Article delegate-en/3970 of [1-5169] on the server localhost:119
[Reference:<_A3962@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: parameter encryption with -Fenc (Re: Delegate - encrypted .cdh config on win xp)
12 May 2008 08:37:55 GMT "Killian, Jan" <ppahqbdyi-xg5aseezbelr.ml@ml.delegate.org>


Hi Yutaka,

I moved the proxy (dg 9.8.1) to linux, where the encryption (-Fenc)
works OK :-)

Just one more question: can I somehow make delegate not put my parent
proxy password into logs and the '$dgroot/etc/params/${port/:/_}' file?

Currently I'm just removing the params file, and replacing the passwords
in logfile with ***. Doing that just after delegate start works ok for
me, but is not very clean ;-)

Also if anyone's interested, I'm attaching some bash scripts I use with
delegate:

addprivateproxy		.. make encrypted /etc/delegate/$user/dg.enc,
plaintext /etc/delegate/$user/dg.port, and create dgroot
/var/delegate/$user
startprivateproxy		.. start proxy with encrypted
configuration for current user
stopprivateproxy		.. stop
tailprivateproxy		.. display log in multitail
proxy_shell		.. create special user for running the proxy,
and give him this shell for proxy control via ssh
sedf			.. shortcut to apply sed command on file, used
by startprivateproxy to remove parent proxy password from logfile

The encryption password is generated to allow automatic start (security
by obscurity), which can be easily changed to prompt.

Enjoy!
Jan
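The scrubbing step Jan describes (replacing the passwords in the logfile with ***) can be done as a small filter rather than an ad-hoc sed call. The following is an added example, not one of the attached scripts and not DeleGate code: it redacts the secret portion of the parameter forms that appear elsewhere in this thread (MYAUTH=user:pass:scheme, PASSWD=ext:::pass, CRYPT=pass:key) while leaving non-secret parameters such as PROXY=host:port untouched. The sample log lines are constructed for the example and the credentials in them are invented.

```python
import re
import sys

# Patterns for parameters whose value carries a secret. Group 1 is the
# prefix to keep, group 2 the secret to replace. The parameter names come
# from the commands and log excerpts in this thread; the redaction rules
# themselves are this example's own (DeleGate has no such built-in filter
# that the thread mentions).
_REDACTION_RULES = [
    # MYAUTH=DOMAIN\user:password:http-proxy  -> keep user, hide password
    (re.compile(r"(MYAUTH=[^:\s]+:)([^:\s]+)"), r"\1***"),
    # PASSWD=ext:::passphrase  (the -Fenc passphrase echoed on the console)
    (re.compile(r"(PASSWD=ext:::)(\S+)"), r"\1***"),
    # CRYPT=pass:MasterKey  (the dgauth repository master key)
    (re.compile(r"(CRYPT=pass:)(\S+)"), r"\1***"),
]


def redact_line(line):
    """Return one log line with every recognised secret replaced by ***."""
    for pattern, replacement in _REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


def redact_log(text):
    """Redact a whole log text, preserving line structure."""
    return "".join(redact_line(line) for line in text.splitlines(keepends=True))


# Constructed sample in the style of the -vt startup log quoted in this
# thread; the host, user and passwords are invented.
SAMPLE_LOG = """\
05/05 13:55:52.79 [3512] 0+0: arg[4] PROXY=proxy.example.net:8080
05/05 13:55:52.79 [3512] 0+0: arg[10] MYAUTH=CORP\\jan:s3cret:http-proxy
**** PASSWD=ext:::temppwd
**** CRYPT=pass:temppwd
05/05 13:55:52.79 [3512] 0+0: arg[9] PERMIT=*:*:-/22
"""


if __name__ == "__main__":
    # Filter mode: read a log on stdin, write the redacted log to stdout,
    # e.g.  python redact.py < dg.log > dg.redacted.log
    sys.stdout.write(redact_log(sys.stdin.read()))
```

Usage: pipe the logfile through the script, or call `redact_log()` on the text. Passwords that themselves contain ':' or whitespace will not be fully matched by these patterns; extend the rules if such values occur. As the original message already notes, post-hoc scrubbing only narrows the window in which the secret sits on disk, so a redacted copy should replace, not sit beside, the original.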
 

-----Original Message-----
From: Killian, Jan 
Sent: Monday, May 05, 2008 2:16 PM
To: 'feedback@delegate.org'
Subject: RE: parameter encryption with -Fenc (Re: Delegate - encrypted
.cdh config on win xp)

Hi Yutaka,

Thanks for your kind and detailed explanation of the credhy/enc/imp
concepts.

I tried the first 2 methods with 9.8.1 and 9.7.7-fix1, but it does not
work for me on xp sp2.

0. Unencrypted:

    * edited dg.cnf to contain:
        MYAUTH=**USERDOMAIN**\\**USERNAME**:**PASSWORD**:http-proxy

    * executed:
        "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.cnf

    => everything worked OK


1. Credhy:

    * generated random config password:
        1a1dd8f59d8d585ca91bffd8f9db50b7

    * encrypted config file:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy
1a1dd8f59d8d585ca91bffd8f9db50b7  <  dg.cnf  >  dg.cdh
        KEY =
62201621622B273AB65F44C8597779D45461D4267A8E119BA7576FA82102728ACDFC
        CRC32 = 0xB1004B5D 2969586525

    * stored config password in dgauth:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fauth -a
config:1a1dd8f59d8d585ca91bffd8f9db50b7 -dgauth@admin
        **** Specify the key of encryption for 'dgauth'
        **** CRYPT=pass:temppwd
        +OK added the auth.
        PATH:
d:\tmp\.dg/adm/authorizer/-dgauth@admin/e42d0b5c151e782b46c5374afb07528f
        AUTH: dgauth://config@-dgauth@admin:8787
        PASS: a900f83595ab4c61e25be86188fe355f
0B0A6EC74A42BFF7FDAD3304C5BD0DFF205F6D8F61425A1DF90D109ADE77958867768790
44D11B862EEB61FA7E5749EXPIRE: 1B

    * started delegate:
        * "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.cdh
        **** Specify the key of encryption for 'dgauth'
        **** CRYPT=pass:temppwd
        "d:\tmp\.dg/act/pid/**PORT**": kill(2572,SIGTERM) = -1 (0) **
ERROR **
        Config: WindowsNT; FileSize-Bits=64/64,32/32,32;
sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread;
stty=none; fmem=953/0/2047M; MSC=1400
        DeleGate/9.7.7-fix1 (November 14, 2007)

    => browser connection to proxy timed out:

        05/05 13:55:47.36 [2104] 0+0: ... gethostname(**HOSTNAME**)
        05/05 13:55:47.36 [2104] 0+0: configuring default RESOLV ...
        05/05 13:55:47.36 [2104] 0+0: ... gethostname()='**HOSTNAME**'
        05/05 13:55:47.36 [2104] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
        05/05 13:55:47.42 [2104] 0+0: ... DNS: **MY_IP** ->
**HOSTNAME**.**MY_DOMAIN**
        05/05 13:55:47.42 [2104] 0+0: ... DNS available
        05/05 13:55:47.42 [2104] 0+0: ... NIS not available (no default
domain)
        05/05 13:55:47.42 [2104] 0+0: ... export RES_ORDER=CFD
        05/05 13:55:47.42 [2104] 0+0: export RESOLV=cache,file,dns (set
by default)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 13:55:47.43 [2104] 0+0: --INITIALIZATION
START-08050513+0100: 9.7.7-fix1 on WindowsNT--
        05/05 13:55:47.43 [2104] 0+0: EXECDIR=d:\app\delegate
        05/05 13:55:47.43 [2104] 0+0: BINSHELL=/bin/sh
        05/05 13:55:47.43 [2104] 0+0: MAXIMA=delegated:64 for small
mem=945M
        (WIN) 55:47.434 [2104] #### send_file (2104,1)[1876,7] ->
2104[1864,0] (0,Err=87)
        (WIN) 55:47.434 [2104] #### file to be sent fd=1 -> 0 8380000
137887744
        05/05 13:55:47.51 [2104] 0+0: #### KEY CRYPT=master DUMPED
4B0D8D8C TO
d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
        05/05 13:55:47.51 [2104] 0+0: #### start a service...
        05/05 13:55:47.53 [2104] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 13:55:47.53 [2104] 0+0: server_open(delegate,:**PORT**)
BOUND
        05/05 13:55:52.65 [3512] 0+0: ## RES_ORDER=CFD
        05/05 13:55:52.67 [3512] 0+0: ... gethostname(**HOSTNAME**)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 13:55:52.68 [3512] 0+0: --INITIALIZATION
START-08050513+0100: 9.7.7-fix1 on WindowsNT--
        05/05 13:55:52.68 [3512] 0+0: EXECDIR=d:\app\delegate
        05/05 13:55:52.68 [3512] 0+0: BINSHELL=/bin/sh
        05/05 13:55:52.68 [3512] 0+0: MAXIMA=delegated:64 for small
mem=946M
        05/05 13:55:52.70 [3512] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 13:55:52.75 [3512] 0+0: server_open(delegate,:**PORT**)
BOUND
        05/05 13:55:52.75 [3512] 0+0: DGROOT=d:\tmp\.dg^M
        05/05 13:55:52.75 [3512] 0+0: <DeleGate/9.7.7-fix1> [3512]
-P**PORT** READY^M
        05/05 13:55:52.75 [3512] 0+0: PORT= **PORT**/10 (38,148)
        05/05 13:55:52.75 [3512] 0+0: OWNER=nobody => OWNER=?/?(?/?)
        05/05 13:55:52.76 [3512] 0+0: REMITTABLE =
http,https/{80,443},gopher,ftp,wais
        05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 0 dglibdgzlib1.dll
        05/05 13:55:52.78 [3512] 0+0: --- [d:\app\delegate\dgzlib1.dll]
        05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 10000000
d:\app\delegate\dgzlib1.dll
        05/05 13:55:52.78 [3512] 0+0: ---- [dgzlib1] loaded 15 syms,
unknown=0+0, already=0
        05/05 13:55:52.78 [3512] 0+0: +++ loaded Zlib
1.2.3.f-DeleGate-v2
        05/05 13:55:52.78 [3512] 0+0: #### gzip/gunzip = dynamically
linked
        05/05 13:55:52.78 [3512] 0+0: ADMIN=**USERNAME**
protocol=http(specialist)
        05/05 13:55:52.78 [3512] 0+0: WORKDIR=d:\tmp\.dg/work/**PORT**
        05/05 13:55:52.79 [3512] 0+0: MOUNT[0]X[2] /-/builtin/icons/* =
default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[1]X[3] /-/* =
forbidden,from=!.RELIABLE,default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[2]X[0] /-* = default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[3]X[1] /=* = default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[4]=[4] /favicon.ico
builtin:icons/ysato/default.ico
default,direction=fo,onerror=404,expires=15m
        05/05 13:55:52.79 [3512] 0+0: #### stack size limit = FFFFFFFF
(-1)
        05/05 13:55:52.79 [3512] 0+0: Stay open PIDFILE for accept()
lock[fd=14]
        05/05 13:55:52.79 [3512] 0+0:
StickyReport[15,16]127.0.0.1:1823><127.0.0.1:1824 8192/64512 8192/65536
        05/05 13:55:52.79 [3512] 0+0: env[49]
LIBPATH=.;C:\WINDOWS\system32;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/
etc
        05/05 13:55:52.79 [3512] 0+0: arg[1]
LIBPATH=.;D:\Tmp\.dg;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/etc
        05/05 13:55:52.79 [3512] 0+0: arg[2] RESOLV=cache,file,dns
        05/05 13:55:52.79 [3512] 0+0: arg[3] SERVER=http
        05/05 13:55:52.79 [3512] 0+0: arg[4]
PROXY=**PARENT_PROXY**:**PARENT_PROXY_PORT**
        05/05 13:55:52.79 [3512] 0+0: arg[5] DGROOT=d:\tmp\.dg
        05/05 13:55:52.79 [3512] 0+0: arg[6] ADMIN=**USERNAME**
        05/05 13:55:52.79 [3512] 0+0: arg[7] CACHE=no
        05/05 13:55:52.79 [3512] 0+0: arg[8] RES_WAIT=0
        05/05 13:55:52.79 [3512] 0+0: arg[9] PERMIT=*:*:-/22
        05/05 13:55:52.82 [3512] 0+0: Encrypted with the CRYPT
MasterKey: 350->351 ${ETCDIR}/params/${PORT}.cdh
        05/05 13:55:52.82 [3512] 0+0: DELEGATE_Modified[1]: 481ef5c8
1209988552
        05/05 13:55:52.82 [3512] 0+0: --INITIALIZATION
DONE-08050513+0100: 9.7.7-fix1 on WindowsNT--
        (WIN) 55:58.184 [3512] spawn() = 380 [2584], children(alive=1/1)
0.047s
        05/05 13:55:58.18 [3512] 1+0: spawn() = 380 [2584],
children(alive=1/1) 0.047s
        05/05 13:56:28.48 [3580] 0+0: PORT> -P**PORT**
        05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)
        (WIN) 56:28.481 [3580] kill(3512,15) = -1, failed
GetExitCodeProcess()
        05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)=-1, errno=0
        (WIN) 56:28.496 [3580] [672] svc DO_FINALIZE 0 0
        (WIN) 56:28.668 [3512] [2276] svc Terminate...
        05/05 13:56:28.67 [3512] 1+0: TERMINATE...
        05/05 13:56:28.68 [3512] 1+0: #### KEY CRYPT=master DUMPED
4B0D8D8C TO
d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
        05/05 13:56:28.68 [3512] 1+0: Kill(380,15)
        05/05 13:56:28.68 [3512] 1+0: StickyKill(15): 1/1 killed
        05/05 13:56:28.68 [3512] 1+0: unlinked
d:\tmp\.dg/work/**PORT**/3512
        05/05 13:56:28.68 [3512] 1+0: removed d:\tmp\.dg/work/**PORT**/
        (WIN) 56:28.684 [3512] wait3(N) = 380 [2584] 0,
children(alive=0/1) 0.00s
        05/05 13:56:28.68 [3512] 1+0: wait3(N) = 380 [2584] 0,
children(alive=0/1) 0.00s
        05/05 13:56:28.70 [3512] 1+0: TERMINATED.
        05/05 13:56:28.70 [3512] 1+0: AcceptByMain: break on TERMINATE.
        05/05 13:56:28.70 [3512] 1+0: main loop break on TERMINATE.
        05/05 13:56:28.70 [3512] 1+0: _main() done
        05/05 13:56:28.70 [3512] 1+0: SetStatus: STOPPED
        (WIN) 56:28.700 [3512] [1980] svc SetStatus: STOPPED
        05/05 13:56:28.70 [3512] 1+0: SetStatus: STOP
        (WIN) 56:28.700 [3512] [2276] svc SetStatus: STOP
        (WIN) 56:28.700 [3512] [1980] svc ExitThread() from
ServiceStart()
        (WIN) 56:28.700 [3512] [2276] svc start_service() done (1,1,0)
        (WIN) 56:28.700 [3512] [2276] svc DO_INITIALIZE -> DO_FINALIZE
        (WIN) 56:28.700 [3512] [2276] svc DO_FINALIZE 0 0


    * With 9.8.1 I also noticed that the browser request made delegate
spawn another dg.exe process, that was not later killed with -Fkill.
With 9.7.7-fix1 I cannot reproduce it anymore.



2. Enc:

    * encrypted config file:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fenc -ktemppwd <
dg.cnf  >  dg.enc

    * started delegate:
        "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.enc
        **** PASSWD=ext:::temppwd
        Config: WindowsNT; FileSize-Bits=64/64,32/32,32;
sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread;
stty=none; fmem=954/0/2047M; MSC=1400
        DeleGate/9.7.7-fix1 (November 14, 2007)


    => browser immediately reported that it cannot connect to proxy:

        05/05 14:05:53.06 [2692] 0+0: ... gethostname(**HOSTNAME**)
        05/05 14:05:53.06 [2692] 0+0: configuring default RESOLV ...
        05/05 14:05:53.06 [2692] 0+0: ... gethostname()='**HOSTNAME**'
        05/05 14:05:53.06 [2692] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
        05/05 14:05:53.13 [2692] 0+0: ... DNS: **MY_IP** ->
**HOSTNAME**.**MY_DOMAIN**
        05/05 14:05:53.13 [2692] 0+0: ... DNS available
        05/05 14:05:53.13 [2692] 0+0: ... NIS not available (no default
domain)
        05/05 14:05:53.13 [2692] 0+0: ... export RES_ORDER=CFD
        05/05 14:05:53.13 [2692] 0+0: export RESOLV=cache,file,dns (set
by default)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 14:05:53.13 [2692] 0+0: --INITIALIZATION
START-08050514+0100: 9.7.7-fix1 on WindowsNT--
        05/05 14:05:53.13 [2692] 0+0: EXECDIR=d:\app\delegate
        05/05 14:05:53.13 [2692] 0+0: BINSHELL=/bin/sh
        05/05 14:05:53.13 [2692] 0+0: MAXIMA=delegated:64 for small
mem=955M
        (WIN) 05:53.141 [2692] #### send_file (2692,1)[1880,7] ->
2692[1896,0] (0,Err=87)
        (WIN) 05:53.141 [2692] #### file to be sent fd=1 -> 0 A840000
176422912
        05/05 14:05:53.22 [2692] 0+0: CRC ERROR 0 FFFFFFB0
        05/05 14:05:53.22 [2692] 0+0: #### KEY PASSWD=ext DUMPED
61E46143 TO
/var/tmp/authorizer/6ca8a167c094fa1d8952965a912a2c63/save/-dgauth
        05/05 14:05:53.22 [2692] 0+0: #### start a service...
        05/05 14:05:53.23 [2692] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 14:05:53.23 [2692] 0+0: server_open(delegate,:**PORT**)
BOUND


Could you kindly look at it, in case you see where I'm doing anything wrong?

Thanks,
Jan 

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Thursday, April 24, 2008 10:34 AM
To: feedback@delegate.org
Cc: Killian, Jan
Subject: parameter encryption with -Fenc (Re: Delegate - encrypted .cdh
config on win xp)

Jan,

In message <_A3961@delegate-en.ML_> on 04/24/08(16:23:34) I wrote:
 | |Then I encrypt the config:
 | |> "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy testpwd  <
dg.conf  >  dg.cdh
...
 | |**** Specify the key of encryption for 'dgauth'
 | |**** CRYPT=pass:testpwd
 |
 |Here you need to specify the "MasterKey" for the repository of
 |passwords into which your "testpwd", the passphrase for encryption of
 |configuration parameters, is stored.  And your passphrase needs to have
 |been stored in the repository as follows, encrypted with a specified
 |MasterKey:
 |
 | > dg.exe DGROOT=d:/tmp/.dg -Fauth -a config:testpwd -dgauth@admin
 | **** Specify the key of encryption for 'dgauth'
 | **** CRYPT=pass:MasterKey
 |
 |See <URL:http://www.delegate.org/delegate/Manual.htm?EncryptedConf> for
 |more details.

I should have said that the encryption of configuration parameters by
"-Fcredhy" (introduced at DeleGate/9.0.1) was a very tentative one without
the ability to verify the integrity of the decrypted data (with CRC or
MD5 or so).  Thus it generates broken data if a given key for decryption
is not equal to the one at the encryption, as shown in your case.

I added another way of encryption at DeleGate/9.4.0 by "-Fenc" which is
simpler (without password repository) and safer (with integrity check).
You can use it as follows:

 a) to see the usage

  > dg.exe -Fenc
  Usage: -Fenc [-kKey] [infile] [-o outfile] [-a arg1 arg2 ...]

 b) generate an encrypted parameter

  > dg.exe -Fenc -ktestpwd -a MYAUTH=user:pass ADMIN=foo@bar
 
+=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:

  (this "+=enc:ext::...:" is an encrypted representation of
"MYAUTH=user:pass ADMIN=foo@bar" with the encryption key "testpwd")

 c) use the encrypted parameter

  > dg.exe -v -P9999
+=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:
SERVER=http ...
  **** PASSWD=ext:::testpwd

A little more tips:

 1) encryption
  > dg.exe -Fenc -ktestpwd < conf > conf.enc

 2) decryption
  > dg.exe -Fdec -ktestpwd < conf.enc > conf

 3a) substitution (asking for the password interactively)
  > dg.exe +=conf.enc
  **** PASSWD=ext:::testpwd

 3b) substitution giving the password
  > dg.exe +=conf.enc PASSWD=ext:::testpwd

 3c) substitution without an external file for configuration
  > dg.exe +=enc:ext::1bt. ............. :"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
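The difference Yutaka draws between -Fcredhy (no integrity check, so a wrong key silently yields broken parameters) and -Fenc (integrity check, so a wrong key is rejected) is worth seeing in code. The block below is an added illustration and not DeleGate's implementation: the on-disk format of -Fenc is not described in this thread, so it uses a standard construction of its own (PBKDF2 to derive keys from the passphrase, an HMAC-SHA256 keystream in counter mode for confidentiality, and an HMAC-SHA256 tag over salt and ciphertext for integrity), with a `credhy_like_decrypt` helper that deliberately omits the tag check to reproduce the failure mode described. Function names, the parameter string and the passphrase are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Added example, not DeleGate code. Layout of a blob: salt(16) | ct | tag(32).
SALT_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for the host


def _derive_keys(passphrase, salt):
    """Derive independent encryption and MAC keys from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, length):
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_params(params, passphrase):
    """Encrypt a parameter string; output carries salt and integrity tag."""
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    pt = params.encode()
    ct = _xor(pt, _keystream(enc_key, len(pt)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def decrypt_params(blob, passphrase):
    """The -Fenc-style path: verify the tag first, refuse on mismatch."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or corrupted data")
    return _xor(ct, _keystream(enc_key, len(ct))).decode()


def credhy_like_decrypt(blob, passphrase):
    """The failure mode described for -Fcredhy: no check, so any key 'works'
    and a wrong one returns garbage instead of an error."""
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN]
    enc_key, _ = _derive_keys(passphrase, salt)
    return _xor(ct, _keystream(enc_key, len(ct)))


if __name__ == "__main__":
    blob = encrypt_params("MYAUTH=user:pass ADMIN=foo@bar", "testpwd")
    print(decrypt_params(blob, "testpwd"))
    print(credhy_like_decrypt(blob, "wrongpwd"))  # bytes, but not the params
    try:
        decrypt_params(blob, "wrongpwd")
    except ValueError as e:
        print("rejected:", e)
```

The operational lesson matches the thread: with the unauthenticated variant a typo in the passphrase produces a configuration that parses as noise and fails in confusing ways (a proxy that starts but never answers), whereas the authenticated variant fails closed with a clear error before any parameter is applied.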

