RSH.PROXY(1)                                         RSH.PROXY(1)


NAME
       rsh.proxy - rsh proxy server

SYNOPSIS
       rsh.proxy [options] [server]

DESCRIPTION
       rsh.proxy is a proxy server for the rsh, rlogin and rexec
       protocols.  It supports client-side server selection,
       access control, and X and VNC forwarding.

       rsh.proxy must be started from a TCP superserver like
       inetd(1) or multiproxy(1).  It can't bind to a TCP/IP port
       on its own.

   Server Selection
       If client-side server selection is turned on the user must
       select the server he wants to use with the `@' notation.
       Instead of specifying the real rsh server the user connects
       to the gateway machine where rsh.proxy is running and gives
       the remote user name as

            remote-user@remote-server

       In situations where the `@' doesn't work the percent sign
       `%' can be used instead.

   Access Control
       If an access control program (acp) is given with the -a
       option on the command line the connection data is passed to
       the acp before the server is contacted.  The acp should
       return 0 as exit code to grant access and another value to
       deny.

       The access controller receives the following variables:

       PROXY_INTERFACE, PROXY_PORT
              interface and port where the client is connected to
              the proxy.

       PROXY_CLIENT, PROXY_CLIENTNAME, PROXY_CLIENTLOGIN
              IP  number,  name  of the connected client and user
              login on the client.

       PROXY_SERVER, PROXY_SERVERPORT, PROXY_SERVERNAME
              IP number, port and name  of  the  rsh  server  the
              client wants to contact.

       PROXY_SERVERLOGIN
              the supplied username for the rsh server.

       PROXY_SERVERCMD
              requested command.

       PROXY_USERNAME, PROXY_PASSWD
              supplied  username  and  password  for usage of the
              proxy server.

       The values for PROXY_USERNAME and PROXY_PASSWD are taken
       from the supplied remote username and password if they
       contain a colon `:'.  In this case the local authentication
       data is taken from the left side of the colon and the
       remaining right side is passed on to the server.

       Furthermore the acp's stdout is connected to the rsh
       client and its stderr is read by rsh.proxy, which writes
       the acp's stderr output to syslog.  Notice that to signal
       an error (e.g. missing permissions) the first byte that is
       sent to the client must be the character `0x01'.
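
       The following acp sketch is an added example, not part of the
       rsh.proxy distribution.  It follows the contract described above
       and assumes the default PROXY_ variable names; the allowlists and
       the install name rsh-acp are constructed for illustration.

```shell
#!/bin/sh
# Added example acp for "rsh.proxy -a"; not part of the rsh.proxy distribution.
# Assumes the default PROXY_ variable names listed above (no -v prefix).
# The allowlists are constructed sample values.
ALLOWED_SERVERS="build01.example.com build02.example.com"
ALLOWED_CLIENT_NET="192.0.2."

# Client-supplied strings end up in syslog: keep only harmless characters.
clean() { printf '%s' "$1" | tr -c 'A-Za-z0-9@._:-' '?'; }

# deny REASON: the reason goes to stderr (rsh.proxy writes it to syslog), the
# client gets the 0x01 error byte and a generic message on stdout.
# PROXY_PASSWD is deliberately never logged.
deny() {
    echo "denied ($1): client=$(clean "${PROXY_CLIENT:-}")" \
         "login=$(clean "${PROXY_CLIENTLOGIN:-}")" \
         "server=$(clean "${PROXY_SERVERNAME:-}")" \
         "as=$(clean "${PROXY_SERVERLOGIN:-}")" >&2
    printf '\001Permission denied.\n'
}

# acp_check: return 0 to grant, non-zero to deny; fails closed on missing data.
acp_check() {
    if [ -z "${PROXY_CLIENT:-}" ] || [ -z "${PROXY_SERVERNAME:-}" ] ||
       [ -z "${PROXY_SERVERLOGIN:-}" ]; then
        deny "incomplete connection data"; return 1
    fi
    case "$PROXY_CLIENT" in
        "$ALLOWED_CLIENT_NET"*) ;;
        *) deny "client address not allowed"; return 1 ;;
    esac
    if [ "$PROXY_SERVERLOGIN" = root ]; then
        deny "root login refused"; return 1
    fi
    for s in $ALLOWED_SERVERS; do
        if [ "$PROXY_SERVERNAME" = "$s" ]; then return 0; fi
    done
    deny "server not in allowlist"; return 1
}

# Run the check only when installed under the (hypothetical) name rsh-acp.
case "${0##*/}" in
    rsh-acp) acp_check; exit $? ;;
esac
```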

   Protocol Selection
       rsh.proxy does automatic protocol selection depending on
       its server port.  If started on port 512 the rexec protocol
       is used, rlogin on port 513 and rsh on any other port.
       Notice that the syslog name changes with the protocol.

   X Forwarding
       When started with the -x option rsh.proxy is able to forward
       X streams.  It analyses the command for the string
       `-display' followed by a valid `[<host>]:<display>'.  If
       such a sequence is found rsh.proxy opens a proxy display,
       replaces the display setting in the command line with its
       own and forwards an incoming X stream to the client's
       display.
       Don't forget to enable the proxy server with xhost on the
       client.

   VNC Forwarding
       rsh.proxy does VNC (RFB protocol) forwarding similar to X
       forwarding.  If a VNC starter command is detected
       rsh.proxy tries to detect the desired VNC display and sets
       up the proxy display.  rsh.proxy generates an additional
       output line stating the proxy display and its port.

       Notice two things: First, the rsh server is responsible for
       starting the VNC server if it is not already running.
       Second, the connection to the VNC server is initiated from
       the client and the VNC starter program might terminate
       before the VNC connection is made.  The termination of the
       rsh server program (the VNC starter in this case) would
       usually terminate all communication channels, including
       the VNC forwarding.  Because of this rsh.proxy gives the
       client an additional 30 seconds (can be changed with the -z
       option) to make the connection to the VNC server after the
       actual rsh connection has been closed.

OPTIONS
       The following options are available:

       -a acp
              specify an access control program that grants or
              denies access via rsh.proxy.

       -d     enter debug mode, the communication between  server
              and client is written to stderr.

       -e     enable  client-side  server  selection.   With this
              option the server argument isn't accepted.

       -l logname
              specify an explicit program name for syslog messages
              instead of the auto-computed one.

       -n     no client name lookup is done, the PROXY_CLIENTNAME
              variable contains the IP number just like PROXY_CLIENT.

       -s list
              the server selected by the client must match one of
              the patterns from the comma-separated list.  The
              wildcards `*' and `?' can be used.

       -t timeout
              specify  a  different  timeout  in seconds than the
              default of 1800 (30 minutes).

       -v prefix
              set prefix as variable prefix for the variables
              passed to the access control program.

       -x | -xx program-list
              enable the X forwarding hack.  If the -x option is
              given twice rsh.proxy expects a comma-separated
              list of commands to which X forwarding should be
              applied.

       -y program-list
              enable the VNC forwarding hack.  The program-list
              is a comma-separated list of commands to which VNC
              forwarding should be applied.

       -z timeout
              wait timeout seconds (default is 30) after the rsh
              connection has been closed for the forwarded
              connection (either X or VNC) to become established.


SEE ALSO
       inetd(1), multiproxy(1).

