Retrieving client port number from Pam module - linux

How do I retrieve an SSH client's port number from a PAM module?
I can get the client host from PAM_RHOST:
retval = pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
It is present in the SSHD logs, but I am not sure how to extract it.

Related

Using the Hyper-V sockets between Windows host and Linux guest

I want to write simple application that communicates between the Hyper-V host and its virtual machine using Hyper-V sockets (netcat over vsock). In the Internet there are a few documents describing how to do it: Make your own integration services, Practical Hyper-V socket communication. However, any of them helps me to achieve my goal.
First of all, I've made sure that the connection using Hyper-V sockets is possible. On the guest Linux I loaded hv_sock module and run nc-vsock application which is able to listen on vsocks:
$ sudo modprobe hv_sock
$ nc-vsock -l 1234
On Windows in PowerShell I ran hvc, which utilises Hyper-V sockets and is able to emulate netcat:
hvc nc -t vsock little-helper 1234
and it works. I can see data sent from server to client and vice versa.
Then I wrote a simple application basing on 1 and 2 with slight changes.
I registered my application with the Hyper-V Host's registry as said in 1 and I ran my application. The connection was not established and the connect function returned error 10049.
I've tried to run my application as a administrator and manipulate GUIDs in the source code and on the Hyper-V Host's registry as well. However, nothing helps and application always reports error 10049.
In my opinion in the document are some ambiguity. E.g. it's said that the service id shall be a random GUID. But later on there is a note that the first four octets translate to port in AF_VSOCK address family, and the specific GUID is presented for this purpose.
Question is rather simple: what I did wrong or misunderstood. Is it possible to write netcat utilising vsock between Windows and Linux?
Full code:
#include <iostream>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <hvsocket.h>
#include <combaseapi.h>
int main()
{
struct __declspec(uuid("00000000-185c-4e04-985a-4c2eee3e03cc")) VSockTemplate {};
struct __declspec(uuid("2a9fa68e-4add-45cb-85c8-de97fc66d388")) ServerVsockTemplate {};
//----------------------
// Initialize Winsock
WSADATA wsaData;
int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != NO_ERROR) {
wprintf(L"WSAStartup function failed with error: %d\n", iResult);
return 1;
}
//----------------------
// Create a SOCKET for connecting to server
SOCKET ConnectSocket;
ConnectSocket = socket(AF_HYPERV, SOCK_STREAM, HV_PROTOCOL_RAW);
if (ConnectSocket == INVALID_SOCKET) {
wprintf(L"socket function failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
//----------------------
// The sockaddr_in structure specifies the address family,
// IP address, and port of the server to be connected to.
SOCKADDR_HV clientService;
clientService.Family = AF_HYPERV;
clientService.VmId = __uuidof(ServerVsockTemplate);
clientService.ServiceId = __uuidof(VSockTemplate);
clientService.ServiceId.Data1 = 1234;
//----------------------
// Connect to server.
iResult = connect(ConnectSocket, (SOCKADDR*)&clientService, sizeof(clientService));
if (iResult == SOCKET_ERROR) {
wprintf(L"connect function failed with error: %ld\n", WSAGetLastError());
iResult = closesocket(ConnectSocket);
if (iResult == SOCKET_ERROR)
wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
wprintf(L"Connected to server.\n");
iResult = closesocket(ConnectSocket);
if (iResult == SOCKET_ERROR) {
wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
WSACleanup();
return 0;
}
For whoever is not very familiar with Hyper-V and does not want to spend 2 hours debugging, like I did, a few points:
Ensure that the hv_sock kernel module is enabled on the guest, I used Ubuntu Server 20.04, which does not have this enabled by default.
lsmod | grep hv_sock
If it's not there you need to add it and reboot:
sudo sh -c 'echo "hv_sock" > /etc/modules-load.d/hv_sock.conf'
sudo reboot
You need to register a new application with Hyper-V Host's registry, but the docs are misleading, as the random GUID is only needed with a Windows guest, for Linux guests the GUID needs to be in a very specific format, as described by HV_GUID_VSOCK_TEMPLATE, meaning <port>-facb-11e6-bd58-64006a7986d3
So for port 5001 the registry key should be 00001389-facb-11e6-bd58-64006a7986d3 (1389 is 5001 in hex)
You can do that easily from powershell as described in the Register a new application section
$service = New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices" -Name "00001389-facb-11e6-bd58-64006a7986d3"
$service.SetValue("ElementName", "HV Socket Demo")
You can find some simple code samples here, win_server.c for the Windows host and wsl_client.c for the Linux guest.
What is the ServerVsockTemplate GUID you have there? I'm pretty sure that's supposed to be the GUID of a running VM, e.g., (Get-VM -Name $VMName).Id, so it'd be hard to hard-code into your source. If that's the GUID you generated per 'Register a new application', that'll be the problem.
The docs aren't clear, but I have the strong suspicion that 'Register a new application' part is only for when you're listening on Windows for incoming connections from other Windows VMs, or when writing a Linux device driver that talks to a service on the host. It might also be to allow a VM to offer services to other VMs, but I would assume not.
Edit: Quick Testing VSOCK (Hyper-V) Support in X410 says you need to make the registry keys for the vsock GUIDs as well, to receive connections from the vm.
In Linux userspace, you only have access to vsock; the other services are managed by drivers under Linux.
There's a clearer explanation of the vsock workflow in the Linux source for the Hyper-V vsock implementation.
I assume it's possible to use VSock between a Windows VM and the host as well, of course.
Edit, because I actually went and tested this.
Two mistakes in the code, on top of the ServerVsockTemplate GUID needing to be the GUID of the target VM.
The VSockTemplate GUID is wrong. I don't know where that came from, but there's a constant HV_GUID_VSOCK_TEMPLATE in <hvsocket.h> anyway, which matches the one on the Microsoft Docs site: 00000000-facb-11e6-bd58-64006a7986d3
It turns out, you need to zero the Reserved member of the SOCKADDR_HV, or it'll fail. Traditionally, one would use memset to zero a new sockaddr_* structure, but in this case, we can take the easy path.
So to make this work, change the SOCKADDR_HV creation code to the following:
// The sockaddr_in structure specifies the address family,
// IP address, and port of the server to be connected to.
SOCKADDR_HV clientService;
clientService.Family = AF_HYPERV;
clientService.Reserved = 0;
clientService.VmId = __uuidof(ServerVsockTemplate);
clientService.ServiceId = HV_GUID_VSOCK_TEMPLATE;
clientService.ServiceId.Data1 = 1234;
Then you delete VSockTemplate, and make sure ServerVsockTemplate is the GUID of the VM or Micro-VM where you're running nc-vsock.
I actually tested this with the WSL2 micro-VM, for which the VM ID comes from hcsdiag list rather than Get-VM, but I was able to connect to nc-vsock inside my WSL2 session using the source here, modified as I have described.

