.gear/rules | 3 + .../tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae | 20 + .gear/tags/list | 1 + .gear/upstream/remotes | 3 + ocserv-pamd.conf | 5 + ocserv.conf | 610 +++++++++++++++++++++ ocserv.init | 103 ++++ ocserv.spec | 183 +++++++ src/worker-privs.c | 4 + tests/data/haproxy-auth.cfg | 4 +- 10 files changed, 934 insertions(+), 2 deletions(-) diff --git a/.gear/rules b/.gear/rules new file mode 100644 index 00000000..2cce167b --- /dev/null +++ b/.gear/rules @@ -0,0 +1,3 @@ +tar: @version@:. +diff: @version@:. . + diff --git a/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae b/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae new file mode 100644 index 00000000..5c363b9a --- /dev/null +++ b/.gear/tags/a0925ea74cea919a5bc6ccb1b81b5897983ea7ae @@ -0,0 +1,20 @@ +object 895a23f372fd2ef7f29c8ccd635e33b32de0915f +type commit +tag 1.2.1 +tagger Nikos Mavrogiannopoulos 1692709837 +0200 + +released 1.2.1 +-----BEGIN PGP SIGNATURE----- + +iQHWBAABCAA8FiEEH0JBiQXYIGqnVMzcKe5YuZaGUXEFAmTks9EeHG4ubWF2cm9n +aWFubm9wb3Vsb3NAZ21haWwuY29tAAoJECnuWLmWhlFxtDIMH16uVZbf2SRvpbob +pgKT4YmMyHzc0ToPLcviSHkPoynWIIYT9Ye04gvn6uOFSt1D9pJhw+mP+1v4qKX3 +4PQpmppZ5Njeh3XRZPPv8b7J5Nw5YmwOxplIG/5uZKNQTnBJl3w+KDpbwO1gOO7Q +V62fMGFG+MfIjBHRMZme6dJl1dl0PKD7SSrpQW8e1SDuys1YPJCRy3uFI8nROwBR +ELXmcZoWEbo2C535tSoquzBUBH46r/GmBNUpIt9BntALJb6p2rdgxeW5dMfC3Z84 +Y2uNCqQWHOd7olKQLHNNDW7UO3LdWFa5fv0Xjd3TlOb79GnPIUFf/KT1E0aeTqzM +S04q/Iirz+TVTdCkBNJKtimDdzMKfIfCoqiu0tXhDIWhtIpLgvZb2j5+5cpRttJY +HUQbtdhTvsHp9X6a7ctOrOhSX34BTIvNbbceJNjKQwsbrG+/FkOXXBPPEtAjm4pa +5aPCtvo5YK/JBmCfdEJ10vUqrf7JJ6YxVH8f8EAOonEiJg405iN+FJI= +=nO4G +-----END PGP SIGNATURE----- diff --git a/.gear/tags/list b/.gear/tags/list new file mode 100644 index 00000000..d61adf9c --- /dev/null +++ b/.gear/tags/list @@ -0,0 +1 @@ +a0925ea74cea919a5bc6ccb1b81b5897983ea7ae 1.2.1 diff --git a/.gear/upstream/remotes b/.gear/upstream/remotes new file mode 100644 index 00000000..56cacf9d --- /dev/null +++ b/.gear/upstream/remotes @@ -0,0 +1,3 @@ +[remote "upstream"] + url = https://gitlab.com/openconnect/ocserv.git + fetch = +refs/heads/*:refs/remotes/upstream/* diff --git a/ocserv-pamd.conf b/ocserv-pamd.conf new file mode 100644 index 00000000..15944256 --- /dev/null +++ b/ocserv-pamd.conf @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account required pam_nologin.so +account include system-auth +session include system-auth diff --git a/ocserv.conf b/ocserv.conf new file mode 100644 index 00000000..02a51238 --- /dev/null +++ b/ocserv.conf @@ -0,0 +1,610 @@ +### The following directives do not change with server reload. +# +# User authentication method. To require multiple methods to be +# used for the user to login, add multiple auth directives. The values +# in the 'auth' directive are AND composed (if multiple all must +# succeed). +# Available options: certificate, plain, pam, radius, gssapi. +# Note that authentication methods utilizing passwords cannot be +# combined (e.g., the plain, pam or radius methods). +# +# certificate: +# This indicates that all connecting users must present a certificate. +# The username and user group will be then extracted from it (see +# cert-user-oid and cert-group-oid). The certificate to be accepted +# it must be signed by the CA certificate as specified in 'ca-cert' and +# it must not be listed in the CRL, as specified by the 'crl' option. +# +# pam[gid-min=1000]: +# This enabled PAM authentication of the user. The gid-min option is used +# by auto-select-group option, in order to select the minimum valid group ID. +# +# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname1,groupname2:encoded-password" +# One entry must be listed per line, and 'ocpasswd' should be used +# to generate password entries. The 'otp' suboption allows to specify +# an oath password file to be used for one time passwords; the format of +# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +# +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: +# The radius option requires specifying freeradius-client configuration +# file. If the groupconfig option is set, then config-per-user will be overriden, +# and all configuration will be read from radius. The 'override-interim-updates' if set to +# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. +# +# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] +# The