Internet Security Professional Reference: How to Build a Firewall


Configuring the rlogin Gateway

The rlogin proxy provides a service similar to the telnet proxy, with the exception that access is provided through the rlogin service rather than telnet. Typically, access to the firewall using rlogin would not be allowed because of the large number of problems that can occur. Consequently, the only access to the firewall host is through telnet.

Regardless, there are requirements that justify the need for an rlogin proxy service. For example, the rlogin service supports additional authentication rules that allow a connection to be granted without the user logging in as telnet requires. The process of configuring the rlogin-gw rules is similar to that for the tn-gw application; both support the same options. The rules that are available for the rlogin-gw service are listed and explained in table 6.6.

Table 6.6  rlogin-gw Rules and Clauses

  userid user
      Specifies a numeric user id or the name of a password file entry. If this value is specified, tn-gw will set its user id before providing service.

  directory pathname
      Specifies a directory to which tn-gw will chroot(2) prior to providing service.

  prompt string
      Specifies a prompt for tn-gw to use while it is in command mode.

  denial-msg filename
      Specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. If this option is not set, a default message is generated.

  timeout seconds
      Specifies the number of seconds the system remains idle before the proxy disconnects. Default is no timeout.

  welcome-msg filename
      Specifies the name of a file to display as a welcome banner after the system successfully connects. If this option is not set, a default message is generated.

  help-msg filename
      Specifies the name of a file to display if the "help" command is issued. If this option is not set, a list of the internal commands is printed.

  denydest-msg filename
      Specifies the name of a file to display if a user attempts to connect to a remote server from which he or she is restricted. If this option is not set, a default message is generated.

  authserver hostname [ portnumber [ cipherkey ]]
      Specifies the name or address of a system to use for network authentication. If tn-gw is built with a compiled-in value for the server and port, these will be used as defaults but can be overridden if specified on this line. If support exists for DES-encryption of traffic in the server, an optional cipherkey can be provided to secure communication with the server.

  hosts host-pattern [ host-pattern2... ] [ options ]
      Specifies host and access permissions.

To illustrate the use of these rules to configure the rlogin-gw service, examine these sample rules from the netperm-table file:

rlogin-gw:    denial-msg      /usr/local/etc/rlogin-deny.txt
rlogin-gw:    welcome-msg     /usr/local/etc/rlogin-welcome.txt
rlogin-gw:    help-msg        /usr/local/etc/rlogin-help.txt
rlogin-gw:    denydest-msg    /usr/local/etc/rlogin-dest.txt
rlogin-gw:    timeout 3600
rlogin-gw:    prompt "Enter Command>"
rlogin-gw:    permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw:    deny-hosts * -dest 204.191.3.150


Note:  If any of the files identified in the denial-msg, welcome-msg, help-msg, or denydest-msg clauses are missing, the connection will be dropped as soon as a request is made for that file.
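To make the permit-hosts/deny-hosts evaluation concrete, here is an added example (it is neither FWTK code nor from the book) that parses rlogin-gw rules in the netperm-table format above and decides whether a given source host may connect to a given destination. The first-match ordering, the handling of -dest lists, and the meaning of a leading "!" are my assumptions about how the proxy evaluates these clauses, and the rule text is a constructed sample taken from the rules shown above.

```python
from fnmatch import fnmatchcase
# Constructed sample: the rlogin-gw access rules from the netperm-table shown above.
NETPERM_TABLE = """
rlogin-gw:    timeout 3600
rlogin-gw:    permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw:    deny-hosts * -dest 204.191.3.150
"""

def parse_rules(text, app="rlogin-gw"):
    """Return the permit-hosts/deny-hosts rules for one proxy, in file order."""
    rules = []
    for line in text.splitlines():
        name, _, rest = line.split("#", 1)[0].partition(":")   # drop comments, split app name
        words = rest.split()
        if name.strip() != app or not words or words[0] not in ("permit-hosts", "deny-hosts"):
            continue                                  # other proxy, or a non-access clause
        rule = {"action": words[0], "hosts": [], "dests": [], "flags": []}
        i = 1
        while i < len(words):                         # scan option words left to right
            if words[i] == "-dest":                   # '-dest pattern'; leading '!' negates
                rule["dests"].append(words[i + 1])
                i += 1
            elif words[i][0] == "-":                  # -passok, -xok and similar flags
                rule["flags"].append(words[i])
            else:                                     # a source host pattern
                rule["hosts"].append(words[i])
            i += 1
        rules.append(rule)
    return rules

def match_list(patterns, value):
    """First matching pattern wins: True, or False if it was '!'-negated; None if none match."""
    for pat in patterns:
        if fnmatchcase(value, pat.lstrip("!")):
            return not pat.startswith("!")
    return None

def decide(rules, src, dest):
    """Assumed semantics: the first rule whose host pattern matches src decides; permit-hosts
    then needs an allowing -dest match, and deny-hosts with -dest covers only those dests."""
    for rule in rules:
        if match_list(rule["hosts"], src) is not True:
            continue                                  # rule is about other source hosts
        hit = not rule["dests"] or match_list(rule["dests"], dest)   # no -dest list: any dest
        if rule["action"] == "permit-hosts":
            return "permit" if hit else "deny"
        if hit:
            return "deny"                             # deny-hosts: falls through for other dests
    return "deny"                                     # nothing matched: default deny
```

With these rules a 204.191.3.x host reaches *.fonorola.net but is refused fox.nstn.ca (the restricted-host case shown below), and any other source is refused everywhere.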

These rules are virtually identical to the rules used to configure the tn-gw. One exception is that the rlogin-gw is configured to display a different message when a connection request is made for a restricted host. The following output shows the different message for rlogin:

pc# rlogin pc
Welcome to the URG Firewall Rlogin Proxy

Supported commands are
        c[onnect] hostname [port]
        x-gw
        help
        password
        exit

To report problems, please contact Network Security Services at 555-1212
or by e-mail at security@org.com

Enter Command>c fox.nstn.ca

*** ATTENTION ***

You have attempted to contact a restricted host from this rlogin proxy.
Your attempt has been recorded.

To report problems, please contact Network Security Services at 555-1212
or by e-mail at security@org.com

Enter Command>

Now that the proxy configuration is finished, you can move on to establishing a connection.

Connecting Through the rlogin Proxy

Connecting through the rlogin proxy requires a process similar to the telnet proxy. A connection is first established with the firewall host, and then the user requests a connection to the remote host. The commands supported by the rlogin proxy are the same as for the telnet proxy. The following output illustrates a successful connection to a remote host using the rlogin proxy:

pc.unilabs.org$ rlogin pc
Welcome to the URG Firewall Rlogin Proxy

Supported commands are
        c[onnect] hostname [port]
        x-gw
        help
        password
        exit

To report problems, please contact Network Security Services at 555-1212
or by e-mail at security@org.com

Enter Command>c nds.fonorola.net
Trying chrish@204.191.124.252…
Password:
Last login: Sun Oct  8 20:33:26 from pc.unilabs.org
SunOS Release 4.1.4 (GENERIC) #1: Wed Sep 13 19:50:02 EDT 1995
You have mail.
bash$

The user enters the name of the host he or she wants to connect to by using the c[onnect] command followed by the hostname. Before the connection request is made, the local username is added to the left of the requested hostname. Consequently,

    nds.fonorola.net

becomes

    chrish@nds.fonorola.net

Establishing the rlogin session to the remote host is then a matter of how the service is configured on that host. Remember that the name or IP address of the gateway must be in the remote host's rhosts file, because the gateway is the machine the connection comes from, not the real originating host.
