This allows people to chroot sslh into a path to further harden it.
We have to rework the user logic a bit because we need to look up
the user details *before* we chroot (as we need to read /etc/passwd
files), but do the actual priv dropping *after* we chroot (so we
have permission to make the actual chroot call).
Similarly, we need to open the syslog before we drop privs because
/dev/log won't be available inside the chroot.
When building the source from a checked out tag, eg v1.15, VERSION will
equal v1.15. However, when building from anything other than a tagged
version, you get 'v1.15-4-g50432d5-dirty' meaning I was 4 patches in
front of v1.15, particularly '50432d5' was my current HEAD, and I had
uncommited changes, '-dirty'.
Very useful for folks submitting bug reports on versions they compiled
themselves.
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Corrected OpenVPN probe to support pre-shared secret
mode (OpenVPN port-sharing code is... wrong). Thanks
to Kai Ellinger for help in investigating and
testing.
Added an actual TLS/SSL probe.
Added configurable --on-timeout protocol
specification.
Added a --anyprot protocol probe (equivalent to what
--ssl was).
Makefile respects the user's compiler and CFLAG
choices (falling back to the current values if
undefined), as well as LDFLAGS.
(Michael Palimaka)
Added "After" and "KillMode" to systemd.sslh.service
(Thomas Weischuh).
Added LSB tags to etc.init.d.sslh
(Thomas Varis).
Added support for configuration file.
New protocol probes can be defined using regular
expressions that match the first packet sent by the
client.
sslh now connects timed out connections to the first
configured protocol instead of 'ssh' (just make sure
ssh is the first defined protocol).
sslh now tries protocols in the order in which they
are defined (just make sure sslh is the last defined
protocol).
Fixed calls referring to sockaddr length so they work
with FreeBSD.
Try target addresses in turn until one works if
there are several (e.g. "localhost:22" resolves to
an IPv6 address and an IPv4 address and sshd does
not listen on IPv6).
Fixed sslh-fork so killing the head process kills
the listener processes.
Heavily cleaned up test suite. Added stress test
t_load script. Added coverage (requires lcov).
Support for XMPP (Arnaud Gendre).
Updated README.MacOSX (Aaron Madlon-Kay).
WARNING: Options changed, you'll need to update your
start-up scripts! Log format changed, you'll need to
update log processing scripts!
Now supports IPv6 throughout (both on listening and
forwarding)
Logs now contain IPv6 addresses, local forwarding
address, and resolves names (unless --numeric is
specified).
Introduced long options.
Options -l, -s and -o replaced by their long
counterparts.
Defaults for SSL and SSH options suppressed (it's
legitimate to want to use sslh to mux OpenVPN and
tinc while not caring about SSH nor SSL).
Bind to multiple addresses with multiple -p options.
Support for tinc VPN (experimental).
Numeric logging option.
Changed log format to make it possible to link
connections to subsequent logs from other services.
Updated CentOS init.d script (Andre Krajnik).
Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
propagated to the child process, so we set up signals after
the fork.) (Franois FRITZ)
Added -o "OpenVPN" and OpenVPN probing and support.
Added single-threaded, select(2)-based version.
Added support for "Bold" SSH clients (clients that speak first)
Thanks to Guillaume Ricaud for spotting a regression
bug.
Added -f "foreground" option.
Added test suite. (only tests connexions. No test for libwrap,
setsid, setuid and so on) and corresponding 'make
test' target.
Added README.MacOSX (thanks Aaron Madlon-Kay)
Documented use with proxytunnel and corkscrew in
README.