gssapi option allows to use authentication methods supported by GSSAPI, +# such as Kerberos tickets with ocserv. It should be best used as an alternative +# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with +# tickets and without tickets to login. The default value for require-local-user-map +# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented +# to have been issued within the provided number of seconds. That option is used to +# restrict logins even if the KDC provides long time TGT tickets. + +#auth = "pam" +auth = "pam[gid-min=500]" +#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" +#auth = "certificate" +#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" + +# Specify alternative authentication methods that are sufficient +# for authentication. That is, if set, any of the methods enabled +# will be sufficient to login, irrespective of the main 'auth' entries. +# When multiple options are present, they are OR composed (any of them +# succeeding allows login). +#enable-auth = "certificate" +#enable-auth = "gssapi" +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" + +# Accounting methods available: +# radius: can be combined with any authentication method, it provides +# radius accounting to available users (see also stats-report-time). +# +# pam: can be combined with any authentication method, it provides +# a validation of the connecting user's name using PAM. It is +# superfluous to use this method when authentication is already +# PAM. +# +# Only one accounting method can be specified. +#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# When the server has a dynamic DNS address (that may change), +# should set that to true to ask the client to resolve again on +# reconnects. +#listen-host-is-dyndns = true + +# TCP and UDP port number +tcp-port = 443 +udp-port = 443 + +# Accept connections using a socket file. It accepts HTTP +# connections (i.e., without SSL/TLS unlike its TCP counterpart), +# and uses it as the primary channel. That option cannot be +# combined with certificate authentication. +#listen-clear-file = /var/run/ocserv-conn.socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = ocserv +run-as-group = ocserv + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /run/occtl.socket + +# socket file used for server IPC (worker-main), will be appended with .PID +# It must be accessible within the chroot environment (if any), so it is best +# specified relatively to the chroot directory. +socket-file = ocserv.sock + +# The default server directory. Does not require any devices present. +chroot-dir = /var/lib/ocserv + + +### All configuration options below this line are reloaded on a SIGHUP. +### The options above, will remain unchanged. Note however, that the +### server-cert, server-key, dh-params and ca-cert options will be reloaded +### if the provided file changes, on server reload. That allows certificate +### rotation, but requires the server key to remain the same for seamless +### operation. If the server key changes on reload, there may be connection +### failures during the reloading time. + + +# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +# system calls allowed to a worker process, in order to reduce damage from a +# bug in the worker process. It is available on Linux systems at a performance cost. +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +# Note however, that process isolation is restricted to the specific libc versions +# the isolation was tested at. If you get random failures on worker processes, try +# disabling that option and report the failures you, along with system and debugging +# information at: https://gitlab.com/ocserv/ocserv/issues +isolate-workers = true + +# A banner to be displayed on clients +#banner = "Welcome" + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Stats report time. The number of seconds after which each +# worker process will report its usage statistics (number of +# bytes transferred etc). This is useful when accounting like +# radius is in use. +#stats-report-time = 360 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +# Note that when the client is behind a NAT this value +# needs to be short enough to prevent the NAT disassociating +# his UDP session from the port number. Otherwise the client +# could have his UDP connection stalled, for several