


>
>This is confusing to me.  A SOCKS server uses password authentication in
>order to figure out whether a particular user behind the firewall is
>*allowed* to use the SOCKS server at all.  The username gets logged in
>the logs, but it does NOT get sent to anyone outside the network!
>
>IRC normally uses "ident" protocol to determine the "real user" that is
>attached to a socket connection.  Since the SOCKS server runs as root
>(though it doesn't have to), the owner of any connection via SOCKS will
>appear to be "root", to the external network, unless SOCKS does some
>amazing things with setuid changes that I don't know about...
>
>Well, anyway, password authentication should still work, regardless, but
>your users have to have passwords on the firewall box.


I don't use the socks server for IRC.  The security issue is this.  When I
connect to them, they connect to me to make sure I have a secure proxy
running.  They do this by sending a socks packet, and seeing if they get an
OK reply from the server (which in this case is my masq server).  If they
get an OK packet, that means they can hide behind my socks server and do
malicious acts.  I had to set up password authentication in order to make
my server "secure" according to them.  The thing that strikes me as odd is
that I had it set up exactly like it said for the multi-homed setup (my
masq server is multi-homed naturally) on nec's site, and they still said I
was insecure.  I even tried using the socks server from an outside
computer, and it wouldn't let me.  Alas, the script on the IRC network says
it's insecure.  The same result came when I used Fuzzy's config.  

Here is the site for more info on the security issue.  It would be great if
I didn't have to use authentication, but I don't see any way around it at
the moment:

http://www.enterthegame.com/security.htm

Later,

Osman
--
|=------------------------- Osman -- Ullah -------------------------=|
  Computer Science Major                        | "Insert a self
  Georgia Institute of Technology, Atlanta, GA  |  defining quote
  http://www.prism.gatech.edu/~gte213f          |  here."
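
The check described in the message above (a SOCKS packet is sent and the reply decides whether the proxy counts as open), sketched for auditing a proxy you administer. This is an added example, not part of the original post and not the IRC network's script; the thread does not say which SOCKS version or packet that script uses, so the SOCKS5 no-auth greeting, the SOCKS4 reply parsing and all function names here are assumptions.

```python
import socket

# SOCKS5 method-negotiation values (RFC 1928)
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
# SOCKS4 reply code 90 = request granted; 91-93 = rejected or failed
SOCKS4_GRANTED = 90

def socks5_greeting(methods=(NO_AUTH,)):
    """Client greeting: VER=5, NMETHODS, METHODS. Offering only NO_AUTH
    asks the server whether it will relay without credentials."""
    return bytes([5, len(methods), *methods])

def classify_socks5(reply: bytes) -> str:
    """Interpret the 2-byte method-selection reply (VER, METHOD)."""
    if len(reply) < 2 or reply[0] != 5:
        return "not-socks5"
    if reply[1] == NO_AUTH:
        return "open"             # anyone who can connect may relay
    if reply[1] == NO_ACCEPTABLE:
        return "auth-required"    # server refused the no-auth offer
    return "unexpected-method"    # server chose a method that was not offered

def classify_socks4(reply: bytes) -> str:
    """Interpret the 8-byte SOCKS4 reply (VN=0, CD, DSTPORT, DSTIP)."""
    if len(reply) < 2 or reply[0] != 0:
        return "not-socks4"
    return "open" if reply[1] == SOCKS4_GRANTED else "rejected"

def check_own_proxy(host: str, port: int = 1080, timeout: float = 5.0) -> str:
    """Send the no-auth greeting to a proxy you administer, from the
    network side you want to audit, and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            return classify_socks5(s.recv(2))
    except OSError:
        return "unreachable"      # filtered or closed: nothing to relay through

if __name__ == "__main__":
    # Constructed replies, not captured traffic.
    for raw in (b"\x05\x00", b"\x05\xff", b"HT"):
        print(raw, classify_socks5(raw))
    print(classify_socks4(bytes([0, 90, 0, 0, 0, 0, 0, 0])))
```

Run `check_own_proxy` against the external address from an outside host: "open" on that side is the condition such a checker would flag, while "auth-required" or "unreachable" is what a locked-down multi-homed setup should return there.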

