SS5 Official Web Site


Examples


SS5 has many features, so the following examples can be useful when configuring the socks server:



Example 1

Enable PAM authentication for all IP addresses, and permit SSH access to the 172.30/16 network only to users in the CN=LOGON,CN=Users,DC=it directory group.

Also enable the authentication cache, with the expiry time set to 600 seconds.

set SS5_PAM_AUTH
set SS5_AUTHCACHEAGE 600

ldap_profile_ip x.y.w.z
ldap_profile_port 389
ldap_profile_base DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=user1,CN=Users,DC=it
ldap_profile_pass xxxxxx

auth 0.0.0.0/0 - u

permit u 0.0.0.0/0 - 172.30.0.0/16 22 - CN=LOGON,CN=Users,DC=it -



Example 2

Bind ss5 on a privileged port (lower than 1024):

ss5 -u root -b 0.0.0.0:1020



Example 3, a case study

In the following case, ss5 works with:

1. PAM authentication using pam_winbind.so
2. Directory authorization with multiple user stores (Active Directory)
3. Authentication cache enabled
4. Authorization cache enabled
5. NetBIOS domain support
6. Upstream proxying through another socks server
7. Traffic dump to file

auth 0.0.0.0/0 - u

# Enable PAM authentication
set SS5_PAM_AUTH

# Set session timeout
set SS5_STIMEOUT 3600

# Enable the authentication cache for 600 seconds
set SS5_AUTHCACHEAGE 600

# Enable the authorization cache for 600 seconds
set SS5_AUTHOCACHEAGE 600

# Enable directory authorization with filter mode
set SS5_LDAP_FILTER

# Enable netbios domain mapping with directory
# (socks username in the form: domainA\user1)
set SS5_NETBIOS_DOMAIN

# Dump traffic data to file for connections through an Oracle db server
dump 182.10.10.20/32 1521 1

# Upstream proxy for 162.10.10.0 network
proxy 162.10.10.0/24 - 10.10.10.20 1080 -

# Permit HTTP access to users who belong to the WEB group in Active Directory
#Auth SHost SPort DHost DPort Fixup Group Band
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -

# Netbios domain (in case of MSdomainA\userA)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base DC=subDomainA,DC=DomainA,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainA,DC=DomainA,DC=it
ldap_profile_pass password
ldap_netbios_domain MSDomainA

# Netbios domain (in case of MSdomainB\userB)
ldap_profile_ip 162.10.30.1
ldap_profile_port 389
ldap_profile_base DC=subDomainB,DC=DomainB,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainB,DC=DomainB,DC=it
ldap_profile_pass password
ldap_netbios_domain MSdomainB



Example 4, a case study

In the following case, ss5 works with:

1. GSS authentication and message integrity check
2. Directory authorization with Active Directory using Kerberos Principal Name
3. Bandwidth profiling

auth 0.0.0.0/0 - k

# Enable verbose log
set SS5_VERBOSE

# Enable debug log
set SS5_DEBUG

# Enable directory authorization with filter mode
set SS5_LDAP_FILTER

# Set Principal Kerberos service name
set SS5_GSS_PRINC host@gssdomain.it

# Permit all traffic to users authenticated via Kerberos-GSS who belong to the "Administrators" group stored in Active Directory
permit k 162.10.10.0/24 - 182.10.10.0/24 - - cn=Administrators,cn=Builtin,dc=gssdomain,dc=it - -

# Limit to two the number of concurrent connections a user belonging to the Kerberos GSSDOMAIN can establish
bandwidth GSSDOMAIN-GRP 2 -

# Kerberos domain (in case of userA@GSSDOMAIN.IT)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base cn=Users,dc=gssdomain,dc=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=Administrator,cn=Users,dc=gssdomain,dc=it
ldap_profile_pass password
ldap_netbios_domain GSSDOMAIN.IT



Example 5

Authenticate using RADIUS and do MySQL profiling:

set SS5_VERBOSE
set SS5_CONSOLE
set SS5_DEBUG
set SS5_SRV

set SS5_RADIUS_AUTH

radius_ip 127.0.0.1
radius_auth_port 1812
radius_acct_port 1813
radius_secret radiuspwd

# DEFAULT "SELECT uname FROM grp WHERE gname like"
mysql_profile_ip 127.0.0.1
mysql_profile_db radius
mysql_profile_user root
mysql_profile_pass password
mysql_profile_sqlstring SELECT username FROM radusergroup WHERE groupname like

auth 0.0.0.0/0 - u

permit u 192.168.1.99/32 - 0.0.0.0/0 - - grp1 - -



Example 6

Use the 172.30.20.1 alias IP as the source IP to reach the 192.168.20.0 network.

The ss5.ha file contains:

route 192.168.20.0/24 172.30.20.1 - d



Example 7

To launch multiple instances, create a separate startup script for each one, as follows:

- First instance with default options:
/usr/sbin/ss5 -t -u root

- Second instance with custom options:
export SS5_SOCKS_PORT=1081
export SS5_CONFIG_FILE=/tmp/ss5.conf
export SS5_PASSWORD_FILE=/tmp/ss5.passwd
export SS5_LOG_FILE=/tmp/ss5.log
export SS5_PROFILE_PATH=/tmp

# /usr/sbin/ss5 -t -u root
#
[INFO] found environment SS5_PROFILE_PATH: /tmp
[INFO] found environment SS5_LOG_FILE: /tmp/ss5.log
[INFO] found environment SS5_SOCKS_PORT: 1081
[INFO] found environment SS5_CONFIG_FILE: /tmp/ss5.conf
[INFO] found environment SS5_PASSWORD_FILE: /tmp/ss5.passwd



Example 8

To set up different configurations of upstream proxy, see the following cases.

Version 5 with authentication

- upstream ss5.conf

auth 0.0.0.0/0 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

- downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 without authentication

- upstream ss5.conf

auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

- downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 to 4

- upstream ss5.conf

auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

- downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 4
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 to 4 with downstream authentication

- upstream ss5.conf

auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

- downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 4
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 4

- upstream ss5.conf

auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

- downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
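The permit field layout given in the comment line of Example 3 (Auth SHost SPort DHost DPort Fixup Group Band) and the auth/permit pairings of Example 8 can be checked mechanically before a configuration goes live. The following Python script is an added example, not part of SS5 or of this page: it parses the auth, permit and proxy directives of an ss5.conf and reports permit rules whose authentication method is not granted by any auth line that covers the rule's source range. Assumptions: the trailing ninth permit field seen in some of the page's examples (not named by its comment line) is kept as "extra", and the sample configuration is constructed.

```python
import ipaddress

# Field layout of ss5 permit lines, taken from the ss5.conf comment line on this page;
# "extra" is an assumption for the trailing field present in some examples.
PERMIT_FIELDS = ("auth", "shost", "sport", "dhost", "dport", "fixup", "group", "band", "extra")


def parse_conf(text):
    """Collect the auth, permit and proxy directives of an ss5.conf (comments stripped)."""
    rules = {"auth": [], "permit": [], "proxy": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kind, args = parts[0], parts[1:]
        if kind == "auth" and len(args) == 3:
            rules["auth"].append({"line": lineno, "shost": args[0], "sport": args[1], "method": args[2]})
        elif kind == "permit" and len(args) in (8, 9):
            fields = dict(zip(PERMIT_FIELDS, args))
            fields["line"] = lineno
            rules["permit"].append(fields)
        elif kind == "proxy" and len(args) == 5:
            rules["proxy"].append({"line": lineno, "dhost": args[0], "dport": args[1],
                                   "ip": args[2], "port": args[3], "version": args[4]})
    return rules


def check_permits(rules):
    """Return one finding per permit rule whose auth method no covering auth line grants."""
    findings = []
    for p in rules["permit"]:
        if p["auth"] == "-":
            continue  # rule requires no authentication, nothing to cross-check
        src = ipaddress.ip_network(p["shost"], strict=False)
        covered = any(a["method"] == p["auth"]
                      and src.subnet_of(ipaddress.ip_network(a["shost"], strict=False))
                      for a in rules["auth"])
        if not covered:
            findings.append(f"line {p['line']}: permit requires auth '{p['auth']}' "
                            f"but no auth line grants it for {p['shost']}")
    return findings


# Constructed sample: a downstream ss5.conf modelled on Example 8, but with the auth line
# narrowed to one subnet so the first permit rule is no longer fully covered.
SAMPLE_CONF = """\
proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 192.168.1.0/24 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
permit - 10.0.0.0/8 - 0.0.0.0/0 - - - - -
"""

if __name__ == "__main__":
    for finding in check_permits(parse_conf(SAMPLE_CONF)):
        print(finding)
```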

© 2002 - 2009 Matteo Ricchetti