Freeradius doesn't respond to client - ignoring request to auth address ... unknown client

So trying to setup a simple RADIUS authentication for a CISCO 2600 and freeradius -X
The message says that the client is unknown but still the client conf looks like this:
client R1{
ipaddr = 10.1.1.10
secret = secretkey
shortname = R1
nastype = cisco
}
client radnetwork{
ipaddr = 10.1.1.0
netmask = 24
secret = secretkey
shortname = radnetwork
}
client localhost {
ipaddr = 127.0.0.1
secret = secretkey
shortname = localhost
nastype = other
}
I've made sure to chmod 777 both clients.conf and users and because it did drove me crazy and at first the permissions were wrong.
Running radtest locally radtest myuser mysecret localhost 1812 gets me:
(0) No reply from server for ID 168 socket 3
and in the log:
Dropping packet without response because of error: Received packet from 127.0.0.1 without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (shared secret is incorrect.)
even as the secret ins VERY simple and it is set that way everywhere in this lab.
Thank you for helping in advance.
Your question is confusing. Your title suggests you have an unknown client, i.e. you've not provided a client definition for the client contacting the server, but the question content is about a mismatched shared secret.
I'll answer the mismatched shared secret part. It may be that figuring that out resolves your other issue.
The posted radtest command is invalid and missing the secret, which is frustrating as the secret is the subject of this question.
As a first step you should run radsniff with the -s option to specify the expected secret, and verify that the User-Password attribute it shown correctly in plaintext.
Next, ensure unprintable characters aren't being inserted into the secret in your client definitions by wrapping the secret in double quotes.
Verify that the clients.conf file you're editing is actually being read by introducing a syntax error (just add an extra right hand curly brace '}' at the end) and restarting FreeRADIUS.
Note: For all changes to the server config, you need to restart FreeRADIUS.
This is a common issue. It's never the code, it's nearly always one of the conditions above.

