Table of Contents
RLogin Gateway
The Synchronet RLogin module (exec/rlogin.js
) is used to create an outbound proxy gateway connection between a Synchronet Terminal Server user and a remote server using the BSD Rlogin protocol (1282) over TCP (traditionally, TCP port 513). The BBS user can be connected to the host BBS using any supported terminal protocol (Telnet, RLogin, or SSH).
RLogin is often used to connect BBS users to “door game servers” because of the protocol's ability to transparently pass the login-ID of the user as part of the initial connection establishment. If the door game server recognizes the user's credentials, it can automatically authenticate the user and in some cases immediately launch a specific door game of interest.
Protocol
Only the initial RLogin connection establishment is supported; the other RLogin protocol features (“cooked mode”, out-of-band sequences, e.g. Window size) are not supported.
Binary Data
Unlike Telnet, there is no “binary mode” option that can be negotiated, so some characters (e.g keystrokes) sent from the remote user will always be interpreted on the host BBS and not sent to the remote server. This means that binary data transfers (e.g. file transfers) through an RLogin gateway may not always work as expected.
Telgate
The RLogin module is just a thin script that calls the Synchronet JavaScript bbs.rlogin_gate()
method which in turn is just a thin wrapper function around the Synchronet C++ telnet_gate()
function. Although this function was originally created for creating proxy gateways using the Telnet protocol, it was later enhanced to also support the RLogin protocol, but was not renamed. So the Synchronet internal Telnet Gateway (telgate) functionality is utilized to create RLogin gateway connections as well.
Menu
While the gateway is connected, the BBS user can use the Ctrl-]
key sequence to display a host-BBS menu to perform specific functions, like:
- Disconnect from the remote server
- Toggle local echo off/on
- List users on the host BBS
- Send a private message to another user on the host BBS
Note: If the TG_CTRLKEYS
mode flag is specified on the rlogin.js
command-line, then the host BBS's global control key commands (e.g. ^P, ^U, ^T, etc.) will also be captured and handled by the host BBS and not sent to the remote server.
Usage
The RLogin module is normally executed via a command-line configured in SCFG, often as an “External Program”. By convention, JavaScript modules are executed from the Synchronet Terminal Server by starting the command-line with a question mark (?
) symbol. An asterisk (*
) prefix will also work, but will fallback to execute the old exec/rlogin.bin
if the rlogin.js
file is absent.
Command-line
The RLogin module accepts command-line arguments to control its behavior when invoked. The command-line syntax is:
?rlogin <address>[:port] [options]
Where:
<address>
is the IPv4 address or host name to connect to[:port]
is the optional TCP port number to connect to (default is513
)[options]
are one or more of the following options:
Option | Value | Description |
---|---|---|
-c | client-name | Client-side username to include in the RLogin negotiation (default is current user's alias) |
-s | server-name | Server-side username to include in the RLogin negotiation (default is current user's real name) |
-t | terminal-type | Terminal type/speed (or “xtrn=doorcode” to auto-exec door on server) |
-T | connect-timeout-seconds | Connection timeout (default: 10 seconds) |
-m | telnet-gateway-mode | Set of one or more telgate mode flags (TG_* ) separated by pipe (| ) symbols (default is 0 ) |
-p | none | Send current user alias and password as server-name and client-name values, as expected by a Synchronet RLogin Server |
-h | [pepper] | Send current user alias and hashed user-password as server-name and client-name values, optionally applying the specified pepper (e.g. server name) to the hashed value |
-H | password | Send current user alias and specified hashed-password as server and client-name |
-q | none | Don't display banner or pause prompt (be quiet) |
-v | none | Display remote host name/address/port in messages |
-P | none | Don't pause for user key-press before connection attempt |
-C | none | Don't clear screen after successful session |
Required option values may immediately following the option flag or as be provided as the next argument on the command-line (separate by white-space). Optional option values must immediately follow the option flag.
The legacy command-line syntax which did not use option flags to specify optional arguments is still supported, though deprecated.
