| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| module:rlogin [2018/07/18 18:44] – "mode flags" and links to telgate page digital man | module:rlogin [2025/04/19 19:35] (current) – [Auto-Login] Document the -H option digital man |
|---|
| ====== RLogin ====== | ====== RLogin Gateway ====== |
| The Synchronet RLogin module (''[[dir:exec]]/rlogin.js'') is used to create an outbound proxy gateway connection between a Synchronet [[server:Terminal]] Server user and a remote server using the BSD Rlogin protocol ([[RFC>1282]]) over TCP (traditionally, TCP port 513). The BBS user can be connected to the host BBS using any supported terminal protocol (Telnet, RLogin, or SSH). | The Synchronet RLogin module (''[[dir:exec]]/rlogin.js'') is used to create an outbound proxy gateway connection between a Synchronet [[server:Terminal]] Server user and a remote server using the BSD Rlogin protocol ([[RFC>1282]]) over TCP (traditionally, TCP port 513). The BBS user can be connected to the host BBS using any supported terminal protocol (Telnet, RLogin, or SSH). |
| |
| ==== Command-line ==== | ==== Command-line ==== |
| The RLogin module accepts command-line arguments to control its behavior when invoked. The command-line syntax is: | The RLogin module accepts command-line arguments to control its behavior when invoked. The command-line syntax is: |
| ?rlogin <address>[:port] [mode] | ?rlogin <address>[:port] [options] |
| | |
| Where: | Where: |
| * ''<address>'' is the IPv4 address or host name to connect to | * ''<address>'' is the IPv4 address or host name to connect to |
| * ''[:port]'' is the TCP port number to connect to (default is 513) | * ''[:port]'' is the optional TCP port number to connect to (default is ''513'') |
| * ''[mode]'' is an optional set of one or more [[:module:telgate#mode|telgate mode flags]] (''TG_*'') separated by pipe (''|'') symbols | * ''[options]'' are one or more of the following options: |
| | |
| | ^ Option ^ Value ^ Description ^ |
| | | ''-c'' | client-name | Client-side username to include in the RLogin negotiation (default is current user's alias) | |
| | | ''-s'' | server-name | Server-side username to include in the RLogin negotiation (default is current user's real name) | |
| | | ''-t'' | terminal-type | Terminal type/speed (or "xtrn=doorcode" to auto-exec door on server) | |
| | | ''-T'' | connect-timeout-seconds | Connection timeout (default: 10 seconds) | |
| | | ''-m'' | telnet-gateway-mode| Set of one or more [[:module:telgate#mode|telgate mode flags]] (''TG_*'') separated by pipe (''|'') symbols (default is ''0'') | |
| | | ''-p'' | //none// | Send current user alias and password as server-name and client-name values, as expected by a Synchronet RLogin Server | |
| | | ''-h'' | [//pepper//] | Send current user alias and **hashed** user-password as server-name and client-name values, optionally applying the specified //pepper// (e.g. server name) to the hashed value | |
| | | ''-H'' | password | Send current user alias and specified **hashed**-password as server and client-name | |
| | | ''-q'' | //none// | Don't display banner or pause prompt (be quiet) | |
| | | ''-v'' | //none// | Display remote host name/address/port in messages | |
| | | ''-P'' | //none// | Don't pause for user key-press before connection attempt | |
| | | ''-C'' | //none// | Don't clear screen after successful session | |
| | |
| | //Required// option values may immediately following the option flag or as be provided as the next argument on the command-line (separate by white-space). |
| | //Optional// option values must immediately follow the option flag. |
| | |
| | The legacy command-line syntax which did not use option flags to specify optional arguments is still supported, though deprecated. |
| ===== Connection ===== | ===== Connection ===== |
| The RLogin protocol allows the client to pass 3 strings to the server during connection establishment. These 3 strings defined by the protocol specification are, in order: | The RLogin protocol allows the client to pass 3 strings to the server during connection establishment. These 3 strings defined by the protocol specification are, in order: |
| If you wish to reverse the order of the first 2 strings sent, pass the ''TG_RLOGINSWAP'' mode flag on the ''rlogin.js'' command-line. | If you wish to reverse the order of the first 2 strings sent, pass the ''TG_RLOGINSWAP'' mode flag on the ''rlogin.js'' command-line. |
| |
| | ==== Auto-Login ==== |
| | |
| | For automated logins, the [[server:Terminal#RLogin|Synchronet RLogin Server]] requires the //client-user-name// to be a valid user password, and the //server-user-name// to be a valid user ID (e.g. alias) which corresponds with the password. |
| | |
| | Other RLogin servers (e.g. door game servers) may have different requirements for automated logins (e.g. //no// password). |
