Hi Yutaka,

Thanks for your kind and detailed explanation of the credhy/enc/imp concepts.
I tried the first 2 methods with 9.8.1 and 9.7.7-fix1, but it does not work for me on xp sp2.

0. Unencrypted:

* edited dg.cnf to contain:
  MYAUTH=**USERDOMAIN**\\**USERNAME**:**PASSWORD**:http-proxy

* executed:
  "d:\app\delegate\dg.exe" -P**PORT** -r -vt -- SERVER=http PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg" ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22 +=d:\tmp\.dg\dg.cnf

=> everything worked OK

1. Credhy:

* generated random config password: 1a1dd8f59d8d585ca91bffd8f9db50b7

* encrypted config file:
  "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy 1a1dd8f59d8d585ca91bffd8f9db50b7 < dg.cnf > dg.cdh
  KEY = 62201621622B273AB65F44C8597779D45461D4267A8E119BA7576FA82102728ACDFC
  CRC32 = 0xB1004B5D 2969586525

* stored config password in dgauth:
  "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fauth -a config:1a1dd8f59d8d585ca91bffd8f9db50b7 -dgauth@admin
  **** Specify the key of encryption for 'dgauth'
  **** CRYPT=pass:temppwd
  +OK added the auth.
  PATH: d:\tmp\.dg/adm/authorizer/-dgauth@admin/e42d0b5c151e782b46c5374afb07528f
  AUTH: dgauth://config@-dgauth@admin:8787
  PASS: a900f83595ab4c61e25be86188fe355f
  0B0A6EC74A42BFF7FDAD3304C5BD0DFF205F6D8F61425A1DF90D109ADE77958867768790
  44D11B862EEB61FA7E5749
  EXPIRE: 1B

* started delegate:
  "d:\app\delegate\dg.exe" -P**PORT** -r -vt -- SERVER=http PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg" ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22 +=d:\tmp\.dg\dg.cdh
  **** Specify the key of encryption for 'dgauth'
  **** CRYPT=pass:temppwd
  "d:\tmp\.dg/act/pid/**PORT**": kill(2572,SIGTERM) = -1 (0) ** ERROR **
  Config: WindowsNT; FileSize-Bits=64/64,32/32,32; sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread; stty=none; fmem=953/0/2047M; MSC=1400
  DeleGate/9.7.7-fix1 (November 14, 2007)

=> browser connection to proxy timed out:

05/05 13:55:47.36 [2104] 0+0: ... gethostname(**HOSTNAME**)
05/05 13:55:47.36 [2104] 0+0: configuring default RESOLV ...
05/05 13:55:47.36 [2104] 0+0: ... gethostname()='**HOSTNAME**'
05/05 13:55:47.36 [2104] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
05/05 13:55:47.42 [2104] 0+0: ... DNS: **MY_IP** -> **HOSTNAME**.**MY_DOMAIN**
05/05 13:55:47.42 [2104] 0+0: ... DNS available
05/05 13:55:47.42 [2104] 0+0: ... NIS not available (no default domain)
05/05 13:55:47.42 [2104] 0+0: ... export RES_ORDER=CFD
05/05 13:55:47.42 [2104] 0+0: export RESOLV=cache,file,dns (set by default)
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
05/05 13:55:47.43 [2104] 0+0: --INITIALIZATION START-08050513+0100: 9.7.7-fix1 on WindowsNT--
05/05 13:55:47.43 [2104] 0+0: EXECDIR=d:\app\delegate
05/05 13:55:47.43 [2104] 0+0: BINSHELL=/bin/sh
05/05 13:55:47.43 [2104] 0+0: MAXIMA=delegated:64 for small mem=945M
(WIN) 55:47.434 [2104] #### send_file (2104,1)[1876,7] -> 2104[1864,0] (0,Err=87)
(WIN) 55:47.434 [2104] #### file to be sent fd=1 -> 0 8380000 137887744
05/05 13:55:47.51 [2104] 0+0: #### KEY CRYPT=master DUMPED 4B0D8D8C TO d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
05/05 13:55:47.51 [2104] 0+0: #### start a service...
05/05 13:55:47.53 [2104] 0+0: server_open(delegate,:**PORT**,listen=20)
05/05 13:55:47.53 [2104] 0+0: server_open(delegate,:**PORT**) BOUND
05/05 13:55:52.65 [3512] 0+0: ## RES_ORDER=CFD
05/05 13:55:52.67 [3512] 0+0: ... gethostname(**HOSTNAME**)
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
05/05 13:55:52.68 [3512] 0+0: --INITIALIZATION START-08050513+0100: 9.7.7-fix1 on WindowsNT--
05/05 13:55:52.68 [3512] 0+0: EXECDIR=d:\app\delegate
05/05 13:55:52.68 [3512] 0+0: BINSHELL=/bin/sh
05/05 13:55:52.68 [3512] 0+0: MAXIMA=delegated:64 for small mem=946M
05/05 13:55:52.70 [3512] 0+0: server_open(delegate,:**PORT**,listen=20)
05/05 13:55:52.75 [3512] 0+0: server_open(delegate,:**PORT**) BOUND
05/05 13:55:52.75 [3512] 0+0: DGROOT=d:\tmp\.dg^M
05/05 13:55:52.75 [3512] 0+0: <DeleGate/9.7.7-fix1> [3512] -P**PORT** READY^M
05/05 13:55:52.75 [3512] 0+0: PORT= **PORT**/10 (38,148)
05/05 13:55:52.75 [3512] 0+0: OWNER=nobody => OWNER=?/?(?/?)
05/05 13:55:52.76 [3512] 0+0: REMITTABLE = http,https/{80,443},gopher,ftp,wais
05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 0 dglibdgzlib1.dll
05/05 13:55:52.78 [3512] 0+0: --- [d:\app\delegate\dgzlib1.dll]
05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 10000000 d:\app\delegate\dgzlib1.dll
05/05 13:55:52.78 [3512] 0+0: ---- [dgzlib1] loaded 15 syms, unknown=0+0, already=0
05/05 13:55:52.78 [3512] 0+0: +++ loaded Zlib 1.2.3.f-DeleGate-v2
05/05 13:55:52.78 [3512] 0+0: #### gzip/gunzip = dynamically linked
05/05 13:55:52.78 [3512] 0+0: ADMIN=**USERNAME** protocol=http(specialist)
05/05 13:55:52.78 [3512] 0+0: WORKDIR=d:\tmp\.dg/work/**PORT**
05/05 13:55:52.79 [3512] 0+0: MOUNT[0]X[2] /-/builtin/icons/* = default
05/05 13:55:52.79 [3512] 0+0: MOUNT[1]X[3] /-/* = forbidden,from=!.RELIABLE,default
05/05 13:55:52.79 [3512] 0+0: MOUNT[2]X[0] /-* = default
05/05 13:55:52.79 [3512] 0+0: MOUNT[3]X[1] /=* = default
05/05 13:55:52.79 [3512] 0+0: MOUNT[4]=[4] /favicon.ico builtin:icons/ysato/default.ico default,direction=fo,onerror=404,expires=15m
05/05 13:55:52.79 [3512] 0+0: #### stack size limit = FFFFFFFF (-1)
05/05 13:55:52.79 [3512] 0+0: Stay open PIDFILE for accept() lock[fd=14]
05/05 13:55:52.79 [3512] 0+0: StickyReport[15,16]127.0.0.1:1823><127.0.0.1:1824 8192/64512 8192/65536
05/05 13:55:52.79 [3512] 0+0: env[49] LIBPATH=.;C:\WINDOWS\system32;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/etc
05/05 13:55:52.79 [3512] 0+0: arg[1] LIBPATH=.;D:\Tmp\.dg;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/etc
05/05 13:55:52.79 [3512] 0+0: arg[2] RESOLV=cache,file,dns
05/05 13:55:52.79 [3512] 0+0: arg[3] SERVER=http
05/05 13:55:52.79 [3512] 0+0: arg[4] PROXY=**PARENT_PROXY**:**PARENT_PROXY_PORT**
05/05 13:55:52.79 [3512] 0+0: arg[5] DGROOT=d:\tmp\.dg
05/05 13:55:52.79 [3512] 0+0: arg[6] ADMIN=**USERNAME**
05/05 13:55:52.79 [3512] 0+0: arg[7] CACHE=no
05/05 13:55:52.79 [3512] 0+0: arg[8] RES_WAIT=0
05/05 13:55:52.79 [3512] 0+0: arg[9] PERMIT=*:*:-/22
05/05 13:55:52.82 [3512] 0+0: Encrypted with the CRYPT MasterKey: 350->351 ${ETCDIR}/params/${PORT}.cdh
05/05 13:55:52.82 [3512] 0+0: DELEGATE_Modified[1]: 481ef5c8 1209988552
05/05 13:55:52.82 [3512] 0+0: --INITIALIZATION DONE-08050513+0100: 9.7.7-fix1 on WindowsNT--
(WIN) 55:58.184 [3512] spawn() = 380 [2584], children(alive=1/1) 0.047s
05/05 13:55:58.18 [3512] 1+0: spawn() = 380 [2584], children(alive=1/1) 0.047s
05/05 13:56:28.48 [3580] 0+0: PORT> -P**PORT**
05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)
(WIN) 56:28.481 [3580] kill(3512,15) = -1, failed GetExitCodeProcess()
05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)=-1, errno=0
(WIN) 56:28.496 [3580] [672] svc DO_FINALIZE 0 0
(WIN) 56:28.668 [3512] [2276] svc Terminate...
05/05 13:56:28.67 [3512] 1+0: TERMINATE...
05/05 13:56:28.68 [3512] 1+0: #### KEY CRYPT=master DUMPED 4B0D8D8C TO d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
05/05 13:56:28.68 [3512] 1+0: Kill(380,15)
05/05 13:56:28.68 [3512] 1+0: StickyKill(15): 1/1 killed
05/05 13:56:28.68 [3512] 1+0: unlinked d:\tmp\.dg/work/**PORT**/3512
05/05 13:56:28.68 [3512] 1+0: removed d:\tmp\.dg/work/**PORT**/
(WIN) 56:28.684 [3512] wait3(N) = 380 [2584] 0, children(alive=0/1) 0.00s
05/05 13:56:28.68 [3512] 1+0: wait3(N) = 380 [2584] 0, children(alive=0/1) 0.00s
05/05 13:56:28.70 [3512] 1+0: TERMINATED.
05/05 13:56:28.70 [3512] 1+0: AcceptByMain: break on TERMINATE.
05/05 13:56:28.70 [3512] 1+0: main loop break on TERMINATE.
05/05 13:56:28.70 [3512] 1+0: _main() done
05/05 13:56:28.70 [3512] 1+0: SetStatus: STOPPED
(WIN) 56:28.700 [3512] [1980] svc SetStatus: STOPPED
05/05 13:56:28.70 [3512] 1+0: SetStatus: STOP
(WIN) 56:28.700 [3512] [2276] svc SetStatus: STOP
(WIN) 56:28.700 [3512] [1980] svc ExitThread() from ServiceStart()
(WIN) 56:28.700 [3512] [2276] svc start_service() done (1,1,0)
(WIN) 56:28.700 [3512] [2276] svc DO_INITIALIZE -> DO_FINALIZE
(WIN) 56:28.700 [3512] [2276] svc DO_FINALIZE 0 0

* With 9.8.1 I also noticed that the browser request made delegate spawn another dg.exe process, which was not later killed with -Fkill. With 9.7.7-fix1 I cannot reproduce it anymore.

2. Enc:

* encrypted config file:
  "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fenc -ktemppwd < dg.cnf > dg.enc

* started delegate:
  "d:\app\delegate\dg.exe" -P**PORT** -r -vt -- SERVER=http PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg" ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22 +=d:\tmp\.dg\dg.enc
  **** PASSWD=ext:::temppwd
  Config: WindowsNT; FileSize-Bits=64/64,32/32,32; sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread; stty=none; fmem=954/0/2047M; MSC=1400
  DeleGate/9.7.7-fix1 (November 14, 2007)

=> browser immediately reported that it cannot connect to proxy:

05/05 14:05:53.06 [2692] 0+0: ... gethostname(**HOSTNAME**)
05/05 14:05:53.06 [2692] 0+0: configuring default RESOLV ...
05/05 14:05:53.06 [2692] 0+0: ... gethostname()='**HOSTNAME**'
05/05 14:05:53.06 [2692] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
05/05 14:05:53.13 [2692] 0+0: ... DNS: **MY_IP** -> **HOSTNAME**.**MY_DOMAIN**
05/05 14:05:53.13 [2692] 0+0: ... DNS available
05/05 14:05:53.13 [2692] 0+0: ... NIS not available (no default domain)
05/05 14:05:53.13 [2692] 0+0: ... export RES_ORDER=CFD
05/05 14:05:53.13 [2692] 0+0: export RESOLV=cache,file,dns (set by default)
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
05/05 14:05:53.13 [2692] 0+0: --INITIALIZATION START-08050514+0100: 9.7.7-fix1 on WindowsNT--
05/05 14:05:53.13 [2692] 0+0: EXECDIR=d:\app\delegate
05/05 14:05:53.13 [2692] 0+0: BINSHELL=/bin/sh
05/05 14:05:53.13 [2692] 0+0: MAXIMA=delegated:64 for small mem=955M
(WIN) 05:53.141 [2692] #### send_file (2692,1)[1880,7] -> 2692[1896,0] (0,Err=87)
(WIN) 05:53.141 [2692] #### file to be sent fd=1 -> 0 A840000 176422912
05/05 14:05:53.22 [2692] 0+0: CRC ERROR 0 FFFFFFB0
05/05 14:05:53.22 [2692] 0+0: #### KEY PASSWD=ext DUMPED 61E46143 TO /var/tmp/authorizer/6ca8a167c094fa1d8952965a912a2c63/save/-dgauth
05/05 14:05:53.22 [2692] 0+0: #### start a service...
05/05 14:05:53.23 [2692] 0+0: server_open(delegate,:**PORT**,listen=20)
05/05 14:05:53.23 [2692] 0+0: server_open(delegate,:**PORT**) BOUND

Could you kindly look at it and see if I'm doing anything wrong?

Thanks,
Jan

-----Original Message-----
From: Yutaka Sato [mailto:pficabdyi-mykgh42yj6tw.ml@delegate.org]
Sent: Thursday, April 24, 2008 10:34 AM
To: pficabdyi-mykgh42yj6tw.ml@delegate.org
Cc: Killian, Jan
Subject: parameter encryption with -Fenc (Re: Delegate - encrypted .cdh config on win xp)

Jan,

In message <_A3961@delegate-en.ML_> on 04/24/08(16:23:34) I wrote:
|
|Then I encrypt the config:
|
|> "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy testpwd < dg.conf > dg.cdh
...
|
|**** Specify the key of encryption for 'dgauth'
|
|**** CRYPT=pass:testpwd
|
|Here you need to specify the "MasterKey" for the repository of passwords
|into which your "testpwd", the passphrase for encryption of configuration
|parameters, is stored. And your passphrase needs to have been stored into
|the repository as follows, encrypted with a specified MasterKey:
|
| > dg.exe DGROOT=d:/tmp/.dg -Fauth -a config:testpwd -dgauth@admin
| **** Specify the key of encryption for 'dgauth'
| **** CRYPT=pass:MasterKey
|
|See <URL:http://www.delegate.org/delegate/Manual.htm?EncryptedConf> for
|more details.

I should have said that the encryption of configuration parameters by "-Fcredhy" (introduced at DeleGate/9.0.1) was a very tentative one without the ability to verify the integrity of the decrypted data (with CRC or MD5 or so). Thus it generates broken data if a given key for decryption is not equal to the one at the encryption, as shown in your case.

I added another way of encryption at DeleGate/9.4.0 by "-Fenc" which is simpler (without password repository) and safer (with integrity check). You can use it as follows:

a) to see the usage

  > dg.exe -Fenc
  Usage: -Fenc [-kKey] [infile] [-o outfile] [-a arg1 arg2 ...]

b) generate an encrypted parameter

  > dg.exe -Fenc -ktestpwd -a MYAUTH=user:pass ADMIN=foo@bar
  +=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:

  (this "+=enc:ext::...:" is an encrypted representation of "MYAUTH=user:pass ADMIN=foo@bar" with the encryption key "testpwd")

c) use the encrypted parameter

  > dg.exe -v -P9999 +=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==: SERVER=http ...
  **** PASSWD=ext:::testpwd

A few more tips:

1) encryption
  > dg.exe -Fenc -ktestpwd < conf > conf.enc

2) decryption
  > dg.exe -Fdec -ktestpwd < conf.enc > conf

3a) substitution (asking for the password interactively)
  > dg.exe +=conf.enc
  **** PASSWD=ext:::testpwd

3b) substitution giving the password
  > dg.exe +=conf.enc PASSWD=ext:::testpwd

3c) substitution without an external file for configuration
  > dg.exe +=enc:ext::1bt. ............. :"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <pfqcabdyi-mykgh42yj6tw.ml@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
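The point Yutaka makes above, that -Fcredhy has no integrity check (a wrong key silently yields broken parameters) while -Fenc carries a CRC so a wrong key is detected (the "CRC ERROR" line in Jan's second log), can be shown in miniature with the following Python. It is an added illustration, not DeleGate's code or file format: it uses a constructed SHA-256 counter-mode keystream, a constructed sample parameter line and a fixed nonce, and a CRC only catches a wrong key or accidental corruption, not deliberate tampering, which needs a MAC or an AEAD.

```python
import hashlib
import zlib
NONCE_LEN = 8

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 over (key, nonce, counter), counter-mode style.
    # Constructed for illustration only, not DeleGate's cipher.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_no_check(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    # "credhy-style": the ciphertext carries no integrity tag at all.
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def decrypt_no_check(key: bytes, blob: bytes) -> bytes:
    # Any key "works": a wrong key silently yields broken data, no error.
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))

def encrypt_checked(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    # "enc-style": a CRC32 of the plaintext is encrypted with it, so it only verifies under the right key.
    tag = zlib.crc32(plaintext).to_bytes(4, "big")
    return encrypt_no_check(key, plaintext + tag, nonce)

def decrypt_checked(key: bytes, blob: bytes) -> bytes:
    tagged = decrypt_no_check(key, blob)
    body, tag = tagged[:-4], tagged[-4:]
    if zlib.crc32(body).to_bytes(4, "big") != tag:
        raise ValueError("CRC ERROR: wrong key or corrupted data")
    return body

def demo() -> tuple:
    # Constructed sample parameter line and a fixed nonce for reproducibility.
    conf = b"MYAUTH=user:pass ADMIN=foo@bar\n"
    nonce = b"\x00" * NONCE_LEN
    right, wrong = b"testpwd", b"temppwd"
    garbage = decrypt_no_check(wrong, encrypt_no_check(right, conf, nonce))
    ok = decrypt_checked(right, encrypt_checked(right, conf, nonce))
    try:
        decrypt_checked(wrong, encrypt_checked(right, conf, nonce))
        detected = False
    except ValueError:
        detected = True
    return garbage != conf, ok == conf, detected
```

demo() returns (True, True, True): the unchecked variant hands back garbage without complaint, the checked variant round-trips under the right key and raises under the wrong one.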