minutes. +dpd = 90 + +# Dead peer detection for mobile clients. That needs to +# be higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. +# The mobile clients are distinguished from the header +# 'X-AnyConnect-Identifier-DeviceType'. +mobile-dpd = 1800 + +# If using DTLS, and no UDP traffic is received for this +# many seconds, attempt to send future traffic over the TCP +# connection instead, in an attempt to wake up the client +# in the case that there is a NAT and the UDP translation +# was deleted. If this is unset, do not attempt to use this +# recovery mechanism. +switch-to-tcp-timeout = 25 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. +# The certificate files will be reloaded when changed allowing for in-place +# certificate renewal (they are checked and reloaded periodically; +# a SIGHUP signal to main server will force reload). + +server-cert = /etc/pki/ocserv/public/server.crt +server-key = /etc/pki/ocserv/private/server.key + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11, TPM or encrypted keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The password or PIN needed to unlock the key in server-key file. +# Only needed if the file is encrypted or a PKCS #11 object. This +# is an alternative method to pin-file. +#key-pin = 1234 + +# The SRK PIN for TPM. +# This is an alternative method to srk-pin-file. +#srk-pin = 1234 + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +ca-cert = /etc/pki/ocserv/cacerts/ca.crt + +# The object identifier that will be used to read the user ID in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# The revocation list of the certificates issued by the 'ca-cert' above. +# See the manual to generate an empty CRL initially. The CRL will be reloaded +# periodically when ocserv detects a change in the file. To force a reload use +# SIGHUP. +#crl = /path/to/crl.pem + +# Uncomment this to enable compression negotiation (LZS, LZ4). +#compression = true + +# Set the minimum size under which a packet will not be compressed. +# That is to allow low-latency for VoIP packets. The default size +# is 256 bytes. Modify it if the clients typically use compression +# as well of VoIP with codecs that exceed the default value. +#no-compress-limit = 256 + +# GnuTLS priority string; note that SSL 3.0 is disabled by default +# as there are no openconnect (and possibly anyconnect clients) using +# that protocol. The string below does not enforce perfect forward +# secrecy, in order to be compatible with legacy clients. +# +# Note that the most performant ciphersuites are the moment are the ones +# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and +# in addition require no padding, thus taking full advantage of the MTU. +# For that to be taken advantage of, the openconnect client must be +# used, and the server must be compiled against GnuTLS 3.2.7 or later. +# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance +# difference with AES_128_CBC_SHA1 (the default for anyconnect clients) +# in your system. + +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" + +# More combinations in priority strings are available, check +# http://gnutls.org/manual/html_node/Priority-Strings.html +# E.g., the string below enforces perfect forward secrecy (PFS) +# on the main channel. +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" + +# That option requires the established DTLS channel to use the same +# cipher as the primary TLS channel. This cannot be combined with +# listen-clear-file since the ciphersuite information is not available +# in that configuration. Note also, that this option implies that +# dtls-legacy option is false; this option cannot be enforced +# in the legacy/compat protocol. +#match-tls-dtls-ciphers = true + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 240 + +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. +#session-timeout = 86400 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +min-reauth-time = 300 + +# Banning clients in ocserv works with a point system. IP addresses +# that get a score over that configured number are banned for +# min-reauth-time seconds. By default a wrong password attempt is 10 points, +# a KKDCP POST is 1 point, and a connection is 1 point. Note that +# due to difference processes being involved the count of points +# will not be real-time precise. +# +# Score