Connection
The RLogin protocol allows the client to pass 3 strings to the server during connection establishment. These 3 strings defined by the protocol specification are, in order:
- client-user-name
- server-user-name
- terminal-type
By default, the Synchronet telnet gateway sends the following values for the RLogin connection strings:
- User's alias
- User's real name
- Users' terminal type/speed (e.g. “ANSI/30000”)
If you wish to reverse the order of the first 2 strings sent, pass the TG_RLOGINSWAP
mode flag on the rlogin.js
command-line.
Auto-Login
For automated logins, the Synchronet RLogin Server requires the client-user-name to be a valid user password, and the server-user-name to be a valid user ID (e.g. alias) which corresponds with the password.
Other RLogin servers (e.g. door game servers) may have different requirements for automated logins (e.g. no password).
Hashed Passwords
Hashed passwords can be used to securely authenticate the local BBS user with the remote RLogin server without leaking the user's local password.
In some use cases, the RLogin server may be expected store/remember the sent client-user-name as a password for subsequent connection authentication (e.g. when a Synchronet RLogin server is used as a public Game Server).
The -h
command-line option (an alternative to the -p
option) can be used to obfuscate the user's password that is sent to the potentially third-party RLogin server via 128-bit secure hashing algorithm (SHA-1), while still creating a unique, cryptographically secure password.
The user's password, user number, and account creation date are used to generate the password hash, so changing any of these values will change the resulting hashed password sent (and presumably logged/stored) on the server. The resulting SHA-1 hash is sent as 40 hexadecimal digits.
Included in the hashed parameters are so-called salt and pepper (strings of characters) to help insure that the a user with the same number, password, and creation date on another BBS won't generate the same hash value that is sent to the RLogin server (allowing a malicious server to identify users with same passwords).
The -H
command-line option (an alternative to the -h
option) uses a command-line supplied password (i.e. by the sysop) rather than the local user's password, to generate the password hash. This option allows a BBS to uniquely identify and authenticate users to an external RLogin server without using the user's local password, so subsequent changes to the user's password will not invalidate the RLogin credentials. If the Rlogin gateway is used to connect to multiple 3rd party RLogin servers, a different password value should be provided by the sysop for each RLogin server in order to prevent potential password hash duplication/reuse among systems. Passwords hashed with this option include salt but not pepper as the sysop-provided password already provides the function of “pepper”.
Salt
The default hashed password salt is the system's QWK-ID, but the sysop can specify their own salt (e.g. random number or secret passphrase) via the “salt” key described below. Changing your system's QWK-ID or the configured salt value will change the resulting password hash for all users.
Pepper
To insure that a different hash is generated for use on different RLogin servers, a sysop may include server-unique data (so called “pepper”) immediately after the -h
option on the rlogin
command-line.
When multiple 3rd party RLogin servers are being connected to with hashed passwords, it is recommended to include a different pepper value for each RLogin server, e.g. -hSEVERNAME
.
Including pepper allows server-unique hashes so that if one BBS auto-registers/authenticates its users with *multiple* RLogin servers, the credentials stored any one of the RLogin servers may not be used to authenticate on the others.
Configure
The default RLogin Gateway option values and display messages can be over-ridden by creating/editing key in the [rlogin]
section of your ctrl/modopts.ini
file or the root section of your ctrl/modopts/rlogin.ini
file. If neither the [rlogin]
modopts.ini
section nor the modopts/rlogin.ini
file exist, options will be pulled from the [telgate]
modopts.ini
section or the modopts/telgate.ini
file.
Key | Default | Description |
---|---|---|
quiet | false | Don't display banner or pause prompt |
pause | true | Pause for user key-press before connecting |
clear | true | Clear screen after disconnect |
timeout | 10 | Connect timeout (in seconds) |
verbosity | 0 | Display remote host address/port when non-zero |
salt | QWK-ID | Salt used in SHA-1 hashing of user passwords (used with -h option) |
help_msg | see code | Message to display for help (“” to disable) |
connecting_msg | see code | Message to display when connecting to remote host (“” to disable) |
failed_conntect_msg | see code | Message to display upon connection failure (“” to disable) |
Note:
You'll likely want to use string literal syntax for message strings.