In response to Ken Hardy's query:
> > > What about services like talk and finger? How do my local users
> > > "talk" a user at an outside host over proxy? (and external users too)
Marcus suggested using
> We don't support "talk" so I can't address that one, but finger
> works real easily. We have a netacl rule (or tcp_wrapper or whatever)
> that lets anyone on our inside net talk to fingerd w/o privs. Then
> someone can just:
>
> finger user @
host@firewall
>
This has the disadvantage that the bastion host actually has to run a
finger daemon. There was at least one example in the last year of a
version of OSF that had a serious security bug in fingerd, and some
machines also have it run as root. We prefer to use plug-gw from the
TIS toolkit to pipe finger requests on port 79 through to a machine
outside the firewall where the finger daemon actually makes the
request. There is a script called "rfinger" installed inside that
does the following:
/usr/ucb/finger $* @
gateway
where "gateway" is the name of our machine. If you use the command
rfinger user @
host
then it sends the request through the gateway to a machine outside
(whatever plug-gw is pointing at) where the machine acts like it has
received the command
finger user @
host
The only apparent difference in behaviour is that some finger clients
put up the name of the machine that was the first target of the finger
command (in this case the gateway machine). You can eliminate this
with a grep -v in the script.
Plug-gw is quite useful - we also use it for selected machines outside
the firewall but inside the building to print to our printers.
Kevin McCurley
Sandia National Laboratories
|
|
