diff --git a/CHANGES b/CHANGES index 2f59152..2ef39af 100755 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,17 @@ +Changes to proxytunnel version 1.2.0 -- Thu Sep 30 11:22:03 CEST 2004 + +- Added patch by Fred Donck to store proxy username + and password in environment variables. + + Security fix + ------------ + + - Modified cmdline.c to allow passing of proxyuser and proxypass as + environment variables to prevent other users on same machine from + snooping sensitive info. + -U for env var that contains the proxy user + -S for env var that contains the proxy user's password + Changes to proxytunnel version 1.1.4 -- Wed Jun 23 21:05:35 CEST 2004 - Small solaris fix diff --git a/CREDITS b/CREDITS index 1811869..837638f 100644 --- a/CREDITS +++ b/CREDITS @@ -11,6 +11,7 @@ people. Martin Senft - Solaris patches Andrew Griffiths - String format fixes Dieter Heiliger - User-agent header idea + Fred Donck - User/Pass Env Vars Furthermore we would like to thank the wonderful people at SourceForge diff --git a/README b/README index f6e9f02..78bf893 100755 --- a/README +++ b/README @@ -3,8 +3,8 @@ proxytunnel ----------- Author: Jos Visser , Mark Janssen -Date: Wed Jun 23 21:06:26 CEST 2004 -Version: 1.1.4 +Date: Thu Sep 30 11:22:03 CEST 2004 +Version: 1.2.0 Hi all, @@ -22,7 +22,7 @@ Proxytunnel is very easy to use, when running proxytunnel with the help option it specifies it's command-line options. $ ./proxytunnel --help -Proxytunnel 1.0.7 +Proxytunnel 1.2.0 Jos Visser (Muppet) , Mark Janssen (Maniac) Purpose: 
@@ -32,16 +32,26 @@ Usage: Proxytunnel [OPTIONS]... -h --help Print help and exit -V --version Print version and exit -i --inetd Run from inetd (default=off) + -a INT --standalone=INT Run as standalone daemon on specified port -u STRING --user=STRING Username to send to HTTPS proxy for auth -s STRING --pass=STRING Password to send to HTTPS proxy for auth + -U STRING --uservar=STRING Env var with Username for HTTPS proxy auth + -S STRING --passvar=STRING Env var with Password for HTTPS proxy auth -g STRING --proxyhost=STRING HTTPS Proxy host to connect to -G INT --proxyport=INT HTTPS Proxy portnumber to connect to -d STRING --desthost=STRING Destination host to built the tunnel to -D INT --destport=INT Destination portnumber to built the tunnel to + -H STRING --header=STRING Add STRING to HTTP headers sent to proxy -n --dottedquad Convert destination hostname to dotted quad -v --verbose Turn on verbosity (default=off) -q --quiet Suppress messages (default=off) +Examples: +Proxytunnel [ -h | -V ] +Proxytunnel -i [ -u user -s pass ] -g host -G port -d host -D port [ -n ] [ -v | -q ] +Proxytunnel -i [ -U envvar -S envvar ] -g host -G port -d host -D port [ -n ] [ -v | -q ] +Proxytunnel -a port [ -u user -s pass ] -g host -G port -d host -D port [ -n ] [ -v | -q ] + To use this program with OpenSSH to connect to a host somewhere, create a $HOME/.ssh/config file with the following content: @@ -62,7 +72,9 @@ With: - 443 The port number of the SSH daemon on mybox.athome.nl If your proxy doesn't require the username and password for using it, -you can skip these options. +you can skip these options. If you are on a 'shared' system it's recommendable +to store your proxy user/password data in environment variables and then tell +proxytunnel which variables to check for this data. If you want to run proxytunnel from inetd add the '--inetd' option. diff --git a/cmdline.c b/cmdline.c index d4fa323..fd99c17 100755 --- a/cmdline.c +++ b/cmdline.c 
@@ -59,6 +59,8 @@ cmdline_parser_print_help (void)
 #endif
 " -u STRING --user=STRING Username to send to HTTPS proxy for auth\n"
 " -s STRING --pass=STRING Password to send to HTTPS proxy for auth\n"
+" -U STRING --uservar=STRING Env var with Username for HTTPS proxy auth\n"
+" -S STRING --passvar=STRING Env var with Password for HTTPS proxy auth\n"
 " -g STRING --proxyhost=STRING HTTPS Proxy host to connect to\n"
 " -G INT --proxyport=INT HTTPS Proxy portnumber to connect to\n"
 " -d STRING --desthost=STRING Destination host to built the tunnel to\n"
@@ -71,7 +73,8 @@ cmdline_parser_print_help (void)
 printf( "\nExamples:\n"
 "%s [ -h | -V ]\n"
 "%s -i [ -u user -s pass ] -g host -G port -d host -D port [ -n ] [ -v | -q ]\n"
-"%s -a port [ -u user -s pass ] -g host -G port -d host -D port [ -n ] [ -v | -q ]\n", PACKAGE, PACKAGE, PACKAGE );
+"%s -i [ -U envvar -S envvar ] -g host -G port -d host -D port [ -n ] [ -v | -q ]\n"
+"%s -a port [ -u user -s pass ] -g host -G port -d host -D port [ -n ] [ -v | -q ]\n", PACKAGE, PACKAGE, PACKAGE, PACKAGE );
 #ifndef HAVE_GETOPT_LONG
@@ -134,6 +137,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 clear_args();
 optarg = 0;
+ char * tmp_env_var;
 #ifdef HAVE_GETOPT_LONG
 optind = 1;
@@ -152,6 +156,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 { "version", 0, NULL, 'V' },
 { "user", 1, NULL, 'u' },
 { "pass", 1, NULL, 's' },
+ { "uservar", 1, NULL, 'U' },
+ { "passvar", 1, NULL, 'S' },
 { "proxyhost", 1, NULL, 'g' },
 { "proxyport", 1, NULL, 'G' },
 { "desthost", 1, NULL, 'd' },
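Review bot: The new `char * tmp_env_var;` declaration in the `@@ -134,6 +137,7 @@` hunk is placed after the statements `clear_args();` and `optarg = 0;`, a mixed declaration/statement that C89 compilers reject and that the rest of this gengetopt-generated parser presumably avoids (its other locals are not visible in the hunk, so this is inferred). Moving it up with the function's other declarations, as `char *tmp_env_var = NULL;`, keeps the file buildable with the older toolchains the Solaris fixes in CHANGES suggest are still in use. cmdline_parser starts before this hunk and ends after it.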
@@ -165,9 +171,9 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 { NULL, 0, NULL, 0 }
 };
- c = getopt_long (argc, argv, "hVia:u:s:g:G:d:D:H:nvq", long_options, &option_index);
+ c = getopt_long (argc, argv, "hVia:u:s:U:S:g:G:d:D:H:nvq", long_options, &option_index);
 #else
- c = getopt( argc, argv, "hVia:u:s:g:G:d:D:H:nvq" );
+ c = getopt( argc, argv, "hVia:u:s:U:S:g:G:d:D:H:nvq" );
 #endif
 if (c == -1) break; /* Exit from `while (1)' loop. */
@@ -209,7 +215,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 case 'u': /* Username to send to HTTPS proxy for authentication. */
 if (args_info->user_given)
 {
- fprintf (stderr, "%s: `--user' (`-u') option given more than once\n", PACKAGE);
+ fprintf (stderr, "%s: `--user' (`-u') or `--uservar' (`-U') option given more than once\n", PACKAGE);
 clear_args ();
 exit (1);
 }
@@ -217,10 +223,27 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->user_arg = gengetopt_strdup (optarg);
 break;
+ case 'U': /* Env Var with Username to send to HTTPS proxy for authentication. */
+ if (args_info->user_given)
+ {
+ fprintf (stderr, "%s: `--user' (`-u') or `--uservar' (`-U') option given more than once\n", PACKAGE);
+ clear_args ();
+ exit (1);
+ }
+ tmp_env_var = getenv(optarg) ;
+ if (!tmp_env_var) {
+ fprintf (stderr, "%s Invalid environment variable\n", optarg) ;
+ clear_args ();
+ exit (1);
+ }
+ args_info->user_given = 1;
+ args_info->user_arg = gengetopt_strdup (tmp_env_var);
+ break;
+
 case 's': /* Password to send to HTTPS proxy for authentication. */
 if (args_info->pass_given)
 {
- fprintf (stderr, "%s: `--pass' (`-s') option given more than once\n", PACKAGE);
+ fprintf (stderr, "%s: `--pass' (`-s') or `--passvar' (`-S') option given more than once\n", PACKAGE);
 clear_args ();
 exit (1);
 }
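Review bot: The failure message in the new `case 'U'` branch, `fprintf (stderr, "%s Invalid environment variable\n", optarg) ;`, prints the variable name where every other diagnostic in this switch prints PACKAGE followed by a colon, and "invalid" does not tell the user that the variable is simply not set. A wording consistent with the neighbouring messages would be `fprintf (stderr, "%s: environment variable `%s' is not set\n", PACKAGE, optarg);`. Note also that getenv() returns an empty string rather than NULL for a variable that is exported but empty, so an empty username passes the `if (!tmp_env_var)` check; whether that should be rejected depends on the proxy and deserves a comment. The same message is duplicated in the `case 'S'` branch added in the next hunk. cmdline_parser's body continues outside this hunk.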
@@ -228,6 +251,23 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->pass_arg = gengetopt_strdup (optarg);
 break;
+ case 'S': /* Env Var with Password to send to HTTPS proxy for authentication. */
+ if (args_info->pass_given)
+ {
+ fprintf (stderr, "%s: `--pass' (`-s') or `--passvar' (`-S') option given more than once\n", PACKAGE);
+ clear_args ();
+ exit (1);
+ }
+ tmp_env_var = getenv(optarg) ;
+ if (!tmp_env_var) {
+ fprintf (stderr, "%s Invalid environment variable\n", optarg) ;
+ clear_args ();
+ exit (1);
+ }
+ args_info->user_given = 1;
+ args_info->user_arg = gengetopt_strdup (tmp_env_var);
+ break;
+
 case 'g': /* HTTPS Proxy host to connect to. */
 if (args_info->proxyhost_given)
 {
diff --git a/config.h b/config.h
index b9ef81c..691f06e 100755
--- a/config.h
+++ b/config.h
@@ -1,4 +1,4 @@
-/* Proxytunnel - (C) 2001-2002 Jos Visser / Mark Janssen */
+/* Proxytunnel - (C) 2001-2004 Jos Visser / Mark Janssen */
 /* Contact: josv@osp.nl / maniac@maniac.nl */
 /*
@@ -17,7 +17,7 @@
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
-#define VERSION "1.1.4"
+#define VERSION "1.2.0"
 #define PACKAGE "Proxytunnel"
 #define PURPOSE "Build generic tunnels through HTTPS proxies"
 #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) "
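Review bot: The new `case 'S'` branch stores the value it reads from the environment into the username fields, `args_info->user_given = 1;` and `args_info->user_arg = gengetopt_strdup (tmp_env_var);`, so pass_arg is never set and, when -U was given first, the password silently replaces the username (leaking the earlier strdup). The duplicate check a few lines above already tests pass_given, so the intent is clear; the two assignments should read `args_info->pass_given = 1;` and `args_info->pass_arg = gengetopt_strdup (tmp_env_var);`. As written, an invocation like `-U PTUSER -S PTPASS` would send the password to the proxy as the username with no password at all, which defeats the purpose of the "security fix" announced in CHANGES. cmdline_parser starts and ends outside this hunk.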