-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrshd.msg
103 lines (80 loc) · 4.24 KB
/
rshd.msg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
I have tried to implement an RSHD using NVTs also. I ended up with
the same technique that MRC suggested, RSHD just listens for a connect
and verifies that it comes from a 'secure' port (<1024.) on a host we
have a name for, and then CRJOBs a job loaded with "RSHSRV", creates
an NVT and ATACHes the two.
Problem;
Since we have not read any data we don't know who to log in as.
Solution;
I added a bit CR%LWP to CRJOB (Login Without Password), this sets a
bit in the SYSFK word of the created fork.
Problem 2;
Some huge number of useful things under TOPS-20 are not programs but
EXEC commands.. So you hack up your EXEC to read one command from the
RSCAN buffer and then quit when entered in a new entry vector
position.
Problem 3;
Ok so you have this running, everything looks fine -- but you notice
that when a BSD user types "rsh twenex foo", they get output, then you
see a logout message, and the connection hangs.
So, you have RSHSRV detach and LGOUT when the hacked EXEC returns.
Fix this, you still hang, the job never detaches.
Well, you see TVTs are expected to talk TELNET protocol. DTACH does a
DOBE, which sends a TELNET mark-time command, to which RSHD does not
know how to respond. (You might have noticed that TVT-SMTP jobs hung
for the same reason).
Cure; have DOBE on a TVT be a NOOP.
Now the job logs out cleanly, but you STILL hang on your UNIX system.
This may simply be a misfeature of the BSD RSH program, it doesn't
expect anyone to implement RSH for a system that can not 'half close'
a connection.
But wait, just try to write something that transfers large amounts of
data, say 'RCP' or 'RMT' BINARY DATA... You will find that TVT thruput
is well, awful, and you will lose data espcially anything containing
IAC.
Problem N.1;
You want to write an RSH for tops-20 do you? Well RSH is
a secure protocol, and depends on the fact that only SuperUser can
open a connection with a local port of <1024. Any connection with a
remote local port of <1024. is to be trusted, and when the data says
the remote user name is "foo" it is to be believed.
So you can either; leave the monitor the way it came (only ports <512
protected), or add a new magic bit in SYSFK. If we have just done an
execute only GET% we look at the FDB of the EXE file, if it has a
special (priv'ed) bit lit, we light the SYSFK bit, and the fork is
ENCHANTED. This bit is checked at the same places (several) that
check for WOPR on a TCP open.
Problem N.2;
The RSH protocol (and this is used by BSD rsh), specifies that the
first data item is a foreign port (or zero) for sending back data from
the forks stderr, in fact the rsh will wait for a connect on that port
until it proceeds. This connection must originate from a secure port
.. so that the RSHSRV must be created with pre-login WOPR, or be
enchanted (note since enchanted-ness is not a capability it is never
inherited by children).
TOPS-20 only checks local ports for uniqueness within a job, BSD never
creates the same local port twice. For a reason that escapes me (but
has to do with the STDERR connection), this causes problems. OK,
remove that code too. Whew!! FTP continues to work.
--
Moral, Or how I would try to do it next if I had the strength;
First and foremost this proves that Un*x software and concepts are
completely transportable... between any two Un*x systems :-)
a) Have RSHD listen for connects, process the data and drop a PTY
connect a job logged into whoever we please and just pass the data.
Feature; require NO monitor changes. 'Bit nasty to have the process
in between handling all the data for all the RSHs.
b) Create a not logged in job loaded with RSHSRV, CJ%LWP set, and
either WOPR or enchanted. Does a passive listen for RSH connects.
When a connect is received, either spawn a another like us, or notify
an authority via IPCF to do so (DEC DTRSRV (datatrieve) and the new
RMSFAL do just this). RSHSRV then reads and validates the data,
creates the error pipe if needed, and LOGs in. Get a PTY, and assign
it as controlling for an EXEC, and ferry data back and forth between
the PTY and the TCP connection. This avoids having on central octopus
hacking the PTYs.
Good Guys RSH
0 34359738367
I wrote all my code using the UTAH PCC-20 compiler, you're welcome to it!!
Philip Budne
Boston University / Distributed Systems