Synopsis
tn-gw [invoked from inetd]
Description
tn-gw provides pass-through telnet proxy services with logging and access control. When tn-gw is invoked from inetd, it reads its configuration and checks to see if the system that has just connected is permitted to use the proxy. If not, tn-gw shuts down the connection, displays a message, and logs the connection. If the peer is permitted to use the proxy, tn-gw enters a command loop in which it waits for a user to specify:
■ The system he or she wants to connect to
■ The X-gateway he or she wants to invoke
c[onnect] hostname [port]
Connects to a host.
sol-> telnet otter Trying 192.33.112.117 ...
Connected to otter.
Escape character is ‘^]’.
otter telnet proxy (Version V1.0) ready:
tn-gw-> help Valid commands are:
connect hostname [port]
x-gw [display]
help/?
quit/exit tn-gw-> c hilo
HP-UX hilo A.09.01 A 9000/710 (ttys1) login: Remote server has closed connection Connection closed by foreign host.
sol->
Because of limitations in some telnet clients, options negotiation may possibly fail; such an event will cause characters not to echo when typed to the tn-gw command interpreter.
x-gw [display/hostname]
The x-gw option invokes the x-gateway for connection service to the user’s display. The default display (without the argument) is the connecting hostname followed by port number 0.0.
Options
tn-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, where it retrieves the rules specified for “tn-gw.” The following configura-tion rules are recognized:
userid user
This option specifies a numeric user-id or the name of a password file entry. If this value is specified in-gw will set its user-id before providing service. Note that this option is included mostly for completeness; tn-gw performs no local operations that are likely to introduce a security hole.
directory pathname
directory specifies a directory to which tn-gw will chroot(2) prior to providing service.
prompt string
The prompt option specifies a prompt for tn-gw to use while it is in command mode.
denial-msg filename
denial-msg specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. If this option is not set, a default message is generated.
timeout seconds
The timeout option specifies the number of seconds the system should remain idel before it disconnects the proxy. Default is no timeout.
welcome-msg filename
welcome specifies the name of a file to display as a welcome banner after a successful connec-tion. If this option is not set, a default message is generated.
help-msg filename
The help option specifies the name of a file to display if the “help” command is issued. If this option is not set, a list of internal commands is printed.
denydest-msg filename
The denydest-msg option specifies the name of a file to display if a user attempts to connect to a restricted remote server. If this option is not set, a default message is generated.
authserver hostname [portnumber [cipherkey]]
The authserver option specifies the name or address of a system to use for network authentica-tion. If tn-gw is built with a compiled-in value for the server and port, these values will be used as defaults but can be overridden if specified as above with the authserver clause. If the server supports DES-encryption of traffic, an optional cipherkey can be provided to secure communi-cations with the server.
hosts host-pattern [host-pattern2 ... ] [ options]
The hosts rules specify host and access permissions. Typically, a hosts rule will be in the form of:
tn-gw: deny-hosts unknown
tn-gw: hosts 192.33.112.* 192.94.214.*
Several host patterns may follow the “hosts” keyword; the last pattern appears right before the optional parameter, which begins with “-”. Optional parameters include:
-dest pattern
-dest pattern1 pattern2 ...
-dest specifies a list of valid destinations. If no list is specified, all destinations are considered valid. The -dest list is processed in the order it appears on the options line. -dest entries preceded with a “!” character are treated as negation entries. For example, the following rule permits hosts that are not in the domain “mit.edu” to be connected.
-dest !*.mit.edu -dest * -auth
The -auth option specifies that the proxy should require a user to authenticate with a valid userid prior to being permitted to use the gateway.
-passok
The -passok option specifies that the proxy should permit users to change their passwords if they are connected by the designated host. Only hosts on a trusted network should be allowed to change passwords, unless token-type authenticators are distributed to all users.
Installation
To install tn-gw place the executable in a system area, then modify inetd.conf to reflect the appropriate executable path. The telnet proxy must be installed on the telnet port (port 23) to function properly. This is because many client-side implementations of the telnetd command disable options processing unless they are connected to port 23. In some installations this may cause a dilemma.
In a conventional firewall, where the proxy server is running on a system that does not support user access, one solution is to install tn-gw on the telnet port, and to install telnetd on another port so that the systems administrator still can access the machine. Another option is to permit
rlogind to run with netacl protecting it so that only a small number of administrative machines can even attempt to log in. Verify installation by attempting a connection, and monitoring the system logs.