banning cannot be reliably used when receiving proxied connections +# locally from an HTTP server (i.e., when listen-clear-file is used). +# +# Set to zero to disable. +max-ban-score = 50 + +# The time (in seconds) that all score kept for a client is reset. +ban-reset-time = 300 + +# In case you'd like to change the default points. +#ban-points-wrong-password = 10 +#ban-points-connection = 1 +#ban-points-kkdcp = 1 + +# Cookie timeout (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. That cookie will be invalided if not +# used within this timeout value. On a user disconnection, that +# cookie will also be active for this time amount prior to be +# invalid. That should allow a reasonable amount of time for roaming +# between different networks. +cookie-timeout = 300 + +# If this is enabled (not recommended) the cookies will stay +# valid even after a user manually disconnects, and until they +# expire. This may improve roaming with some broken clients. +#persistent-cookies = true + +# Whether roaming is allowed, i.e., if true a cookie is +# restricted to a single IP address and cannot be re-used +# from a different IP. +deny-roaming = false + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable (note +# that, some clients fail if rekey is disabled). +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. +# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl + +# Script to call when a client connects and obtains an IP. +# The following parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local +# interface IP the client connected), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 +# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". +# In addition the following variables OCSERV_ROUTES (the applied routes for this +# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), +# will contain a space separated list of routes or DNS servers. A version +# of these variables with the 4 or 6 suffix will contain only the IPv4 or +# IPv6 values. + +# The disconnect script will receive the additional values: STATS_BYTES_IN, +# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes +# output from the tun device, and the duration of the session in seconds. + +#connect-script = /usr/bin/ocserv-script +#disconnect-script = /usr/bin/ocserv-script + +# UTMP +# Register the connected clients to utmp. This will allow viewing +# the connected clients using the command 'who'. +#use-utmp = true + +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# PID file. It can be overriden in the command line. +pid-file = /run/ocserv.pid + +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. +#cgroup = "cpuset,cpu:test" + +# +# Network settings +# + +# The name to use for the tun device +device = vpns + +# Whether the generated IPs will be predictable, i.e., IP stays the +# same for the same user when possible. +predictable-ips = true + +# The default domain to be advertised +default-domain = example.com + +# The pool of addresses that leases will be given from. If the leases +# are given via Radius, or via the explicit-ip? per-user config option then +# these network values should contain a network with at least a single +# address that will remain under the full control of ocserv (that is +# to be able to assign the local part of the tun device address). +#ipv4-network = 192.168.1.0 +#ipv4-netmask = 255.255.255.0 + +# An alternative way of specifying the network: +#ipv4-network = 192.168.1.0/24 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fda9:4efe:7e3b:03ea::/64 + +# Specify the size of the network to provide to clients. It is +# generally recommended to provide clients with a /64 network in +# IPv6, but any subnet may be specified. To provide clients only +# with a single IP use the prefix 128. +#ipv6-subnet-prefix = 128 +#ipv6-subnet-prefix = 64 + +# Whether to tunnel all DNS queries via the VPN. This is the default +# when a default route is set. +#tunnel-all-dns = true + +# The advertized DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +#dns = 192.168.1.2 + +# The NBNS server (if any) +#nbns = 192.168.1.3 + +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +# Only set to true, if there can be occupied addresses in the +# IP range for leases. +ping-leases = false + +# Use this option to enforce an MTU value to the incoming +# connections. Unset to use the