
OK, here is the 0.1alpha version of my dirty hack of sshd - the thing designed
to allow TIS fwtk/Gauntlet (I hope so - I don't have Gauntlet) based firewalls
to accept incoming ssh connections. I am now starting the most boring part:
writing this README file.

First, what does the damn thing do?
It accepts ssh connections and forwards 'em to localhost's telnet port -
or runs any other command if you want it to, but the main purpose is to
create a secure tunnel for TIS tn-gw. Some more details follow:

Authentication modes. 

  You may disable password authentication and enable
TIS authentication - and allow connections from localhost for tn-gw
without additional security options (netperm-table). Note: you should
enable it both on the server side (/usr/local/etc/sshproxy.conf or something)
and on the client side - like ssh -o "TISAuthentication yes" does.
Good enough, but it has some disadvantages: first, it requires a client that
supports this option - old clients do not! Second, it does not distinguish
users from one another - if all users able to authenticate themselves are
equal it's OK, but if some are more equal than others <g> - this method is
unacceptable. So, another option:
 
  You may enable password authentication - and disable the TIS one as useless.
Password authentication here is completely bogus: the username is ignored, and
the password is always empty and never asked for. So the job has to be done by
tn-gw - list localhost as an external machine in netperm-table and enjoy.

More on installation.

Put ssh-1.2.20 in some directory, run ./configure --with-TIS --without-x,
cp sshd.c sshproxy.c and apply my patches.
Compile, create a config file (syntax is similar to sshd_conf) and run the
binary. Oops, forgot to say - create a thing that will do telnet for you
(mine is called tn, look at the beginning of the source).

Bugs.

1. It is *UGLY*
2. It is U-G-L-Y.
3. It is UGLY!
4. It does not support X-forwarding.
5. The config file has extra options without any use.
6. There are tons of useless code.
7. It uses an external command for telnet and to show the denial message. Or is
   it a feature?
8. It is ugly.

To do list - I am a) lazy b) busy, so I don't think I will do any of those
soon. I'd say it would be better if YOU did that instead.

1. Get rid of useless code.
2. Get rid of external commands - maybe even include the tn-gw code in the
   proxy.. Or should I not?
3. Think about X-forwarding.
4. Change the config file somehow. Move proxy options to netperm-table?
5. Change rhosts authentication (I did not remove it intentionally) to something
   read from netperm-table.
6. Make tn-gw able to originate ssh (and rlogin?) connections.
.. something else.

Thanks to the people who made it possible: the ssh development team, TIS - and
B. Tobotras, who asked me on irc every day if I had finished the proxy.
Actually I did not intend to distribute it - I just hacked it for my own
use, but.. here it is.

Please write me if you improve it somehow, fix any bugs etc.

 -= ArkanoiD =- (ark@paranoid.convey.ru, ark@mpak.convey.ru)
