From: devzero AT web DOT de
To: cygwin AT cygwin DOT com
Cc: schulman DOT andrew AT epamail DOT epa DOT gov
Subject: Problem with stunnel/rsync & tcp_wrappers under cygwin
Date: Wed, 26 Feb 2014 00:43:27 +0100

Hi,

I have a strange problem with tcp_wrappers in conjunction with the stunnel Cygwin port (cc'ing the stunnel Cygwin maintainer because of that).

I'm trying to secure an rsync which is started in daemon mode, inetd-style, via stunnel. I'm on Win8 64-bit with a recent 64-bit Cygwin installation.

When I put "rsync: ALL" in /etc/hosts.allow all is fine, but when I try to restrict the connection to a single IP address it doesn't work. I spent some time on this but I don't get this working. See the log snippets below this mail.

A successful connection looks like this:

2014.02.23 12:36:22 LOG7[16424:25770120176]: Released libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Service [rsync] permitted by libwrap from 192.168.0.116:60222
2014.02.23 12:36:22 LOG5[16424:25770120176]: Service [rsync] accepted connection from 192.168.0.116:60222

An unsuccessful connection looks like this:

2014.02.23 12:34:34 LOG7[17800:25770120176]: Released libwrap process #0
2014.02.23 12:34:34 LOG4[17800:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: See hosts_access(5) manual for details

Afaik, tcp_wrappers only checks for the IP address, not the source port - correct? I'm curious about IP:PORT in the logs.

I'm no programmer, but if I get this right, the "accepted_address" is being passed to libwrap to be checked for authentication, and libwrap tells if the connection is permitted or not. So I'm curious why "accepted_address" seems to contain IP:PORT where it should possibly only contain "IP".

From the stunnel sources:

client.c
---snipp---
    /* authenticate based on retrieved IP address of the client */
    accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
#ifdef USE_LIBWRAP
    libwrap_auth(c, accepted_address);
#endif /* USE_LIBWRAP */
    auth_user(c, accepted_address);
    s_log(LOG_NOTICE, "Service [%s] accepted connection from %s",
        c->opt->servname, accepted_address);
    str_free(accepted_address);
}
---snipp---

libwrap.c
---snipp---
#endif /* USE_PTHREAD */
    { /* use original, synchronous libwrap calls */
        enter_critical_section(CRIT_LIBWRAP);
        result=check(c->opt->servname, c->local_rfd.fd);
        leave_critical_section(CRIT_LIBWRAP);
    }
    if(!result) {
        s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
            c->opt->servname, accepted_address);
        s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
        longjmp(c->err, 1);
    }
    s_log(LOG_DEBUG, "Service [%s] permitted by libwrap from %s",
        c->opt->servname, accepted_address);
}
---snipp---

Bug? I'm out of ideas otherwise...

regards
Roland

stunnel.exe info:

2014.02.23 12:36:16 LOG7[16424:25769803872]: Clients allowed=125
2014.02.23 12:36:16 LOG5[16424:25769803872]: stunnel 4.56 on x86_64-unknown-cygwin platform
2014.02.23 12:36:16 LOG5[16424:25769803872]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2014.02.23 12:36:16 LOG5[16424:25769803872]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP
2014.02.23 12:36:16 LOG5[16424:25769803872]: Reading configuration from file /etc/stunnel/stunnel.conf

This one works:

$ cat /etc/hosts.allow
rsync: ALL

stunnel log:

2014.02.23 12:36:22 LOG7[16424:25770120176]: Acquired libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Releasing libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Released libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Service [rsync] permitted by libwrap from 192.168.0.116:60222
2014.02.23 12:36:22 LOG5[16424:25770120176]: Service [rsync] accepted connection from 192.168.0.116:60222
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): before/accept initialization
2014.02.23 12:36:22 LOG7[16424:25770120176]: SNI: no virtual services defined
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 read client hello A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write server hello A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write certificate A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write key exchange A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write certificate request A

All of the following ones do NOT work:

$ cat /etc/hosts.allow
rsync: 192.168.0.116

2014.02.23 11:48:01 LOG5[17800:25769803872]: Configuration successful
2014.02.23 11:48:01 LOG7[17800:25769803872]: Service [rsync] (FD=11) bound to 0.0.0.0:1873
2014.02.23 11:48:01 LOG7[17800:25769803872]: Created pid file /var/run/stunnel.pid
2014.02.23 12:34:34 LOG7[17800:25769803872]: Service [rsync] accepted (FD=3) from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: Service [rsync] started
2014.02.23 12:34:34 LOG7[17800:25770120176]: Waiting for a libwrap process
2014.02.23 12:34:34 LOG7[17800:25770120176]: Acquired libwrap process #0
2014.02.23 12:34:34 LOG7[17800:25770120176]: Releasing libwrap process #0
2014.02.23 12:34:34 LOG7[17800:25770120176]: Released libwrap process #0
2014.02.23 12:34:34 LOG4[17800:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:34:34 LOG5[17800:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:34:34 LOG7[17800:25770120176]: Local socket (FD=3) closed
2014.02.23 12:34:34 LOG7[17800:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:34:34 LOG7[17800:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2014.02.23 12:36:15 LOG7[17800:25769803872]: Dispatching signals from the signal pipe

$ cat /etc/hosts.allow
rsync: 192.168.0.116 : allow

2014.02.23 12:44:36 LOG7[5248:25770120176]: Waiting for a libwrap process
2014.02.23 12:44:36 LOG7[5248:25770120176]: Acquired libwrap process #0
2014.02.23 12:44:36 LOG7[5248:25770120176]: Releasing libwrap process #0
2014.02.23 12:44:36 LOG7[5248:25770120176]: Released libwrap process #0
2014.02.23 12:44:36 LOG4[5248:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60223
2014.02.23 12:44:36 LOG7[5248:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:44:36 LOG5[5248:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:44:36 LOG7[5248:25770120176]: Local socket (FD=3) closed
2014.02.23 12:44:36 LOG7[5248:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:44:36 LOG7[5248:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)

$ cat /etc/hosts.allow
rsync: 192.168.0.116/32 : allow

2014.02.23 12:46:02 LOG7[10392:25770120176]: Service [rsync] started
2014.02.23 12:46:02 LOG7[10392:25770120176]: Waiting for a libwrap process
2014.02.23 12:46:02 LOG7[10392:25770120176]: Acquired libwrap process #0
2014.02.23 12:46:02 LOG7[10392:25770120176]: Releasing libwrap process #0
2014.02.23 12:46:02 LOG7[10392:25770120176]: Released libwrap process #0
2014.02.23 12:46:02 LOG4[10392:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60224
2014.02.23 12:46:02 LOG7[10392:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:46:02 LOG5[10392:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:46:02 LOG7[10392:25770120176]: Local socket (FD=3) closed
2014.02.23 12:46:02 LOG7[10392:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:46:02 LOG7[10392:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)

$ cat /etc/stunnel/stunnel.conf
client = no
foreground = yes
#setuid = root
#setgid = root
# pid = /var/run/stunnel.pid
debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_LINGER=1:60
[rsync]
accept = 1873
cert = /etc/stunnel/stunnel.pem
client = no
verify = 0
libwrap = yes
exec = /usr/bin/rsync
execargs = rsync --daemon --config /etc/rsync-ssl/rsync-ssl.conf
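Added illustration, not code from the mail, from stunnel or from tcp_wrappers: a small Python model of the hosts_access(5) decision for IPv4 clients, covering the patterns ALL, an exact address, a trailing-dot prefix, net/mask in dotted or CIDR form, the EXCEPT operator and the allow/deny options. It takes the peer in the IP:PORT form that stunnel logs and drops the port before matching, since access-list patterns describe addresses only; in the libwrap.c snippet quoted above the check receives the socket (check(c->opt->servname, c->local_rfd.fd)), not the logged string, so IP:PORT is purely log formatting. The sample rule texts are constructed and mirror the ones tried in the mail; the model also shows the usual pitfall that a hosts.allow entry on its own does not keep other hosts out unless hosts.deny catches them. It does not reproduce or explain the Cygwin refusal reported above.

```python
"""Simplified model of tcp_wrappers hosts_access(5) matching (added example).

Assumptions: IPv4 only; hostname-based patterns (names, KNOWN, UNKNOWN,
LOCAL, PARANOID) are left out because they need DNS lookups.
"""
import ipaddress

# Constructed sample access lists (same shapes as in the mail above).
ALLOW_ALL = "rsync: ALL\n"
ALLOW_ONE_HOST = "rsync: 192.168.0.116\n"
ALLOW_ONE_HOST_CIDR = "rsync: 192.168.0.116/32 : allow\n"
DENY_REST = "rsync: ALL\n"


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs 'daemon_list : client_list': %r" % raw)
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_client(pattern, addr):
    """Does one client pattern match the IPv4 address string addr?"""
    if pattern == "ALL":
        return True
    ip = ipaddress.IPv4Address(addr)
    if "/" in pattern:
        # hosts_access accepts both net/255.255.255.0 and net/24
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network("%s/%s" % (net, mask), strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)  # 192.168.0. covers 192.168.0.x
    return addr == pattern


def match_list(patterns, value, matcher):
    """'a b EXCEPT c d' matches when value hits the left part and misses
    the right part; EXCEPT nests to the right as in hosts_access(5)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (match_list(patterns[:i], value, matcher)
                and not match_list(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def verdict(options, default):
    """An explicit allow/deny option overrides which file the rule is in."""
    words = [o.split()[0].lower() for o in options if o]
    if "deny" in words:
        return False
    if "allow" in words:
        return True
    return default


def hosts_access(daemon, peer, allow_text, deny_text=""):
    """Return True if tcp_wrappers would admit the connection.

    peer may be given as stunnel logs it ("192.168.0.116:60221"); the port
    is discarded because the access lists only ever match the address."""
    addr = peer.rsplit(":", 1)[0]
    # hosts.allow is consulted first, then hosts.deny; first match decides.
    for daemons, clients, options in parse_rules(allow_text):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, addr, match_client):
            return verdict(options, True)
    for daemons, clients, options in parse_rules(deny_text):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, addr, match_client):
            return verdict(options, False)
    return True  # no rule in either file matched: access is granted


if __name__ == "__main__":
    for peer in ("192.168.0.116:60221", "192.168.0.116:60222", "192.168.0.117:60223"):
        print(peer, "allow-only:", hosts_access("rsync", peer, ALLOW_ONE_HOST),
              "with hosts.deny:", hosts_access("rsync", peer, ALLOW_ONE_HOST, DENY_REST))
```

Run it as a script and the two 192.168.0.116 peers get the same verdict regardless of source port, while 192.168.0.117 is only refused once hosts.deny contains a catch-all rule.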