default MTU of the TUN device. +#mtu = 1420 + +# Unset to enable bandwidth restrictions (in bytes/sec). The +# setting here is global, but can also be set per user or per group. +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 + +# The number of packets (of MTU size) that are available in +# the output buffer. The default is low to improve latency. +# Setting it higher will improve throughput. +#output-buffer = 10 + +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server, or use the special keyword +# 'default'. + +#route = 10.10.10.0/255.255.255.0 +#route = 192.168.0.0/255.255.0.0 +#route = fef4:db8:1000:1001::/64 + +# Subsets of the routes above that will not be routed by +# the server. + +#no-route = 192.168.5.0/255.255.255.0 + +# If set, the script /usr/bin/ocserv-fw will be called to restrict +# the user to its allowed routes and prevent him from accessing +# any other routes. In case of defaultroute, the no-routes are restricted. +# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw +# --removeall. This option can be set globally or in the per-user configuration. +#restrict-user-to-routes = true + +# When set to true, all client's iroutes are made visible to all +# connecting clients except for the ones offering them. This option +# only makes sense if config-per-user is set. +#expose-iroutes = true + +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +# The group may be followed by a user-friendly name in brackets. +#select-group = group1 +#select-group = group2[My special group] + +# The name of the (virtual) group that if selected it would assign the user +# to its default group. +#default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. +#auto-select-group = true + +# Configuration files that will be applied per user connection or +# per group. Each file name on these directories must match the username +# or the groupname. +# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# user-profile, cgroup, stats-report-time, and session-timeout. +# +# Note that the 'iroute' option allows to add routes on the server +# based on a user or group. The syntax depends on the input accepted +# by the commands route-add-cmd and route-del-cmd (see below). The no-udp +# is a boolean option (e.g., no-udp = true), and will prevent a UDP session +# for that specific user or group. + +#config-per-user = /etc/ocserv/config-per-user/ +#config-per-group = /etc/ocserv/config-per-group/ + +# When config-per-xxx is specified and there is no group or user that +# matches, then utilize the following configuration. +#default-user-config = /etc/ocserv/defaults/user.conf +#default-group-config = /etc/ocserv/defaults/group.conf + +# The system command to use to setup a route. %{R} will be replaced with the +# route/mask and %{D} with the (tun) device. +# +# The following example is from linux systems. %R should be something +# like 192.168.2.0/24 (the argument of iroute). + +#route-add-cmd = "ip route add %{R} dev %{D}" +#route-del-cmd = "ip route delete %{R} dev %{D}" + +# This option allows to forward a proxy. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#proxy-url = http://example.com/ +#proxy-url = http://example.com/%{U}/ + +# This option allows you to specify a URL location where a client can +# post using MS-KKDCP, and the message will be forwarded to the provided +# KDC server. That is a translation URL between HTTP and Kerberos. +# In MIT kerberos you'll need to add in realms: +# EXAMPLE.COM = { +# kdc = https://ocserv.example.com/kerberos +# http_anchors = FILE:/etc/ocserv-ca.pem +# } +# This option is available if ocserv is compiled with GSSAPI support. + +#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT +#kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88 +#kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88 + +# +# The following options are for (experimental) AnyConnect client +# compatibility. + +# This option will enable the pre-draft-DTLS version of DTLS, and +# will not require clients to present their certificate on every TLS +# connection. It must be set to true to support legacy CISCO clients +# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. +cisco-client-compat = true + +# This option allows to disable the DTLS-PSK negotiation (enabled by default). +# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate +# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the +# DTLS channel to negotiate its ciphers and the DTLS protocol version. +#dtls-psk = false + +# This option allows to disable the legacy DTLS negotiation (enabled by default, +# but that may change in the future). +# The legacy DTLS uses a pre-draft version of the DTLS protocol and was +# from AnyConnect protocol. It has several limitations, that are addressed +# by the dtls-psk protocol supported by openconnect 7.08+. +dtls-legacy = true + +# Client profile xml. A sample file exists in doc/profile.xml. +# It is required by some of the CISCO clients. +# This file must be accessible from inside the worker's chroot. +user-profile = profile.xml + +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. You shouldn't +# need to use this option normally; if you do and you think that +# this may help others, please send your settings and reason to +# the openconnect mailing list. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#custom-header = "X-My-Header: hi there" + diff --git a/ocserv.init b/ocserv.init new file mode 100644 index 00000000..23b435e7 --- /dev/null +++ b/ocserv.init @@ -0,0 +1,103 @@ +#!/bin/sh +# +# ocserv OpenConnect SSL VPN server +# +# +# chkconfig: - 24 76 +# description: OpenConnect SSL VPN server +# processname: ocserv +# config: /etc/ocserv/ocserv.conf +# pidfile: /var/run/ocserv.pid + +### BEGIN INIT INFO +# Provides: ocserv +# Required-Start: $network +# Required-Stop: $network +# Short-Description: start and stop ocserv +# Description: ocserv is a VPN server +### END INIT INFO + +WITHOUT_RC_COMPAT=1 + +# Source function library. +. /etc/init.d/functions + +# Source networking configuration. +SourceIfNotEmpty /etc/sysconfig/network + +PIDFILE=/var/run/ocserv.pid +LOCKFILE=/var/lock/subsys/ocserv +GENKEY=/usr/sbin/ocserv-genkey +RETVAL=0 + + +start() +{ + is_yes "$NETWORKING" || return 0 + modprobe -q tun >/dev/null 2>&1 + if [ -x "$GENKEY" ]; then + action "Generate SSL certificate" "$GENKEY" + fi + start_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" --expect-user root -- ocserv --pid-file "$PIDFILE" --config /etc/ocserv/ocserv.conf + RETVAL=$? + return $RETVAL +} + +stop() { + stop_daemon --pidfile "$PIDFILE" --lockfile "$LOCKFILE" --expect-user root -- ocserv + RETVAL=$? + return $RETVAL +} + +restart() +{ + stop + start +} + +reload() +{ + msg_reloading multipathd + stop_daemon --pidfile "$PIDFILE" --expect-user root -HUP -- ocserv + RETVAL=$? + return $RETVAL +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + reload) + reload + ;; + restart) + restart + ;; + condstop) + if [ -e "$LOCKFILE" ]; then + stop + fi + ;; + condrestart) + if [ -e "$LOCKFILE" ]; then + restart + fi + ;; + condreload) + if [ -e "$LOCKFILE" ]; then + reload + fi + ;; + status) + occtl show status + ;; + *) + msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}" + RETVAL=1 +esac + +exit $RETVAL diff --git a/ocserv.spec b/ocserv.spec new file mode 100644 index 00000000..2b2168c2 --- /dev/null +++ b/ocserv.spec @@ -0,0 +1,183 @@ +%global _unpackaged_files_terminate_build 1 +%define _localstatedir /var +%def_with maxmind +%def_enable man +%def_disable check + +Name: ocserv +Version: 1.2.1 +Release: alt1 + +Summary: OpenConnect SSL VPN server +License: GPLv2+ +Group: System/Servers + +Url: http://www.infradead.org/ocserv/ +Source: %name-%version.tar +Patch: %name-%version-%release.patch + +BuildRequires: libnettle-devel >= 2.7 +BuildRequires: libgnutls-devel >= 3.3.0 +BuildRequires: libprotobuf-c-devel protobuf-c-compiler +BuildRequires: libev-devel +BuildRequires: libtalloc-devel +BuildRequires: libnl-devel >= 3.1 +%if_with maxmind +BuildRequires: libmaxminddb-devel >= 1.0.0 +%else +BuildRequires: libGeoIP-devel >= 1.6.0 +%endif +BuildRequires: libreadline-devel +BuildRequires: liboath-devel +BuildRequires: libpam-devel +BuildRequires: uid_wrapper socket_wrapper nss_wrapper pam_wrapper +BuildRequires: libradcli-devel >= 1.2.5 +BuildRequires: libseccomp-devel +BuildRequires: libsystemd-devel +BuildRequires: libhttp-parser-devel +BuildRequires: liblz4-devel +BuildRequires: libkrb5-devel libtasn1-devel >= 3.4 +BuildRequires: libpcl-devel +BuildRequires: iproute2 gnutls-utils +BuildRequires: gperf +BuildRequires: haproxy +BuildRequires: openconnect +BuildRequires: curl +BuildRequires: gssntlmssp +BuildRequires: /proc +%if_enabled man +BuildRequires: /usr/bin/ronn +%endif + +Requires: gnutls-utils +Requires: iproute2 + +%description +OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a +secure, small, fast and configurable VPN server. It implements the OpenConnect +SSL VPN protocol, and has also (currently experimental) compatibility with +clients using the AnyConnect SSL VPN protocol. The OpenConnect VPN protocol +uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS +to provide the secure VPN service. + +%prep +%setup +%patch -p1 + +rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h +rm -rf src/protobuf/protobuf-c/ +touch src/*.proto +rm -rf src/ccan/talloc +rm -f src/pcl/*.c src/pcl/*.h +sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c +sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config + +%build +%autoreconf + +%configure \ + --enable-systemd \ + --without-libwrap \ + --without-root-tests \ + --runstatedir=/run \ + %{subst_with maxmind} + +%make_build + +%install +%makeinstall_std + +mkdir -p %buildroot%_sysconfdir/pam.d +mkdir -p %buildroot%_sysconfdir/ocserv +install -p -m 644 ocserv-pamd.conf %buildroot%_sysconfdir/pam.d/ocserv +install -p -m 644 ocserv.conf %buildroot%_sysconfdir/ocserv +mkdir -p %buildroot%_localstatedir/lib/ocserv +install -p -m 644 doc/profile.xml %buildroot%_localstatedir/lib/ocserv +mkdir -p %buildroot%_unitdir +install -p -m 644 doc/systemd/standalone/%name.service %buildroot%_unitdir +install -p -m 755 doc/scripts/ocserv-script %buildroot%_bindir +mkdir -p %buildroot%_initrddir +install -D -m 0755 ocserv.init %buildroot%_initrddir/%name + +%check +export PATH=/sbin:/usr/sbin:$PATH +%make check VERBOSE=1 + +%pre +%_sbindir/groupadd -r -f %name 2>/dev/null ||: +%_sbindir/useradd -r -g %name -G %name -c 'Ocserv VPN Daemon' \ + -s /sbin/nologin -d %_localstatedir/lib/%name %name 2>/dev/null ||: + +%post +%post_service %name + +%preun +%preun_service %name + +%files +%doc NEWS COPYING README.md +%dir %_localstatedir/lib/ocserv +%dir %_sysconfdir/ocserv +%config(noreplace) %_sysconfdir/ocserv/ocserv.conf +%config(noreplace) %_sysconfdir/pam.d/ocserv +%if_enabled man +%_man8dir/* +%endif +%_bindir/ocpasswd +%_bindir/occtl +%_bindir/%name-fw +%_bindir/%name-script +%_sbindir/%name +%_sbindir/%name-worker +%_localstatedir/lib/ocserv/profile.xml +%_unitdir/%name.service +%_initdir/%name + +%changelog +* Thu Sep 07 2023 Alexey Shabalin 1.2.1-alt1 +- 1new version 1.2.1 + +* Tue Dec 27 2022 Alexey Shabalin 1.1.6-alt2 +- Backported upstream patches +- Disable check (new hasher or make?) + +* Wed Mar 02 2022 Alexey Shabalin 1.1.6-alt1 +- new version 1.1.6 + +* Wed Dec 22 2021 Alexey Shabalin 1.1.5-alt1 +- new version 1.1.5 + +* Thu Sep 16 2021 Michael Shigorin 1.1.3-alt1.1 +- introduce man knob (on by default) + +* Mon Jul 19 2021 Alexey Shabalin 1.1.3-alt1 +- new version 1.1.3 + +* Fri May 28 2021 Alexey Shabalin 1.1.2-alt3 +- fixed check on 32-bit arches (glebfm@) + +* Sun May 16 2021 Alexey Shabalin 1.1.2-alt2 +- disable check for 32-bit arches + +* Fri Jan 29 2021 Alexey Shabalin 1.1.2-alt1 +- new version 1.1.2 + +* Tue Nov 24 2020 Alexey Shabalin 1.1.1-alt1 +- new version 1.1.1 + +* Tue Jul 21 2020 Alexey Shabalin 1.1.0-alt1 +- new version 1.1.0 + +* Fri May 08 2020 Alexey Shabalin 1.0.1-alt1 +- new version 1.0.1 + +* Thu Apr 02 2020 Alexey Shabalin 1.0.0-alt1 +- new version 1.0.0 + +* Thu Dec 19 2019 Alexey Shabalin 0.12.5-alt1 +- 0.12.5 +- build with libmaxminddb + +* Tue Sep 24 2019 Alexey Shabalin 0.12.4-alt1 +- initial build for ALT + diff --git a/src/worker-privs.c b/src/worker-privs.c index c48bce26..33b4a035 100644 --- a/src/worker-privs.c +++ b/src/worker-privs.c @@ -104,7 +104,11 @@ int disable_system_calls(struct worker_st *ws) /* Socket wrapper tests use additional syscalls; only enable * them when socket wrapper is active */ if (getenv("SOCKET_WRAPPER_DIR") != NULL) { +#ifdef __NR_lstat64 + ADD_SYSCALL(lstat64, 0); +#endif ADD_SYSCALL(readlink, 0); + ADD_SYSCALL(readlinkat, 0); } /* we use quite some system calls here, and in the end diff --git a/tests/data/haproxy-auth.cfg b/tests/data/haproxy-auth.cfg index c7570b9e..7bcbfa2b 100644 --- a/tests/data/haproxy-auth.cfg +++ b/tests/data/haproxy-auth.cfg @@ -1,6 +1,6 @@ global - user haproxy - group haproxy + user _haproxy + group _haproxy #daemon # Default SSL material locations