    $ mkdir -p /usr/local/src/sjg
    $ cd /usr/local/src/sjg
    $ gzcat /tmp/bmake.tar.gz | tar xvf -
    $ gzcat /tmp/SSLrsh.tar.gz | tar xvf -
    $ gzcat /tmp/stelnet.tar.gz | tar xvf -

Everything will be in the right place and once you've built bmake you can just:

    $ cd /usr/local/src/sjg
    $ bmake obj
    $ bmake depend
    $ bmake
    $ su
    # bmake install

Note that stelnet will look up the name that it was invoked with in /etc/services, and if that succeeds, use the port obtained, otherwise it looks up telnet/tcp and if all else fails it uses port 23. The upshot of all this is that you have the option of adding something like:

    stelnet 423/tcp

to /etc/services and running stelnet as well as normal telnet. This is handy at some sites that have rules against replacing system binaries with ones that work :-)
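
The lookup order described above can be sketched with the standard getservbyname(3) call. This is an added example, not stelnet's own source; the helper names invoked_name() and choose_port() are hypothetical.

```c
/* Added example, not stelnet's own source: the port-selection order
 * described above, using the standard getservbyname(3) lookup. */
#include <arpa/inet.h>   /* ntohs */
#include <netdb.h>       /* getservbyname, struct servent */
#include <stdio.h>
#include <string.h>

#define TELNET_DEFAULT_PORT 23

/* Strip any directory part, so /usr/local/bin/stelnet -> "stelnet". */
const char *invoked_name(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Hypothetical helper: 1) service named after the program,
 * 2) telnet/tcp, 3) port 23. Returns the port in host byte order. */
int choose_port(const char *argv0)
{
    const char *candidates[] = { invoked_name(argv0), "telnet" };
    size_t i;

    for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++) {
        struct servent *sp = getservbyname(candidates[i], "tcp");
        if (sp != NULL)                 /* s_port is in network byte order */
            return ntohs((unsigned short)sp->s_port);
    }
    return TELNET_DEFAULT_PORT;         /* nothing usable in /etc/services */
}

int main(int argc, char **argv)
{
    (void)argc;
    printf("%s would connect to port %d/tcp\n",
           invoked_name(argv[0]), choose_port(argv[0]));
    return 0;
}
```

Because the port follows the invoked name, a renamed copy or symlink of the client connects to whatever port /etc/services lists for that name, so it is worth checking that file when a client reaches an unexpected port.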
My configs tool would normally add the above to /etc/services and one of:

    stelnet stream tcp nowait root /usr/local/libexec/netacl stelnet
    stelnet stream tcp nowait root /usr/local/libexec/stelnetd stelnetd -kfz certsok

to /etc/inetd.conf depending on whether the TIS fwtk's netacl is installed.
The args shown above tell stelnetd to pass -f to login(1) if the user has been authenticated, and to check the client's certificate (if provided) against /etc/ssl.users for authentication.
If your login(1) does not support -f, you can use the one that comes with stelnet though you will need to make your inetd.conf entry:

    stelnet stream tcp nowait root /usr/local/libexec/stelnetd /usr/local/libexec/stelnetd -kfz certsok

or use a -p /usr/local/libexec/login arg so that stelnetd can find it. It is known to do [wu]tmp entries correctly on SunOS, Solaris, HP-UX (9 but not 10). Fortunately most of the systems where the utmp magic is broken (Linux, HP-UX 10) have a login that supports -f.
My original encryption code was pretty ugly, using the RSA implementation lifted from PGP. Thank heavens for Eric Young's SSLeay package, which contains a libcrypto that includes every decent cipher I've ever heard of. I've now greatly cleaned up stelnet to use libcrypto.
Further, I've re-worked Tim Hudson's SSLtelnet patches to SSLeay via my libsslfd wrapper library (included in SSLrsh.tar.gz). This keeps the telnet code much cleaner, and ensures consistent behaviour between SSLr* and stelnet. For instance I avoid reading the SSL_CERT until it is actually needed. Note that this will only work with SSLeay-0.6.4 and later.
More info about SSLeay can be found in the SSLeay FAQ.
The drag is that it still has some carry-over from the pre-SSL days, so it uses a TELOPT_PKE option to turn on encryption. If using unofficial telnet options gives you the creeps, by all means turn it off - just comment out the -DAUTH_HPW -DPKE_ENCRYPTION from stelnet/Makefile.inc. They are off by default.
In addition, stelnetd can be given a -p path_login to tell it which login(1) to use. This is handy if you want to use login-ts from TIS fwtk to query the authsvr for user authentication.
Because the [wu]tmp magic varies wildly between *nix and even versions of same, this login will not always do the right thing on a new system. It is built by default on SunOS, Solaris and HP-UX (not HP-UX 10 though), where it both works and is needed.
If you need to build it on another system, just:

    $ cd stelnet/libexec/login
    $ bmake obj
    $ bmake
    # bmake install

The utmp magic is all in doutmp.c and you can:

    $ bmake doutmp.test
    $ obj/doutmp.test host user

to help test whether it will do the right thing.
Sadly, this is an area where the documentation on most commercial *nix systems is lacking and/or inaccurate. So it can take a lot of effort to port to a new system.