Archive for the ‘dante’ Category

User based access control for Skype with Dante and FreeBSD 10

Saturday, October 4th, 2014

[20170512/ Another update. It actually came out that the latest Skype (confirmed with 7.36.0.101) does support socks, however there is an issue with the password length used to authenticate to the socks instance. Anything greater than 5 (five) characters fails. I don’t know whether it’s done deliberately, or there is some bug that’s never going to be fixed, but anyway, the workaround is either to use some generic account with the five-or-less-characters password, or disable socks authentication altogether./20170512]

[20170312/ Somewhere around first week of March 2017 (or end of February), Skype started dropping connections from versions 7.1.32.xx and below. When you try to log in, you’ll be presented with the message about outdated version. I’m not aware about any versions after 7.1.32 that support Socks. Despite of numerous bugs opened Socks functionality was never fixed, therefore the content of this article is no longer valid, and you won’t be able to use Skype with Socks. The configuration option is still there, but no connection attempts to the Socks server are made. Perhaps this is how they promote the usage of Skype Business Server./20170312]

Today we’re going to configure Dante running on FreeBSD 10.0-STABLE to allow Skype connectivity based on username/password stored in Active Directory. The version of Dante being used is 1.4.1 installed from ports and Active Directory is handled by Windows Server 2008 R2.

Note: as at the time of writing, the version of Dante available in FreeBSD ports collection is 1.4.0 and it’s marked as BROKEN because of the bug 192295. Use this patch to install 1.4.1.

Install required software:

  1. % cd /usr/ports/security/pam_ldap && make install clean
  2. % cd /usr/ports/net/dante && make install clean

Create /usr/local/etc/pam.d/sockd file:

  1. auth       required /usr/local/lib/pam_ldap.so
  2. account    required /usr/local/lib/pam_ldap.so
  3. password   required /usr/local/lib/pam_ldap.so

Create /usr/local/etc/ldap.conf file and fix permissions:

  1. host 10.9.128.1
  2. base OU=Users,DC=int,DC=domain,DC=org
  3. ldap_version 3
  4. binddn CN=socksd,OU=Users,DC=int,DC=domain,DC=org
  5. bindpw xxxxxxx
  6. pam_filter objectclass=user
  7. pam_login_attribute samaccountname
  1. % chmod 600 /usr/local/etc/ldap.conf

Adjust host, base, binddn and bindpw to reflect your environment.

Modify /usr/local/etc/sockd.conf file:

  1. logoutput: stdout /var/log/dante.log
  2. internal: 10.9.36.10 port = 1080
  3. external: 10.9.36.10
  4.  
  5. socksmethod: pam.username none
  6.  
  7. user.privileged: root
  8. user.unprivileged: nobody
  9. user.libwrap: nobody
  10.  
  11. client pass {
  12.         from: 10.9.128.0/24 port 1024-65535 to: 0.0.0.0/0
  13.         log: error connect disconnect
  14. }
  15.  
  16. socks pass {
  17.         from: 10.9.128.0/24 to: 0.0.0.0/0
  18.         command: connect udpassociate
  19.         socksmethod: pam.username
  20.         log: error connect disconnect iooperation
  21. }
  22.  
  23. socks pass {
  24.         from: 0.0.0.0/0 to: 10.9.128.0/24
  25.         command: udpreply
  26.         log: connect error
  27. }

Modify /etc/rc.conf to start Dante at boot:

  1. # enable dante
  2. sockd_enable="YES"

Configure Skype to use Socks with proxy authentication and check the logs of Dante:

  1. Oct  4 16:45:44 (1412433944.407661) sockd[482]: info: pass(1): tcp/accept [: 10.9.128.47.59574 10.9.36.10.1080
  2. Oct  4 16:45:44 (1412433944.525454) sockd[483]: info: pass(1): udp/udpassociate [: pam.username%usera@0.0.0.0.64526 10.9.36.10.60780
  3. Oct  4 16:45:49 (1412433949.196857) sockd[630]: info: pass(1): tcp/accept [: 10.9.128.47.59578 10.9.36.10.1080
  4. Oct  4 16:45:49 (1412433949.378804) sockd[499]: info: pass(1): tcp/connect [: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033
  5. Oct  4 16:45:49 (1412433949.380925) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (35)
  6. Oct  4 16:45:49 (1412433949.544730) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (63)
  7. Oct  4 16:45:49 (1412433949.548340) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (40)
  8. Oct  4 16:45:49 (1412433949.706747) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (3)
  9. Oct  4 16:45:49 (1412433949.962844) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (144)

Since Dante is quite talkative make sure to rotate logs by editing /etc/newsyslog.conf file:

  1. /var/log/dante.log                      640  3     100  *     JB    /var/run/sockd.pid