A Thumbnail Guide to System Security for Linux: Part III — SSL-Wrapping Services: a Working Example

BY ADAM THORNTON A Thumbnail Guide to System Security for Linux: Part III — SSL-Wrapping Services: A Working Example

ith the aid of a little Linux wizardry, the author demonstrates how to convert a useful but Winsecure service to an equally useful, but far more secure service. By simply inserting a transparent SSL proxy into the data stream of the connection, you can encrypt a service without requiring any modification to the application providing that service.

month, I examined in general terms how to harden multiple folders and allows users to create their own sub- LAST a Linux server; most of folders. Its current revision level is my advice came down to two basic IMAP4rev1. precepts: Do not run services you do POP and IMAP are two Most mail client programs can use not need and avoid protocols (where common mail access either POP or IMAP; traditionally possible) that exchange authentication IMAP is more convenient for the user, information in cleartext. I also briefly services. Each service takes because of its greater flexibility. addressed how to tighten file permis- a set of mail messages and However, due to its complexity, IMAP sions with SuSE’s permissions tool has been regarded as less secure, and controlled from /etc/rc.config. presents that set to a user’s an IMAP server will require more This month, I will examine two mail client program. The resources than a POP server. common Web-based services, IMAP However, in their basic forms, both and POP3, as well as illustrate how to Post Office Protocol (POP) POP and IMAP transmit passwords in use a wrapper program to enable was designed to download cleartext. Although this may be these services to perform their trans- acceptable for use on a trusted LAN, actions over a Secure Sockets Layer mail from a central server it is clearly inappropriate for remote (SSL) channel. to a client machine; the users or in an environment where you cannot know the trustworthiness of all POP AND IMAP revision currently in use is machines on the network (i.e., some known as POP3. university settings where students can POP and IMAP are two common attach their own computers to the mail access services. Each service The Internet Message campus network). takes a set of mail messages and Access Protocol (IMAP) presents that set to a user’s mail client SSL program. The Post Office Protocol is somewhat more (POP) was designed to download mail sophisticated, and really Enter SSL. SSL provides a mecha- from a central server to a client nism for transport-layer encryption. machine; POP3 is the revision cur- represents a protocol for That is, a connection negotiates a key rently in use. The Internet Message working with remote files. exchange, and then all further traffic Access Protocol (IMAP) is somewhat over that connection is encrypted and more sophisticated, and really repre- thus protected from snooping. SSL is sents a protocol for working with remote files: It supports designed to be a drop-in replacement for traditional network

TECHNICAL SUPPORT • MARCH 2002 ©2002 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. FIGURE 1: DIAGRAM OF SSL PROXY PORT SETUP FIGURE 2: UNPACKING THE STUNNEL SOURCE PACKAGE

cd /usr/local/src tar xvfz ~/stunnel-3.22.tar.gz cd stunnel-3.22

FIGURE 3: COMMANDS TO COMPILE AND INSTALL STUNNEL

./configure make make install

There are two commonly available tools under Linux to do this, although, sadly enough, neither tool is available as a base package under SuSE 7.0 GA. This means that you will have to grab one or the other of them and build it from source. The two packages are called stunnel and sslwrap. Of the two, stunnel is a better choice for new installations, as it is actively maintained. It also supports SMTP STARTTLS as a special case, which is a nice bonus. You can download the file from www.stunnel.org/download/ source.html; as of this writing, the current release is 3.22. Please note that it requires an installed OpenSSL library to compile; however, you should have already downloaded the OpenSSL and OpenSSH RPM archives from suse.com. (If you have not downloaded these, you really have not been paying attention to the previous arti- cles in the series, and you should download and install those packages immediately.) connections; that is, you can tunnel any protocol over SSL without Unpack the file into an appropriate directory and change to that changing the protocol’s definition. directory. I use /usr/local/src, and I downloaded the file into root’s This has a huge advantage, as non-SSL-aware applications do not home directory, so the command looks similar to what appears in need to be made SSL-aware, as long as an SSL stage can be placed Figure 2. Next, perform the familiar compilation and installation in front of them. ritual using the commands shown in Figure 3. This presumes that Some protocols provide built-in support for other authentication /usr/local is a reasonable place for the stunnel stuff to reside on mechanisms. For this reason, it can be difficult to use SSL to your system; if not, you can use /configure -prefix=wherever-you- tunnel them. For instance, SMTP supports STARTTLS extensions, want-stunnel-to-go. which allow it to choose whether or not to use SSL encryption in Note that one of the stunnel steps actually creates an x.509 cer- its communication. If you were to attempt to simply put an SSL tificate for the service (see Part I, Technical Support, January tunnel wrapper around SMTP, you would either have to pick a 2002 for more about x.509 certificates). You will be asked ques- non-standard port to do it on, or put a wrapper around port 25. In tions about your site. It is important for you to correctly answer the the former case, unless you set up the mail transport system your- Fully-Qualified Domain Name of your host (FQDN). This is just self, it would not know how to talk to you (thus, precluding anyone what it sounds like: Assuming that your server is correctly config- else’s mail system from sending you mail), and in the latter, no ured, you should enter the output of the “hostname -f” command. unencrypted mail could use your SMTP service. If your site already has a certificate signed by a recognized SSL-wrapping works best when there are defined, distinct ports Certificate Authority (CA), you will want to use that certificate to for the cleartext and encrypted protocols. Therefore, POP and sign stunnel’s certificate. Otherwise, your users will get warning IMAP are good choices: POP3 listens on port 110 and IMAP on messages that the certificate they are using does not have a chain 143, but POP3S and IMAPS, the secure versions, listen on ports of trust terminating in a known CA. What this means is that no rec- 995 and 993, respectively. ognized CA has signed your encryption certificate; therefore, anyone trusting your service is doing so purely on your affirmation INSTALLING AN SSL PROXY that it is what it purports to be. The theory behind CAs is that they will exercise due diligence so that you can be reasonably confident You will need to define a listener to a particular port that provides that a key signed by a recognized CA belongs to the organization the SSL encryption and decryption functions, and then internally that claims to own it. forwards the decrypted stream to the cleartext service. Since the cleartext stream never leaves the machine, it is much safer from SYSTEM CONFIGURATION prying eyes than a simple cleartext service would be. Therefore, your SSL wrapper has to function as a proxy server, whose only job Now you must make a decision about the configuration. It is pos- is to remove encryption on incoming streams and add it on outgo- sible to start stunnel from inetd, but this is not recommended, as ing streams. See Figure 1. you will have to initialize SSL with every connection, and there is

