Date: Fri, 30 Jun 1995 09:13:58 -0400
>Date: Thu, 29 Jun 1995 21:38:19 EDT
>From: Jeff Kell <[log in to unmask]>
>Subject: Re: telnet/internet and avoiding HELLOs (2)
<snip>
>
>>From Guy Smith: "Try Eric Schubert's NQTELNET"
<snip>
>>The best method however, and this wasn't from the list (sorry all), was
>>the following: The firewall box we are purchasing is a HP9000. Telnet
>>into the HP9000 and have the firewall send a vt3k command with the HELLO
>>command passed.
>
Jeff says:
>Granted this will work, and you have the "firewall" controlling the login
>if you wish (passing the hello string in either case).
Eric replies:
------------
Like I stated in my reply, NQtelnet is not the actual server we run - it's
pieces of it made to work as a single package on the 3k - accounting for its
"weirdness".
Our "real" server follows along the lines of the previous reply - the HP
9000 firewall idea EXCEPT we use a Sun w/AFS telnetd login. AFS is a
distributed file system which means that your files _follow_ you to any
local host that is an AFS client on the network (and yes: it can be a
location anywhere on the _entire_ INTERNET!).
Any networked host that is an AFS client will allow you to login and all
logins/passwords are managed under _one_ authentication server (we have
something like 15,000 AFS logins).
When we contact the HP from the Sun "firewall", the HP server does a logon
in the following format:
HELLO <afsuserid>,HPUSER.HPACCOUNT...etc
Software, like BiTECH accounting systems can recognize the "jobname" as a
valid user. So, nobody on the 'net knows an HP logon and they connect to a
public server. We have a "bouncer" for unauthorized <afsuserid> at the HP
server connection.
The only problem with proxy telnet to the 3k is that all telnetd() command
sequences must be "picked up" and translated back to the 3k host _and_ the
reverse. I never ran HP versions of 9k telnetd - 3k. I'm assuming HP took
care of this little problem - maybe not.
For example, I issue IAC BREAK to telnetd on the 9k (or Sun), will this
pass through to the 3k? and cause BREAK to happen?
If I issue "set echo off or fcontrol" on the 3k - will that trigger the
telnet negotiations to suppress echo on the telnetd 9k (or Sun) server?
Similar problems occur for other control codes. I'll be glad to hear any
feedback from _actual_ users of the 9k to 3k firewall concept. I'm _really_
interested in how it really works! (if at all).
----------------------------------------------------------------
Eric J Schubert Senior Data Base Analyst
Admin Information Services Univ of Notre Dame, IN USA
(219) 631-7306 http://www.nd.edu/~eschuber
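
An added illustration, not part of the message above and not code from HP, Sun or NQTELNET: before a telnet relay can forward or translate sequences such as IAC BREAK or an ECHO negotiation, it has to separate RFC 854 command sequences from user data on each leg, including sequences split across reads. The function name, event tuples and sample bytes are constructed for this example.

```python
# Added example: split a telnet byte stream into data and command events (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
COMMANDS = {241: "NOP", 243: "BRK", 244: "IP", 245: "AO", 246: "AYT"}
ECHO = 1  # option code for ECHO (RFC 857)


def split_telnet(buf: bytes):
    """Return (events, leftover); leftover is an incomplete trailing
    sequence the relay must prepend to the next read from the socket."""
    events, data, i, n = [], bytearray(), 0, len(buf)

    def flush():
        if data:
            events.append(("data", bytes(data)))
            data.clear()

    while i < n:
        if buf[i] != IAC:                  # ordinary user data
            data.append(buf[i])
            i += 1
            continue
        if i + 1 >= n:                     # lone IAC at end of read
            break
        cmd = buf[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:           # IAC WILL/WONT/DO/DONT <option>
            if i + 2 >= n:
                break
            flush()
            events.append(("negotiate", NEGOTIATION[cmd], buf[i + 2]))
            i += 3
        elif cmd == SB:                    # IAC SB <option> ... IAC SE
            j = i + 3
            while j + 1 < n and not (buf[j] == IAC and buf[j + 1] == SE):
                j += 2 if buf[j] == IAC else 1   # step over escaped IAC pairs
            if j + 1 >= n:
                break                      # terminator not received yet
            flush()
            payload = bytes(buf[i + 3:j]).replace(b"\xff\xff", b"\xff")
            events.append(("subneg", buf[i + 2], payload))
            i = j + 2
        else:                              # two-byte command such as IAC BRK
            flush()
            events.append(("command", COMMANDS.get(cmd, cmd)))
            i += 2
    flush()
    return events, bytes(buf[i:])
```

A relay would run this on each direction and map every non-data event to whatever the other side understands, rather than copying bytes blindly.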