Skip to main content

A security layer for managing access to external/internal applications

Project description

Socket Gatekeeper

Socket Gatekeeper provides a means of password securing and routing arbitrary sockets.

It listens on a socket and waits for a connection. Upon connection, it sends a 1024-bit RSA public key to the client. The client uses this public key to encrypt the password and sends it back over the wire. That password is hashed using SHA-256 and compared against a provided mapping file. This mapping file specifies where that password is to be routed. Example, giving password “abc” may route to some management info on one port, giving a different password “foo” may route to an information service running somewhere else. Giving a password that is not mapped will result in a terminated connection. There is no information to the client describing what is running where, or that this is even a gatekeeper socket (for security).

You can use Socket Gatekeeper for many tasks:

  • Securing protocols that do not have any inherit security

  • Only opening one port on a machine where several administrative services are running. Admins are given their own unique passwords to acccess the services they require

  • Opening a port to the outside world which then routes using secure passwords to any number of internal services

  • Several others!

Mapping File

The routing provided by the daemon is controlled by a mapping file.

This file is in the format:

sha256sum=Addr:Port

Example, for a password “abc” to route to localhost port 6379, use:

ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad = 127.0.0.1:6379

You can derive a sha256 sum with the following script:

echo -n “your_password_here” | sha256sum | awk {‘print $1’}

You may have multiple passwords lead to the same endpoint, but a single password may only lead to one endpoint.

Starting The Server

Use the provided command “socket-gatekeeperd” to start a gatekeeper daemon.

Required Arguments:

You must provide “–mappings=/path/to/file” (or “-m /path/to/file”) to the mapping file. You must also provide “–bind=addr:port” (or “-b addr:port”) example: 127.0.0.1:50001

Other Arguments:

--client-buffer-len=X

This will use X as the number of bytes transmitted/received at one time to/from the client

--endpoint-buffer-len=X

This will use X as the number of bytes transmitted/received at one time to/from the endpoint

Both buffer arguments default to 4096.

—enable-quit This will intercept the messages “quit” and “exit” and cause them to terminate the connection.

Connecting To The Server

Once you have a server up and running, you can connect to it with the provided “socket-gatekeeper-connect” program. You specify the address and port on which to connect, and it handles the RSA portion, prompts for a password which is not echoed to the screen, and then serves as an in-between to you and the endpoint.

Dependencies

Depends on python 2.7 and ArgumentParser (https://pypi-hypernode.com/pypi/argumentparser) as well as PyCrypto (https://pypi-hypernode.com/pypi/pycrypto)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

socket-gatekeeper-1.2.tar.gz (12.4 kB view details)

Uploaded Source

File details

Details for the file socket-gatekeeper-1.2.tar.gz.

File metadata

File hashes

Hashes for socket-gatekeeper-1.2.tar.gz
Algorithm Hash digest
SHA256 3916d4228d053935b429fb97ab5eed28cecd27d5740823b6e5822fda52bc83f7
MD5 fed0f970b862f647845169bc67c9cccd
BLAKE2b-256 f647b06cacdd8aa914b7fc19f06e6564381218d07729479e9da62e6ab84d1328

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page