RSH.PROXY(1) RSH.PROXY(1)
NAME
rsh.proxy - rsh proxy server
SYNOPSIS
rsh.proxy [options] [server]
DESCRIPTION
rsh.proxy is a proxy server for the rsh, rlogin and rexec
protocols. It supports client-side server selection,
access control, X and VNC forwarding.
rsh.proxy must be started from a TCP superserver like
inetd(1) or tcpproxy(1). It can't bind to a TCP/IP port
on its own.
Server Selection
If client-side server selection is turned on, the user must
select the server he wants to use with the `@' notation.
Instead of specifying the real rsh server, the user
connects to the gateway machine where rsh.proxy is running
with the remote user name
remote-user@remote-server
In situations where the `@' doesn't work, the percent sign
`%' may be used instead.
Access Control
If an access control program (acp) is given with the -a
option on the command line, the connection data is passed
to the acp before the server is contacted. The acp should
return exit code 0 to grant access and any other value to
deny it.
The access controller receives the following variables:
PROXY_INTERFACE, PROXY_PORT
interface and port where the client is connected to
the proxy.
PROXY_CLIENT, PROXY_CLIENTNAME, PROXY_CLIENTLOGIN
IP number, name of the connected client and user
login on the client.
PROXY_SERVER, PROXY_SERVERPORT, PROXY_SERVERNAME
IP number, port and name of the rsh server the
client wants to contact.
PROXY_SERVERLOGIN
the supplied username for the rsh server.
PROXY_SERVERCMD
request command.
PROXY_USERNAME, PROXY_PASSWD
supplied username and password for usage of the
proxy server.
The values for PROXY_USERNAME and PROXY_PASSWD are taken
from the supplied remote username and password if they
contain a colon `:'. In this case the local authentication
data is taken from the left side of the colon and the
remaining right side is passed on to the server.
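The following is an added example, not code from rsh.proxy itself, that shows how the names a client supplies are taken apart under the Server Selection rules above (`@' or `%' selects the server) and the colon rule just described (the left side authenticates to the proxy, the right side goes to the server). Two details the page leaves open are assumed here and marked in the comments: the colon is split off before the server selection is parsed, and the last `@'/`%' in the name is the separator.

```python
SEPARATORS = "@%"


def split_selection(remote_user, remote_passwd=""):
    """Split the user name and password the client supplied into the
    pieces rsh.proxy distinguishes. Returns a dict with proxy_user,
    proxy_passwd, server_user, server_passwd and server; a part the
    client did not supply is None."""
    proxy_user = proxy_passwd = None
    # Colon rule: the left side of the colon authenticates to the proxy,
    # the right side is passed on to the server. Splitting at the first
    # colon, before the server selection is parsed, is an assumption.
    if ":" in remote_user:
        proxy_user, remote_user = remote_user.split(":", 1)
    if ":" in remote_passwd:
        proxy_passwd, remote_passwd = remote_passwd.split(":", 1)
    # Client-side server selection: user@server, or user%server where `@'
    # cannot be typed. Taking the last separator (an assumption) lets a
    # user name that itself contains one of them still work.
    server = None
    cut = max(remote_user.rfind(sep) for sep in SEPARATORS)
    if 0 < cut < len(remote_user) - 1:
        remote_user, server = remote_user[:cut], remote_user[cut + 1:]
    return {
        "proxy_user": proxy_user,
        "proxy_passwd": proxy_passwd,
        "server_user": remote_user,
        "server_passwd": remote_passwd or None,
        "server": server,
    }


if __name__ == "__main__":
    # Constructed input: proxy user "alice", server user "joe".
    print(split_selection("alice:joe@db1.internal.example", "ap:jp"))
```

With rsh there is no password at all, so only the user name carries the proxy credentials; with rexec (port 512) the password is split the same way.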
Furthermore, the acp's stdout is connected to the rsh
client and its stderr is read by rsh.proxy, which writes
the acp's stderr output to syslog. Notice that to signal
an error (e.g. missing permissions) the first byte that is
sent to the client must be the character `0x01'.
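An added example of an access control program, written for this page and not shipped with rsh.proxy: it reads the PROXY_* variables listed above, exits 0 to grant and 1 to deny, writes the 0x01 byte to stdout on denial and the reason to stderr for syslog. The allowed server patterns, the denied client network, the proxy users and their password digests are all constructed for the example; the optional prefix argument mirrors the -v option.

```python
#!/usr/bin/env python3
"""Hypothetical access control program (acp) for rsh.proxy, started via
"-a /path/to/this/script". The policy below is constructed for the
example and is not part of rsh.proxy."""
import fnmatch
import hashlib
import hmac
import os
import sys

# Constructed policy: servers reachable through the proxy at all. The
# patterns use the same `*' and `?' wildcards as the -s option.
ALLOWED_SERVERS = ["*.internal.example", "build-??.lab.example"]

# Constructed policy: client address prefixes that are always refused.
DENIED_CLIENT_PREFIXES = ["10.99."]

# Constructed policy: proxy users, the SHA-256 of their password and the
# servers each may reach. A real deployment would keep the digests in a
# file readable only by the user rsh.proxy runs as.
PROXY_USERS = {
    "alice": (hashlib.sha256(b"alice-pass").hexdigest(), ["*"]),
    "bob": (hashlib.sha256(b"bob-pass").hexdigest(), ["build-??.lab.example"]),
}


def server_allowed(name, patterns):
    """True if the server name matches one of the wildcard patterns."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def password_ok(user, passwd):
    """Constant-time comparison of the supplied password's digest."""
    digest = hashlib.sha256(passwd.encode()).hexdigest()
    return hmac.compare_digest(digest, PROXY_USERS[user][0])


def decide(env, prefix="PROXY_"):
    """Return (granted, reason) for the connection described by env.
    prefix mirrors the -v option, which renames the PROXY_ variables."""
    def var(name):
        return env.get(prefix + name, "")

    client, user = var("CLIENT"), var("USERNAME")
    server = var("SERVERNAME") or var("SERVER")

    if any(client.startswith(p) for p in DENIED_CLIENT_PREFIXES):
        return False, "client %s is in a denied network" % client
    # PROXY_USERNAME/PROXY_PASSWD are only set when the client used the
    # colon notation; without them the variables are empty and we deny.
    if user not in PROXY_USERS or not password_ok(user, var("PASSWD")):
        return False, "bad proxy credentials from %s (use proxyuser:remoteuser)" % client
    if not server_allowed(server, ALLOWED_SERVERS):
        return False, "server %s is not reachable through this proxy" % server
    if not server_allowed(server, PROXY_USERS[user][1]):
        return False, "proxy user %s may not reach %s" % (user, server)
    return True, "granted %s@%s -> %s@%s" % (
        var("CLIENTLOGIN"), client, var("SERVERLOGIN"), server)


def main():
    granted, reason = decide(os.environ)
    # stderr is collected by rsh.proxy and written to syslog.
    sys.stderr.write(reason + "\n")
    if not granted:
        # A leading 0x01 byte on stdout tells the rsh client an error follows.
        sys.stdout.buffer.write(b"\x01" + reason.encode() + b"\n")
        sys.stdout.buffer.flush()
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Keep the denial text short and free of the server name or credentials if the gateway fronts hosts the client should not learn about; everything written to stdout reaches the client, while the full reason can still go to stderr and thus syslog.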
Protocol Selection
rsh.proxy does automatic protocol selection depending on
its server port. If started on port 512 the rexec protocol
is used, rlogin on port 513 and rsh on any other port.
Notice that the syslog name changes with the protocol.
X Forwarding
When started with the -x option, rsh.proxy is able to
forward X streams. It analyses the command for the string
`-display' followed by a valid `[<host>]:<display>'. If
such a sequence is found, rsh.proxy opens a proxy display,
replaces the display setting in the command line with its
own and forwards an incoming X stream to the client's
display.
Don't forget to enable the proxy server with xhost on the
client.
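As an added example (not rsh.proxy's own code, whose matching rules are not specified beyond the description above), the command-line rewrite the X forwarding hack performs: find `-display' followed by `[<host>]:<display>', swap in the proxy's own display, and work out the client-side endpoint the X stream must be sent back to. The pattern and the sample commands are constructed; the rule that X display N is reached on TCP port 6000 + N is the usual X11 convention.

```python
import re

# "-display" followed by [host]:display[.screen]; the host part may be
# empty. Constructed for this example. The lookbehind keeps "--display"
# or "nodisplay" from matching.
DISPLAY_RE = re.compile(r"(?<![\w-])-display\s+([\w.-]*:\d+(?:\.\d+)?)")


def find_display(cmd):
    """Return the display named after -display in cmd, or None."""
    m = DISPLAY_RE.search(cmd)
    return m.group(1) if m else None


def rewrite_display(cmd, proxy_display):
    """Replace the client's display in cmd with the proxy display.
    Returns (new command, client display) or (cmd, None) when the
    command carries no -display argument to forward."""
    m = DISPLAY_RE.search(cmd)
    if not m:
        return cmd, None
    return cmd[:m.start(1)] + proxy_display + cmd[m.end(1):], m.group(1)


def display_endpoint(display, default_host):
    """TCP endpoint of an X display: its host and port 6000 + number.
    An empty host (":0") means the connecting client's own machine, so
    the caller passes the client address as default_host."""
    host, _, rest = display.rpartition(":")
    number = int(rest.split(".")[0])  # drop the ".screen" suffix
    return (host or default_host, 6000 + number)


if __name__ == "__main__":
    # Constructed request: the command as received from the rsh client.
    cmd = "xterm -display client.example:0.0 -e sh"
    new_cmd, client_display = rewrite_display(cmd, "gateway.example:10")
    print(new_cmd)
    print(display_endpoint(client_display, "192.0.2.5"))
```

The -xx form limits this rewrite to the listed commands; a forwarder that applies it to every command gives any client with rsh access a path back to arbitrary hosts named in -display, which is why restricting the program list is the safer setting.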
VNC Forwarding
rsh.proxy does VNC (RFB protocol) forwarding similar to X
forwarding. If a VNC starter command is detected,
rsh.proxy tries to detect the desired VNC display and sets
up the proxy display. rsh.proxy generates an additional
output line stating the proxy display and its port.
Notice two things: First, the rsh server is responsible for
starting the VNC server if it is not already running.
Second, the connection to the VNC server is initiated from
the client, and the VNC starter program might terminate
before the VNC connection is established. The termination
of the rsh server program (the VNC starter in this case)
would usually terminate all communication channels,
including the VNC forwarding. Because of this, rsh.proxy
gives the client an additional 30 seconds (can be changed
with the -z option) to make the connection to the VNC
server after the actual rsh connection has been closed.
OPTIONS
The following options are available:
-a acp specify an access control program that grants or
denies access via rsh.proxy.
-d enter debug mode, the communication between server
and client is written to stderr.
-e enable client-side server selection. With this
option the server argument isn't accepted.
-l logname
specify an explicit program name for syslog
messages instead of the auto-computed one.
-n no client name lookup is done; the PROXY_CLIENTNAME
variable contains the IP number, just like PROXY_CLIENT.
-s list
the server selected by the client must match one of
the patterns from the comma-separated list. The
wildcards `*' and `?' can be used.
-t timeout
specify a different timeout in seconds than the
default of 1800 (30 minutes).
-v prefix
set prefix as the variable prefix for the variables
passed to the access control program.
-x | -xx program-list
enable the X forwarding hack. If the -x option is
given twice, rsh.proxy expects a comma-separated
list of commands to which X forwarding should be
applied.
-y program-list
enable the VNC forwarding hack. The program-list
is a comma-separated list of commands to which VNC
forwarding should be applied.
-z timeout
wait timeout seconds (default is 30) after the rsh
connection has been closed for the forwarded
connection (either X or VNC) to become established.
SEE ALSO
inetd(1), tcpproxy(1).
07 NOVEMBER 1999 RSH.PROXY(1)