©2002 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. TECHNICAL SUPPORT • MARCH 2002 no saved session state. Thus, it is generally FIGURE 4: COMMANDS LINES TO START STUNNEL IN DAEMON MODE better to start stunnel as a daemon on its own. You will want to do this at boot time stunnel -N imaps -d imaps 993 -l /usr/sbin/imapd imapd stunnel -N pop3s -d pop3s -l /usr/sbin/popper — popper -s by adding the lines in Figure 4 to /etc/rc.d/boot.local. These two lines start FIGURE 5: /ETC/INETD.CONF ENTRIES FOR POP AND IMAP stunnel in daemon mode and connect the local endpoint to the appropriate daemon. pop3 stream tcp nowait root /usr/sbin/tcpd /u sr/sbin/popper -s The -N option allows you to explicitly specify imap stream tcp nowait root /usr/sbin/tcpd imapd a service name, and you can use that feature to differentiate between the cleartext proto- FIGURE 6: ENTRIES IN /ETC/HOSTS.ALLOW TO RESTRICT ACCESS cols and the encrypted protocols in TO UNENCRYPTED POP AND IMAP TO LOCAL NETWORK /etc/hosts.allow. For the -d option to work with service names, rather than port num- ALL: [email protected]/255.0.0.0 popper : [email protected]/255.255.0.0 bers, IMAPS and POP3S must be present in imapd: [email protected]/255.255.0.0 /etc/services, which they are under SuSE pop3s: ALL@ALL 7.0 GA. Because you are running the ser- imaps: ALL@ALL vices directly from stunnel, there is no need FIGURE 7: COMMANDS TO TUNNEL SECURE IMAP AND for a POP or IMAP entry in /etc/inetd.conf. POP LOCAL UNENCRYPTED IMAP AND POP PORTS If you do not want to run the cleartext version of the services, you certainly do not stunnel -N imaps -d imaps -r localhost:imap need entries in inetd.conf. stunnel -N pop3s -d pop3s -r localhost:pop3 A slightly more sophisticated way to start stunnel at boot would be to integrate FIGURE 8: COMMANDS TO TUNNEL SECURE IMAP AND POP REMOTE UNENCRYPTED IMAP AND POP PORTS stunnel into your system runlevel scripts. Under SuSE, the basic outline of the task stunnel -N imaps -d imaps -r vm:imap would be similar to the following: copy stunnel -N pop3s -d pop3s -r vm:pop3 /etc/rc.d/skeleton to /etc/rc.d/stunnel. Then modify /etc/rc.d/stunnel to start the appro- The next two lines in Figure 7 allow any- the Linux host is a separate machine, it is priate daemons listening to ports. Link one from the local network to connect to more reasonable to trust the safety of a net- /etc/rc.d/stunnel into the rc2.d and rc3.d your POP and IMAP daemons. With this work that lives entirely inside your machine subirectories, with names (like S20stunnel setup, you could also let stunnel make a room than the public Internet. and K17stunnel) indicating the order in which connection to the running servers. This is stunnel would be started or stopped relative to slightly easier, but does require the over- OTHER STUNNEL FEATURES other services. Finally, edit /etc/rc.config head of going through the inetd process. It and add a START_STUNNEL=”yes” entry at is not a good idea to have your unencrypted You can configure stunnel to only work if the end. servers on the same machine. However, the a recognized and correct client certificate is Let’s make the configuration more name of the flag, “-r,” and the form of its presented. This provides strong authentica- complex. If you want to allow users on argument might have suggested to you that tion if you want to limit who is allowed to your local network to connect to cleartext this does not have to tunnel SSL services to use your services. A full discussion of client- POP and IMAP daemons, but prevent localhost. These lines would be added to side certificate configuration is far beyond others from accessing the network, then your startup script, /etc/rc.d/stunnel, to exe- the scope of this article, but introductory doc- you would want to add the lines in Figure cute at boot time. umentation can be found at www.stunnel.org/ 5 in /etc/inetd.conf and an entry allowing Let’s change your configuration again. examples/client_cert.html. This will require only local network usage of those ser- Pretend that your POP and IMAP servers you to experiment with the source code. vices in /etc/hosts.allow. If your local live under VM, and that is where you want The examples featured here will make the network is 192.168.0.0/16, you will need to keep them. VM is available on your net- connections appear to the application as if /etc/hosts/allow to contain the lines work at the host name “vm”. Then, you they came from the host on which stunnel is shown in Figure 6. would change your startup scripts to include running. This is not always the desired The first line says, “Anything coming the lines in Figure 8, so they would execute result. Under Linux, at least, stunnel can run from the local host is OK.” Interestingly, the when the system booted. in a true transparent-proxy mode (with the entire 127.0.0.0/8 Class A network is Now it is imperative that you keep all correct kernel modules enabled) so that it defined to be local although almost all traffic secure between the Linux host that is passes the originating host’s IP address to implementations use the single address running stunnel and the VM host. If the the application. 127.0.0.1. Not allowing a machine to talk to Linux host is a guest of VM, this is remark- You can run stunnel in place of ssh as the itself on arbitrary ports tends to lead to ser- ably easy: a point-to-point TCP/IP connection encryption transport for the “poor man’s vices failing in non-obvious ways, which is over IUCV or vCTC works well, or — with VPN.” Of course, since FreeSWAN provides why I always leave local ports open, even z/VM 4.2 — a HiperSockets guest LAN on an actual Open Source IPSec implementation, though it is a slight security exposure. which these are the only two hosts. Even if this may no longer be as useful as it once was.

