Administration and support activities can be easier when you can just execute a shell on a remote system. The rsh service allows users to do this. The rsh program is not without risks: it runs programs on another system and requires some privileges to log in. The Gauntlet Firewall includes a proxy that securely handles the execution of rsh requests from systems inside the network to systems outside the network.
The following sections explain the concepts behind the rsh proxy and how it works, how to configure the proxy, and how to use rsh services.
The rsh proxy is an application-level gateway that provides configurable access control, authentication, and logging mechanisms. The rsh proxy, which runs on the firewall, passes rsh requests through the firewall, using rules you supply. You can configure the rsh proxy to allow remote shell activity based on:
source IP address
source hostname
destination IP address
destination hostname
Using these options, you can configure your firewall to allow specific hosts on the inside network to start remote shells on outside hosts. Employees working behind the firewall can start remote shells on outside hosts at a customer site. The rsh proxy logs all successful and unsuccessful remote shell attempts, and the number of bytes transferred.
These access controls allow you to have much more control over the rsh requests entering and leaving your system than using the standard IRIX rsh program. The logging capabilities are also much more extensive.
In the default configuration, the firewall runs the rsh proxy (rsh-gw) as a daemon listening for requests on the standard rsh port (TCP port 514). Whenever the firewall receives an rsh request on this port, the rsh proxy checks its configuration information and determines whether the initiating host has permission to use rsh. If the host has permission, the proxy logs the transaction and passes the request to the outside host. The rsh-gw process remains active until either side closes the connection.
The default trusted service group does not include the rsh proxy. If you add the rsh proxy to the trusted service group and enable the proxy, users on inside hosts can continue to use rsh as they did before the firewall was put into place. The default untrusted service group and rules do not allow outside hosts to use rsh to hosts inside the perimeter.
The default configuration using just the rsh proxy prohibits running an rsh server on the firewall itself. Because the rsh proxy is listening on the standard rsh port on the firewall, every rsh request starts the proxy. There is no way to start the rsh daemon that would be needed to service rsh requests on the firewall.
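As an added illustration of the decision the proxy makes (this is example code written for this page, not Gauntlet's rule syntax or the rsh-gw source; the networks, hostnames and log format are constructed), the following model evaluates an rsh request against ordered rules keyed on source IP, source hostname, destination IP and destination hostname, logs every permit and deny, and denies by default so that an inbound request from outside never passes:

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One access-control rule; hostname fields are shell-style glob patterns."""
    action: str                    # "permit" or "deny"
    src_net: str = "0.0.0.0/0"     # source IP range (CIDR)
    src_host: str = "*"            # source hostname pattern
    dst_net: str = "0.0.0.0/0"     # destination IP range (CIDR)
    dst_host: str = "*"            # destination hostname pattern


def _matches(rule, src_ip, src_host, dst_ip, dst_host):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_net)
            and fnmatch.fnmatchcase(src_host.lower(), rule.src_host.lower())
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst_net)
            and fnmatch.fnmatchcase(dst_host.lower(), rule.dst_host.lower()))


def check_rsh(rules, src_ip, src_host, dst_ip, dst_host, log):
    """First matching rule wins; no match means deny. Every decision is logged."""
    for rule in rules:
        if _matches(rule, src_ip, src_host, dst_ip, dst_host):
            log.append(f"rsh-gw: {rule.action} {src_host}[{src_ip}] -> {dst_host}[{dst_ip}]")
            return rule.action == "permit"
    log.append(f"rsh-gw: deny (no rule) {src_host}[{src_ip}] -> {dst_host}[{dst_ip}]")
    return False


# Constructed policy: the inside network may rsh only to the customer's domain;
# everything else, including any request arriving from outside, is denied.
POLICY = [
    Rule("permit", src_net="10.1.0.0/16", dst_host="*.biguniversity.edu"),
    Rule("deny"),
]


def demo():
    log = []
    results = {
        "inside_to_customer": check_rsh(POLICY, "10.1.2.3", "penny-ws.yoyodyne.com",
                                        "192.0.2.10", "cs.biguniversity.edu", log),
        "inside_to_other": check_rsh(POLICY, "10.1.2.3", "penny-ws.yoyodyne.com",
                                     "198.51.100.7", "host.example.net", log),
        "outside_to_inside": check_rsh(POLICY, "203.0.113.9", "remote.example.org",
                                       "10.1.2.3", "penny-ws.yoyodyne.com", log),
    }
    return results, log
```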
To access the rsh proxy configuration:
Configuring the Gauntlet Firewall involves planning, configuring the rsh proxy to enforce your security policy, and enabling the proxy.
When planning rsh proxy settings, determine whether you wish to allow inside hosts to rsh through the firewall to outside hosts.
Configure the rsh proxy to enforce your security policies.
To configure rsh proxy settings, you can provide optional information about time-out values and other configuration settings for the rsh proxy.
Following some initial configuration, the firewall and the rsh proxy are transparent to the user. Users can continue to use rsh to connect to outside hosts as they did before.
Before using rsh, users must configure the remote host to accept rsh requests from the firewall.
To configure the remote host, have each user add a line containing the name of the firewall and their user name to the .rhosts file in their account on the remote system:
firewall [user]
firewall is the name (including domain if necessary) of the firewall. This name should be the name of the interface on the firewall closest to the remote system.
user is their user name within the domain from which the request comes. The user does not actually need to have an account on the firewall itself. The rsh request simply appears to be coming from the firewall.
For example, Penny, who works at Yoyodyne, needs to execute something remotely using her account at Big University. She adds this line to the .rhosts file in her account at Big University:
fire-out.yoyodyne.com penny