VMSport

A fork is used to eat soup on VMS. In the provided termio.h it has been defined to point to a dummy function that always returns zero, so that code following a fork call takes the child branch. To make sure that child branch is the one that gets executed, the asdaemon variable in main.c has been set to 0 when compiled on VMS. termio and syslog are also not available on VMS, and workarounds have been created: termio is largely ignored, and syslog has been rudimentarily implemented so that output is written to CNTLMHOME:CNTLM_nodename.LOG and optionally also sent as an OPCOM message.

Files

Three executables are produced: CNTLM.EXE, CNTLM_STOP.EXE and START_DETACHED.EXE. CNTLM.EXE is the actual proxy. START_DETACHED.EXE enables a user with CMKRNL, SYSPRV and IMPERSONATE privileges to start a detached process under another account. CNTLM_STOP.EXE sends a SIGHUP signal to a running cntlm process; this does not work across cluster nodes. CNTLM_STOP.C and START_DETACHED.C contain the sources of the last two executables.

Five command procedures are provided, CNTLM_INSTALL.COM, CNTLM_STARTUP.COM, CNTLM_SHUTDOWN.COM, MAKEVMS.COM and CNTLM_MAKEKIT.COM.

Six header files are provided, most importantly CONFIG.H, which contains some build options and missing defines and typedefs. STDINT.H includes INTTYPES.H. SYSLOG.H is a copy of a Linux syslog.h and includes the function prototypes for openlog, syslog and closelog, all implemented in IMITATE_SYSLOG.C. TERMIOS.H defines fork to the dummy function described above, implements a rudimentary termios structure, and defines fnmatch as a wrapper function around decc$match_wild in IMITATE_SYSLOG.C. SELECT.H and FNMATCH.H are empty.

IMITATE_SYSLOG.C contains the stub implementations of the fork, fnmatch, syslog and OPCOM functions.

CNTLM.HLP and VMSPORT.HLP contain the CNTLM documentation and these VMS port notes in HELP format. They can be added to a help library by

  $ append vmsport.hlp cntlm.hlp ! ignore warning
  $ library/insert/help libraryname.HLB cntlm.hlp ! if creating a new library, replace insert by create

Converting manpages can be done by the quick and dirty man2help tool, available on http://peut.org/man2help/

Differences to original sources

In file socket.c, the test of which errno values really indicate a failure (line 238) has been extended to include EWOULDBLOCK. On Linux EAGAIN and EWOULDBLOCK share one value, but the VMS C RTL defines them separately, so both have to be tested:
  For VMS:
    return (i == 0 || (i == -1 && errno != EWOULDBLOCK && errno != EAGAIN && errno != ENOENT));
  Original:
    return (i == 0 || (i == -1 && errno != EAGAIN && errno != ENOENT));
In file ntlm.c (line 82) %ld has been changed to %Ld, the DEC C length modifier for 64-bit integers, to correctly print the 64-bit timestamp:
  For VMS:
    printf("NTLMv2:\n\t    Nonce: %s\n\tTimestamp: %Ld\n", tmp, tw);
  Original:
    printf("NTLMv2:\n\t    Nonce: %s\n\tTimestamp: %ld\n", tmp, tw);
In file main.c several changes have been made. Parsing NoProxy didn't work, apparently mainly caused by omitting braces; the braces have been added and addr is cast to char * before it is passed to fnmatch (around lines 295-303):
  For VMS:
    if (list->aux && strlen(list->aux) && fnmatch(list->aux, (char *)addr, 0) == 0) {
            if (debug) printf("MATCH: %s (%s)\n", addr, (char *)list->aux);
            return 1;
    } else {
            if (debug) printf("   NO: %s (%s)\n", addr, (char *)list->aux);
    }
  Original:
    if (list->aux && strlen(list->aux)
                    && fnmatch(list->aux, addr, 0) == 0) {
            if (debug)
                    printf("MATCH: %s (%s)\n", addr, (char *)list->aux);
            return 1;
    } else if (debug)
            printf("   NO: %s (%s)\n", addr, (char *)list->aux);
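As an added example (not code from the cntlm sources or from this port), the NoProxy check that the main.c change above fixes, written stand-alone together with a small parser for the comma-separated NoProxy value from cntlm.conf. The struct noproxy_entry type, the function names and the sample NoProxy value and host names are all assumptions made for this example; cntlm keeps the pattern in list->aux, and on VMS fnmatch is the decc$match_wild wrapper, whereas this example uses POSIX fnmatch():

```c
/* Added example, not part of the cntlm sources or the VMS port: a stand-alone
 * version of the NoProxy check whose main.c change is quoted above, together
 * with a parser for the comma-separated NoProxy value from cntlm.conf. It uses
 * POSIX fnmatch(); the VMS port wraps decc$match_wild instead. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical list node; cntlm itself keeps the pattern in list->aux. */
struct noproxy_entry {
    char *pattern;
    struct noproxy_entry *next;
};

/* Split "localhost, 127.0.0.*, 10.*" into trimmed patterns, skipping empty
 * items. Returns NULL (matches nothing) for an empty value. */
struct noproxy_entry *noproxy_parse(const char *value)
{
    struct noproxy_entry *head = NULL, *tail = NULL, *e;
    const char *p = value, *start, *end;

    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;   /* skip separators */
        if (!*p) break;
        start = p;
        while (*p && *p != ',') p++;
        end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;  /* trim */
        e = malloc(sizeof *e);
        if (!e || !(e->pattern = malloc((size_t)(end - start) + 1))) abort();
        memcpy(e->pattern, start, (size_t)(end - start));
        e->pattern[end - start] = '\0';
        e->next = NULL;
        if (tail) tail->next = e; else head = e;
        tail = e;
    }
    return head;
}

/* The fixed loop from main.c: 1 if addr matches any pattern (connect direct),
 * 0 if it matches none (send the request through the NTLM proxy). */
int noproxy_match(const struct noproxy_entry *list, const char *addr, int debug)
{
    for (; list; list = list->next) {
        if (list->pattern && strlen(list->pattern)
                && fnmatch(list->pattern, addr, 0) == 0) {
            if (debug) printf("MATCH: %s (%s)\n", addr, list->pattern);
            return 1;
        } else {
            if (debug) printf("   NO: %s (%s)\n", addr, list->pattern);
        }
    }
    return 0;
}

int noproxy_count(const struct noproxy_entry *list)
{
    int n = 0;
    for (; list; list = list->next) n++;
    return n;
}

void noproxy_free(struct noproxy_entry *list)
{
    while (list) {
        struct noproxy_entry *next = list->next;
        free(list->pattern);
        free(list);
        list = next;
    }
}

/* Convenience: parse a NoProxy value, test one host against it, free. */
int noproxy_check(const char *value, const char *addr)
{
    struct noproxy_entry *np = noproxy_parse(value);
    int hit = noproxy_match(np, addr, 0);
    noproxy_free(np);
    return hit;
}

int main(void)
{
    /* Constructed NoProxy value and host names, not from any real config. */
    const char *noproxy = "localhost, 127.0.0.*, 10.*, *.example.com";
    const char *hosts[] = { "localhost", "10.1.2.3", "intranet.example.com",
                            "example.com", "10example.com", "sourceforge.net" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s -> %s\n", hosts[i],
               noproxy_check(noproxy, hosts[i]) ? "direct" : "via NTLM proxy");
    return 0;
}
```

Because the match is a plain glob against the string the client asked for, "*.example.com" does not cover "example.com" itself, and an address pattern such as "10.*" does not cover the same host requested by name; list every form you intend to exempt from the NTLM proxy.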
The asdaemon variable defaults to 0 on VMS, i.e. running as a daemon has been disabled (line 716):
  #ifdef __VMS
          asdaemon = 0;
  #endif

Building

@MAKEVMS in the subdirectory [.vms] should build all executables.

Installing

@CNTLM_INSTALL.COM creates the user CNTLM_PROXY, asks where to create the cntlm directory, creates it, copies CNTLM_RUN.COM, the two executables and the template configuration file CNTLM.CONF to this directory, and applies ACLs and protections to these files. It advises to define the system logical CNTLMHOME in SYSTARTUP_VMS.COM to point to this directory; without this logical cntlm will not run.

CNTLM_STARTUP.COM and CNTLM_SHUTDOWN.COM are copied to SYS$COMMON:[SYSMGR]

Installing on Alpha can be done with the product tool. The kit is built by CNTLM_MAKEKIT.COM.

Configuration

CNTLMHOME:cntlm.conf needs to be edited to contain at least the address of the NTLM proxy to use and either the username/password or the proper NTLM hash. Consult the CNTLM docs on how to obtain this hash. Be careful, though: using the -M option caused my proxy to lock my user account.

The safest setup is to let CNTLM listen on localhost only, so it cannot function as a gateway for other hosts. See the Gateway description.

Local hosts, or hosts on your intranet, should not be proxied to the NTLM proxy. Use the NoProxy option in cntlm.conf for them.

In CNTLMHOME:CNTLM_RUN.COM the symbol CNTLM_OPCOM can be set to a comma-separated list of OPCOM classes to send these messages to, like

  cntlm_opcom = "OPER2,NETWORK,SECURITY"

If neither the symbol nor a logical exists, or CNTLM_OPCOM is empty or does not contain valid OPCOM classes, no OPCOM messages are sent.

Also, the cntlm command can be provided with extra switches, if needed. Consult the CNTLM docs or cntlm -h for options.

Note that CNTLM_RUN.COM is defined as the LGICMD for the CNTLM_PROXY user. As the restricted flag is set, and the user has external access disabled, no privileges and no write access to its own configuration, it should not open up too big a hole in system security.

N.B. No attempt has been made to define quota for user CNTLM_PROXY. Normal default quota should suffice, but this depends on your system and your load. More is usually better.

Running

CNTLM can be started by @sys$startup:cntlm_startup. A detached process called cntlm_NODENAME is created. Output is written to CNTLMHOME:CNTLM_nodename.log.

The proxy can be stopped by @sys$startup:cntlm_shutdown.com.

Testing

Curl can be used to test the proxy. Curl interprets various environment variables, one of which is ALL_PROXY:
  $ ALL_PROXY = "localhost:3128"
  $ curl http://sourceforge.net/apps/mediawiki/cntlm/index.php?title=Main_Page
This should show you the main page of the cntlm project.

N.B. For hosts defined as NoProxy the proxy only passes HTTP(S); no other protocol is relayed to them, as this feature is not implemented in CNTLM.

If it doesn't work, you have probably done something wrong. Stop worrying and check the log file and the configuration file. Then start thinking again.

Ported_by

Jose Baars, August 2012

Thanks to Jim Duff and Philippe Vouters for putting online their VMS source examples. Thanks to John Wallace's remark on c.o.v. for inspiring this port.