TECHNICAL SUPPORT • MARCH 2002 ©2002 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. All these examples and more can be found mutt under Unix or Linux, you simply application providing that service. Next at http://www.stunnel.org/examples/; one append “/ssl” to the name of the IMAP serv- month, in the concluding article in this particularly interesting example from the er to check (for instance {imap.foo.exam- series, I will change focus a little and look Enterprise perspective shows how to SSL- ple/ssl}INBOX). Other mail programs have at the Pluggable Authentication Modules wrap Kermit and telnet. It would not take a different conventions, but most clients sup- (PAM) system. PAM gives the system great deal of modification to make this work port SSL-wrapping on at least POP3, and administrator a very flexible and powerful with an SSL-enabled TN3270 client; at that often IMAP, services. set of tools to determine what authentication point, you would get the benefits of a secured Users will find the message that the cer- is required for which services at a site, and VM logon session. Put a small dedicated tificate is untrusted alarming. However, it is enables consolidation of hitherto-separate Linux machine in front of a 2074, and you also correct. If the cost of user education is authentication domains. would have a secure, network-accessible higher than the cost of getting a certificate console for the cost of the Intel hardware and signed by a recognized CA, then you a couple hours of configuration time. should get a site certificate signed by a CA Adam Thornton was first exposed to the that gives you the authority to sign locally S/390 as David Boyes’ junior systems pro- USING CLIENTS WITH created certificates. grammer at Rice University in the early SSL SERVICES 1990s. Since then, he has spent nearly a CONCLUSION decade in the penguin’s clutches, having used The method of specifying that a client Linux since version 0.09. Subsequent to graduate should use an SSL-wrapped service differs With the aid of a little Linux wizardry, I studies at Princeton, he volunteered as system from client to client. Outlook, for example, have demonstrated how to convert a useful administrator for penguinvm.princeton.edu, keeps the information in the “Advanced” tab but insecure service to an equally useful, but Princeton University’s Linux/390 virtual of an Internet Mail setting. For example, on far more secure service. By simply inserting machine. He is a founder and principal engineer the “Incoming Mail” setting, you specify a transparent SSL proxy into the data stream of Sine Nomine Associates. Adam can be con- port 995 and check the checkbox so that it of the connection, you can encrypt a service tacted via email at [email protected]. requires the SSL layer. However, if you use without requiring any modification to the