Telnet Port connectivity from one server to another through JSP

Hi All,
I want to create a JSP page where I will ask user to give the source host and port and also destination host and port.
Following combination of source and destination OS is possible
Unix->Unix/Windows/zOS Windows-> Unix/Windows/zOS zOS ->
Unix/Windows/zOS
With these inputs I want to connect to the source server and fire this command telnet $ip $port to the destination. If the telnet connectivity is successful it should return success and else error.
I want to create the logic non-interactive that it should not require any password to login the source for checking telnet connectivity.
Is there any such library or any mechanism available so that I could make this feasible?
Why not use Apache Commons Net?
TelnetClient telnet = new TelnetClient();
try {
telnet.connect("rainmaker.wunderground.com", 3000);
} catch(IOException e) {
// failed
} finally {
telnet.disconnect();
}

How can I know the host name on client server program

I am doing a program about client server communication using sockets. I saw examples of client server program on internet, but I have a question. How to get host name? I saw a client program example on the webpage int the link below. The program gets the host name from the user in command line arguments,but how can I know the host name? and I tried using my username on it but its says host does not found. I am running both on same machine. Thank you very much for your time.
client:
http://www.tutorialspoint.com/unix_sockets/socket_client_example.htm
server:
http://www.tutorialspoint.com/unix_sockets/socket_server_example.htm
Host name is different from the username to get the host name use the command "hostname"
and use this host name in command line
commands:
hostname -->gethostname
hostname < name > -->sethostname with name
If your client and server are on the same host, the hostname is localhost, or you could use the name of the machine, or you could use 127.0.0.1
Assuming you mean the host you are currently running on you use gethostname
int main(int argc, char *argv[])
{
int ret;
char buffer[100];
if ((ret = gethostname(buffer, sizeof(buffer))) == -1)
{
perror("gethostname");
exit(1);
}
printf("hostname is: %s\n", buffer);
return(0);
}
For a client server program , the client must know the hostname or the ip address of the machine it wants to communicate with.
Think of it like you are driving to a particular shop, you need to know the address of the shop to reach there. Similarly clients need the address of the host it needs to communicate with.
If you are running your own client and server, then type hostname in the machine and it will give you the host name. Usually you would need host name and port but in simple example programs the value may be hard coded.

vsFTPd: per-user IP filtering for vitrual users

I'm running a vsFTPd FTP server with virtual users (i.e. users are stored in Berkeley DB and do not exist at OS level). The users are authenticated via /etc/pam.d/ftp:
%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
I want to implement an user-level IP filtering via tcp_wrappers, for ex.:
/etc/hosts.deny:
vsftpd: toto#10.10.10.10
(user 'toto') is a vitrual user.
However, toto can log in to the FTP server from 10.10.10.10:
Status: Connecting to 10.10.10.10:21...
Status: Connection established, waiting for welcome message...
Response: 220 "FTP server"
Command: USER toto
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Status: Connected
How to make vsftpd's virtual users working with tcp_wrappers? how to debug system calls to tcp_wrappers to ensure that vsftpd is passing a correct user name to tcp_wrappers?
TCP wrappers may sound promissory but won't work (long explanation) However you can achieve same level of granularity via PAM.
For instance you can locate the PAM's FTP conf file, if your vsFTPd was compiled with PAM support (ldd /usr/sbin/vsftpd | grep pam) and replace the account line to use pam access control instead.
# vi /etc/pam.d/vsftpd
account include password-auth (comment this line out)
# add the following line
account required pam_access.so
Then you can edit /etc/security/access.conf and create more complex rules to tailor your needs, i.e.
+ : restricted_username : 192.168.1.10
+ : ALL EXCEPT restricted_username : ALL
- : ALL : ALL
The above rule will allow the user 'restricted_username' to login only from that specific IP, while allowing the rest of the users log in from ALL other sources.

Resources