /usr/bin/socksify script will load the dynamic libraries mentioned above to "socksify" existing applications to become socks clients. For the server, /etc/sockd.conf will be used as a configuration file, and for the client, /etc/socks.conf will be used for configuration. This package will not import any interfaces, the exported interfaces can be summarized in the following manner, +----------------------------------------------------------------------------+ | | Interface Name | Classification | Comments | |----------------------------------------------------------------------------| | 1 | libdsocks.so | Project Private | SOCKS daemon library | | |---------------------+--------------------------------------------------| | 2 | libsocks.so | Committed | SOCKS library | | |---------------------+--------------------------------------------------| | 3 | socksify | Uncommitted | SOCKS client script | | |---------------------+--------------------------------------------------| | 4 | sockd | Uncommitted | SOCKS server daemon | | |---------------------+--------------------------------------------------| | 5 | socks.conf | Uncommitted | Client configuration file | | |---------------------+--------------------------------------------------| | 6 | sockd.conf | Uncommitted | Server configuration file | | |---------------------+--------------------------------------------------| | 7 | SUNWlibsocks | Public/Committed | Client package | | |---------------------+--------------------------------------------------| | 8 | SUNWdanteu | Public/Committed | Server package (User) | | |---------------------+--------------------------------------------------| | 9 | SUNWdanter | Public/Committed | Server package (Root) | | |---------------------+--------------------------------------------------| |10 | network/socks | Public/Committed | SMF Service name | | |---------------------+--------------------------------------------------| |11 | sockd | Uncommitted | PAM Servicename | +----------------------------------------------------------------------------+ 4.6. Doc Impact: This integration will correctly add man entries. None of the existing man entries will be touched. The new man entries are as below, /usr/man/man1m/sockd.1m /usr/man/man1/socksify.1 /usr/man/man4/sockd.conf.4 /usr/man/man4/socks.conf.4 4.7. Admin/Config Impact: The package will also provide template of configuration files for both server and client. The templates for these configureation files are attached. /etc/sockd.conf /etc/socks.conf 4.8. HA Impact: N/A 4.9. I18N/L10N Impact: None. The error messages are not localized. 4.10. Packaging & Delivery: Both server and client will be installed with following packages. SUNWlibsocks Dante - A Socks client implementation SUNWdanter Dante - A Socks server implementation, Root SUNWdanteu Dante - A Socks server implementation, User 4.11. Security Impact: Socks Server and client will depend on the port configured in the respective configuration file for network connectivity. The server configuration file defines two variables as, user.privileged and user.notprivileged. These 2 variables can have a list of userids separated by comma. The server implementation calls seteuid function to switch between privileged and notprivileged users. Upon start, the server switches the effective id from the user who started the binary to the specified user.notprivileged. Later, for all the privileged operations (e.g. PAM authentication), the server sets the effective user ID from user.notprivileged to specified user.privileged by calling seteuid function. The behavior as described above is not a recommended practice with Solaris. Instead of switching between user IDs for privileged and non-privileged operations, Solaris recommends to acquire and release specific privileges for such privileged actions which provide better and fine grained control. However, the dante server implementation does not use the privilege mechanism and depends on the 2 users defined in the configuration file. The default/sample configuration file will have user.notprivileged as 'daemon' and the user.privileged will be set to 'root'. The reason why user.privileged need to be root is because pam_authenticate(3pam) requires all privileges and user ID as 0. By default, Dante server will use port 1080, the port can be configured in /etc/sockd.conf file. Please note that if a reserved port is configured then the dante server will bind to it successfully, as the user.privileged is set to 'root'. 4.11.1 PAM Authentication Dante server confirms to the PAM policy specified for the User Identification and Authentication. During authentication, the server makes calls to following functions in order, pam_start() pam_set_item() pam_authenticate() pam_acct_mgmt() pam_end() Please note that before starting the pam authentication, dante server calls seteuid() to switch to the specified privileged user. In Solaris, PAM requires all privileges and user ID 0 and hence it is necessary that user.privileged should be set to 'root' in the /etc/sockd.conf file. 4.12. Dependencies: The socks server mainly depends on the available support for PAM. The details of dependencies are as below, bash-3.00# ldd libsocks.so libpam.so.1 => /lib/libpam.so.1 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 libresolv.so.2 => /lib/libresolv.so.2 libc.so.1 => /lib/libc.so.1 libmp.so.2 => /lib/libmp.so.2 libmd.so.1 => /lib/libmd.so.1 libscf.so.1 => /lib/libscf.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 libm.so.2 => /lib/libm.so.2 The output of ldd command for libdsocks.so shows exactly the same output as above. bash-3.00# ldd /usr/sbin/sockd libwrap.so.1 => /usr/lib/libwrap.so.1 libpam.so.1 => /lib/libpam.so.1 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 libresolv.so.2 => /lib/libresolv.so.2 libc.so.1 => /lib/libc.so.1 libmp.so.2 => /lib/libmp.so.2 libmd.so.1 => /lib/libmd.so.1 libscf.so.1 => /lib/libscf.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 libm.so.2 => /lib/libm.so.2 The SMF service for Dante server does not depend on any other specific service. 5. Reference Documents: http://www.inet.no/dante/ 6. Resources and Schedule: 6.1. Projected Availability: Integration targeted for Indiana release. 6.2. Cost of Effort: Minimum. One resource for integration in SFW consolidation. 6.3. Cost of Capital Resources: None 6.4. Product Approval Committee requested information: 6.4.1. Consolidation or Component Name: SFW 6.4.3. Type of CPT Review and Approval expected: FASTTRACK 6.4.4. Project Boundary Conditions: None 6.4.5. Is this a necessary project for OEM agreements: No 6.4.6. Notes: 6.4.7. Target RTI Date/Release: Indiana Release 6.4.8. Target Code Design Review Date: 6.4.9. Update approval addition: 6.5. ARC review type: FastTrack 6.6. ARC Exposure: OPEN 6.6.1. Rationale: 7. Prototype Availability: 7.1. Prototype Availability: N/A 7.2. Prototype Cost: N/A