Hi,

   We have a Gauntlet Firewall, across which we are
permitting certain ssh connections. We would like to also do
that for SSLtelnet and SSLftp in order to have as much
encrypted traffic as possible. We are however facing a bit
of a problem with SSLftp. SSLtelnet seems to work like a
charm.

   The problem arises when connecting from a host inside of
the firewall to a host outside of the firewall. On the
outside of the firewall we have a machine with the following
lines in /etc/inetd.conf.

ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/sbin/ftpd -l -z secure
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/sbin/telnetd -l -z secure

   We thus insist on having the encryption, as the -z secure
option implies. I should mention that everything works
perfectly when two hosts from the outside or two hosts from
the inside connect to each other. It is only when the
connection has to cross the firewall that problems
arise. Now, let's connect from the inside to the outside with
SSLtelnet and SSLftp. We set up a visitor account on the
outside machine and try to establish a connection.

   SSLtelnet : No problems.

   SSLftp : I get the following session.

ftp somehost
Connected to somehost
220 somehost FTP server (SSLftp 0.10) ready.
Name (somehost:visitor): visitor
551 Userid nonexistent
SSL not available
504 SSL is mandatory.
Login failed.
ftp> bye
221 Goodbye.

   In connection with that I get the following in the syslog
of the firewall.

Sep 29 08:49:30 5D:firewall netacl-ftpd[23205]: permit host=????????.??.??.??/??.???.???.??? service=netacl-ftpd dest=???.???.???.??? port=21 execute=/usr/etc/ftp-gw
Sep 29 08:49:30 5D:firewall ftp-gw[23205]: permit host=????????.??.??.??/??.???.???.??? connect to ???.???.???.???
Sep 29 08:49:35 5D:firewall authsrv[23206]: BADAUTH SSL (ftp-gw ????????.??.??.??/??.???.???.???)
Sep 29 08:49:38 5D:firewall ftp-gw[23205]: exit host=????????.??.??.??/??.???.???.??? cmds=3 in=0 out=0 user=unauth duration=8

   I guess that the most interesting part is the BADAUTH
SSL line, which is of course not present in my telnet
sessions. This SSLftp apparently does require something
which SSLtelnet does not, but what could that be? I have not
been able to track down the problem so far. Maybe one of you
has an idea. In that case, I would very much appreciate any
reply.

   Thanks in advance.

   Best Regards.

     Thomas.

----------------------------------------------------------------------
Cand. Scient. Thomas Lorenzen               Phone : (+ 45) 35 32 02 50
Department of Chemistry                       Fax : (+ 45) 35 32 02 59
University of Copenhagen                     Mail : [EMAIL PROTECTED]
DK, 2100 Copenhagen, Denmark   Homepage : http://theochem.ki.ku.dk/~tl
----------------------------------------------------------------------
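One defender-side way to pick such sessions out of the Gauntlet syslog, as an added example that is not part of the original post: it correlates ftp-gw permit/exit lines by pid with authsrv BADAUTH SSL lines by client host and reports the sessions that exited with user=unauth after a failed SSL authentication. The sample log lines and host names are constructed stand-ins for the masked ones above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ftp-gw / authsrv syslog layout quoted in the
# post; host names and addresses are placeholders, not real systems.
SAMPLE_SYSLOG = """\
Sep 29 08:49:30 5D:firewall netacl-ftpd[23205]: permit host=inside.example/10.0.0.5 service=netacl-ftpd dest=192.0.2.10 port=21 execute=/usr/etc/ftp-gw
Sep 29 08:49:30 5D:firewall ftp-gw[23205]: permit host=inside.example/10.0.0.5 connect to 192.0.2.10
Sep 29 08:49:35 5D:firewall authsrv[23206]: BADAUTH SSL (ftp-gw inside.example/10.0.0.5)
Sep 29 08:49:38 5D:firewall ftp-gw[23205]: exit host=inside.example/10.0.0.5 cmds=3 in=0 out=0 user=unauth duration=8
Sep 29 09:10:02 5D:firewall ftp-gw[23310]: permit host=inside.example/10.0.0.7 connect to 192.0.2.10
Sep 29 09:10:40 5D:firewall ftp-gw[23310]: exit host=inside.example/10.0.0.7 cmds=12 in=4096 out=512 user=alice duration=38
"""

# timestamp, logging host, program[pid]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')          # key=value pairs inside the message


def parse_line(line):
    """Split one syslog line into its parts; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = dict(KV_RE.findall(rec['msg']))
    return rec


def find_failed_ssl_sessions(text):
    """Return one record per ftp-gw session (keyed by pid) that ended
    unauthenticated and whose client host received a BADAUTH SSL from authsrv."""
    badauth_hosts = set()
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec['prog'] == 'authsrv' and rec['msg'].startswith('BADAUTH SSL'):
            m = re.search(r'\(ftp-gw (\S+)\)', rec['msg'])
            if m:
                badauth_hosts.add(m.group(1))
        elif rec['prog'] == 'ftp-gw':
            sess = sessions[rec['pid']]
            if rec['msg'].startswith('permit'):
                sess['host'] = rec['fields'].get('host')
                sess['start'] = rec['ts']
            elif rec['msg'].startswith('exit'):
                sess.update(rec['fields'])       # cmds, in, out, user, duration
    return [dict(pid=pid, **s) for pid, s in sessions.items()
            if s.get('user') == 'unauth' and s.get('host') in badauth_hosts]
```

Running `find_failed_ssl_sessions(SAMPLE_SYSLOG)` on the constructed input reports only pid 23205, the session that matches the post's symptom, and leaves the authenticated session alone.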