| | |
| | === Hashed Passwords === |
| | |
| | Hashed passwords can be used to securely authenticate the local BBS user with the remote RLogin server without leaking the user's local password. |
| | |
| | In some use cases, the RLogin server may be expected store/remember the sent client-user-name as a password for subsequent connection authentication (e.g. when a Synchronet RLogin server is used as a public Game Server). |
| | |
| | The ''-h'' command-line option (an alternative to the ''-p'' option) can be used to obfuscate the user's password that is sent to the potentially third-party RLogin server via 128-bit secure hashing algorithm (SHA-1), while still creating a unique, cryptographically secure password. |
| | The user's password, user number, and account creation date are used to generate the password hash, so changing any of these values will change the resulting hashed password sent (and presumably logged/stored) on the server. The resulting SHA-1 hash is sent as 40 hexadecimal digits. |
| | |
| | Included in the hashed parameters are so-called //salt// and //pepper// (strings of characters) to help insure that the a user with the same number, password, and creation date on another BBS won't generate the same hash value that is sent to the RLogin server (allowing a malicious server to identify users with same passwords). |
| | |
| | The ''-H'' command-line option (an alternative to the ''-h'' option) uses a command-line supplied password (i.e. by the sysop) rather than the local user's password, to generate the password hash. This option allows a BBS to uniquely identify and authenticate users to an external RLogin server without using the user's local password, so subsequent changes to the user's password will not invalidate the RLogin credentials. If the Rlogin gateway is used to connect to multiple 3rd party RLogin servers, a different password value should be provided by the sysop for each RLogin server in order to prevent potential password hash duplication/reuse among systems. Passwords hashed with this option include //salt// but not //pepper// as the sysop-provided password already provides the function of "pepper". |
| | |
| | == Salt == |
| | The default hashed password salt is the system's QWK-ID, but the sysop can specify their own salt (e.g. random number or secret passphrase) via the "salt" key described below. Changing your system's QWK-ID or the configured salt value will change the resulting password hash for all users. |
| | |
| | == Pepper == |
| | To insure that a different hash is generated for use on different RLogin servers, a sysop may include server-unique data (so called "pepper") immediately after the ''-h'' option on the ''rlogin'' command-line. |
| | |
| | When multiple 3rd party RLogin servers are being connected to with hashed passwords, it is recommended to include a different pepper value for each RLogin server, e.g. ''-hSEVERNAME''. |
| | |
| | Including pepper allows server-unique hashes so that if one BBS auto-registers/authenticates its users with *multiple* RLogin servers, the credentials stored any //one// of the RLogin servers may not be used to authenticate on the others. |
| | |
| | |
| | ===== Configure ===== |
| | |
| | The default RLogin Gateway option values and display messages can be over-ridden by creating/editing key in the ''[rlogin]'' section of your ''[[dir:ctrl]]/[[config:modopts.ini]]'' file or the //root section// of your ''[[dir:ctrl]]/modopts/rlogin.ini'' file. If neither the ''[rlogin]'' ''modopts.ini'' section nor the ''modopts/rlogin.ini'' file exist, options will be pulled from the ''[telgate]'' ''modopts.ini'' section or the ''modopts/telgate.ini'' file. |
| | |
| | ^ Key ^ Default ^ Description ^ |
| | | quiet | false | Don't display banner or pause prompt | |
| | | pause | true | Pause for user key-press before connecting | |
| | | clear | true | Clear screen after disconnect | |
| | | timeout | 10 | Connect timeout (in seconds) | |
| | | verbosity | 0 | Display remote host address/port when non-zero | |
| | | salt | QWK-ID | Salt used in SHA-1 hashing of user passwords (used with ''-h'' option) | |
| | | help_msg | //see code// | Message to display for help ("" to disable) | |
| | | connecting_msg | //see code// | Message to display when connecting to remote host ("" to disable) | |
| | | failed_conntect_msg | //see code// | Message to display upon connection failure ("" to disable) | |
| | |
| | **Note**:\\ |
| | You'll likely want to use string literal syntax for message strings. |
| |
| ===== See Also ===== | ===== See Also ===== |
| * [[:module:|Module Index]] | * [[:module:|Module Index]] |
| * [[:module:Telgate|Telgate Module]] | * [[:module:Telgate|Telgate Module]] |
| | * [[:server:Terminal#rlogin|Terminal Server:Rlogin]] |
| |
