From: Doug Ambrisko
Message-Id: <200003070030.QAA75449@whistle.com>
Subject: Re: /usr/bin/ssh and SOCKS
In-Reply-To: from "James E. Pace" at "Mar 6, 2000 11:37:18 am"
To: "James E. Pace"
Date: Mon, 6 Mar 2000 16:30:06 -0800 (PST)
Cc: current@FreeBSD.ORG

James E. Pace writes:
|
| I rebuilt -current on Friday, and OpenSSH does not work through a
| SOCKS firewall.
|
| In my make.conf, I have "USE_SOCKS= YES", which is used in the
| ports/security/ssh port.

As mentioned we have ssh in the base system so you are picking that up.
Another alternative is to remove the setuid bits from /usr/bin/ssh and
then do a "runsocks ssh". LD_PRELOAD in FreeBSD does not work on setuid
binaries. This is a security feature. Solaris lets you do a LD_PRELOAD
on setuid binaries if the library is from /usr/lib. So on Solaris if the
libsocks_sh.so was in /usr/lib then LD_PRELOAD of it would work on setuid
binaries like ssh and it would just work without recompiling/linking.

However, now that Dante is available and has BSD licensing we could
include it in the base OS. Yes it is bloat, but then people could
sysinstall behind a Socks firewall and things like ssh etc could be
linked to it.
There are things I like and don't like with Dante but it is a pretty
good package and has a better license. I could do the work if deemed
useful. I don't want to maintain my own branch and we use the NEC
implementation here so I don't want to be bouncing between them for no
good reason.

Doug A.
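
The two preload policies described in the message above, written out as a small shell model, plus a scan for the binaries a preload-based wrapper such as runsocks will not affect. This is an added example, not part of the original message and not the code of any runtime linker; the policy labels `freebsd` and `solaris` and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Model of the preload rules as the message states them (illustration only).

# is_setid FILE: succeeds if FILE has the setuid or setgid bit set.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# preload_decision POLICY BINARY LIBRARY
# POLICY: "freebsd" or "solaris" (hypothetical labels for the two behaviours).
# Prints "honored" or "ignored" for an LD_PRELOAD of LIBRARY into BINARY.
preload_decision() {
    policy=$1
    binary=$2
    library=$3
    if ! is_setid "$binary"; then
        echo honored            # ordinary binary: the preload applies
        return 0
    fi
    case $policy in
        freebsd)
            echo ignored ;;     # set-id binary: preload is dropped entirely
        solaris)
            # Honored only when the library sits directly in /usr/lib.
            # Comparing the literal directory also rejects "/usr/lib/../x";
            # symlinks are not resolved in this model.
            if [ "${library%/*}" = /usr/lib ]; then
                echo honored
            else
                echo ignored
            fi ;;
        *)
            echo "unknown policy: $policy" >&2
            return 2 ;;
    esac
}

# audit_dir DIR: list set-id regular files under DIR, i.e. the programs
# for which a preload wrapper silently does nothing under the freebsd rule.
audit_dir() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}
```

Running `audit_dir /usr/bin` before relying on a preload wrapper shows which programs need to be linked against the SOCKS library instead.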