user at host fun with stunnel

Matt Best matthew.best at gmail.com
Thu Dec 9 07:53:53 EST 2004


On Thu, 9 Dec 2004 00:02:14 -0500 (EST), Paul-Andrew Joseph Miseiko
<esoteric at teardrop.ca> wrote:
> Not without modifications to the IRCD source code.
> 

I was afraid of that.  I'm thinking of hammering out a small script
that scans the active internet connections and just somehow correlates
that with the ircd.log.

> It is probably a better idea to use a client SSL patch with the IRCD.
> 
> Or you could just consider the "user at internal.ip" a "feature".

Yeah I think I'll just use spoofing.

> 
> ps. don't run stunnel as root.
> 
> -

Thanks for the tip.  I missed that.  I'm starting as user "irc" now.

Thanks again.

Kind regards, 

Matt

> Behind every great man is a great woman...and behind every great woman is some guy staring at her butt!
> 
> 
> 
> On Wed, 8 Dec 2004, Matt Best wrote:
> 
> > Hey again listers,
> >
> > I'm in a bit of an interesting quagmire here.  I use stunnel
> > (http://www.stunnel.org) to offer ircd over SSL to my users.
> >
> > This is my stunnel statement:
> >
> > /usr/sbin/stunnel -r 192.168.0.25:6667 -d 192.168.0.25:8887 -p
> > /etc/ssl/certs/stunnel.pem -o /var/log/stunnel.ext.log
> >
> > This reads as "listen on port 8887 and encrypt all connections to this
> > port, then redirect to port 6667".  The ircd is listening on 6667.   I
> > basically have a standard NAPT gateway in front of the server that
> > redirects port 8887 to 192.168.0.25.
> >
> > The problem with this, is I think it kinda breaks ident.  When a user
> > connects, they are always connected as "root at 192.168.0.25", instead of
> > "user at isp-assigned-ip-address-or-hostname".
> >
> > Can anybody think of a way around this?  I understand this may be
> > beyond the scope of this list.  Any suggestions are appreciated.
> > Thanks.
> >
> > Kind regards,
> >
> > Matt
> >
> >
>


