Re: [Fwd: Socks support in CVS]

[Nicolas Catania]

Hey Mark,

You are right that there are the dante toolkit. There is another one
also part of the Debian linux distribution (can't rememeber the name)
but these seem completely unsupported and non windows friendly. On top
of that you have to deal with all the licencing issues...

Typically these toolkits provide a client lib to socksify applications
and a socks server. While the socks daemon can be complex, the client
side is pretty simple (small code modification).

Like you said, this is a client only modification. Socks v4 is secured
as long as you trust the person inside your firewall. If you don;t and
want to restrict access to external connection then socks v5 is the
solution. 

As a comparaison, you can think that you would have to authenticate
with your web proxy each time you retrieve a web page outside your
firewall (socks v5). Typically, http proxy accept connection from
everyone, similar to sock v4 does at the tcp level.

I think that as far as testing is concerned, I could test for
bad/invalid config files, socks server connectivity problem (listen
but never accept).

Let me know what you decide. I still believe that this would be very
beneficial to the open source community at large.

Thanks

Niko


"Mark D. Baushke" <mdb@cvshome.org>, nicolas.catania@hp.com writes:
 > Hi Nicolas,
 > 
 > Nicolas Catania <nicolas.catania@hp.com> writes:
 > 
 > > Folks,
 > > 
 > > On the socks version:
 > > ====================
 > > True that v5 superseeded v4. Still many companies are still using
 > > v4. V4 does not precludes v5. Typically environemnt variables and
 > > config files are used to switch between the 2.
 > 
 > I am given to understand that v4 and v5 really do not interoperate as
 > such, so I guess it makes sense that users could configure to use one or
 > the other.
 > 
 > > On the implementation:
 > > ======================
 > > There are no free implementation for windows that is really convenient
 > > (free unlimited licence). Linux and other UN*X system use a runsocks
 > > program that intercept calls using dynamic library loading order.
 > 
 > I was under the impression that dante was a free socks v4/v5 implementation.
 > 
 >     http://www.inet.no/dante/
 > 
 > However, it may be that a good port for windows does not exist for that
 > version?
 > 
 > > On the socks v4 non-standard:
 > > ============================
 > > Actually socks v4 became a de-facto standard. After its success, NEC
 > > wanted to make money out of it and published socks v5 with some added
 > > security. The problem is that lazy firewall administrator did not buy
 > > it and most of the time sticked with v4. The authorization management
 > > was something that they were not prepared to deal with.
 > > 
 > > I think that support for socks v4 or v5 would give a greater
 > > flexibility to the cvs client. While SSH is still recommened, I don't
 > > see why we should prevent people to use socks if they wish to (e.g. to
 > > checkout open source repositories).
 > > 
 > > Bottom line is that I have a wroking socks v4 extension to cvs on my
 > > harddrive. I could contribute it. If you want it let me know and I'll
 > > write the documentation for it as well and maybe will write V5 support
 > > as well. If you do not want it, well... I'll keep it.
 > > 
 > > Thanks
 > > 
 > > Niko
 > > 
 > > PS: You can enable/disable my code using --enble-socks at configuration 
 > > time.
 > 
 > Hmmm... I have no strong opinions one way or the other on this right now
 > other than my normal inertia against introducing something that may have
 > negative security implications. 
 > 
 > Just to be clear, it would just be the client that needs to worry about
 > getting thru the firewall, right? If so, I do not see a big problem with
 > adding some kind of socks support in theory. 
 > 
 > Testing it could also be a problem as I personally do not use socks for
 > anything here. How easy is it to test a socks client?
 > 
 >      -- Mark

-- 
Nicolas Catania

Web Services Management Operation
HP Openview Division
+1 408 447-4564
nicolas_catania@hp.com