.\" (c) 1998 by James R. Van Zandt <jrv@vanzandt.mv.com> -*- nroff -*-
.\" Japanese Version Copyright (c) 2003 NAKANO Takeo all rights reserved.
.\" Translated Wed 29 Jan 2003 by NAKANO Takeo <nakano@apm.seikei.ac.jp>
.TH mirrordir 1 "1998 November 8" "Linux"
.SH NAME
secure-mcserv \- secure server for encrypted login, file transfer and socket forwarding.
.PP
.BI secure-mcserv " \fR[\fPoptions\fR] [\fP" -p " portnum\fR]\fP"
.PP
\fBsecure-mcserv\fP is a server for the Midnight Commander (network)
filesystem (mcfs) of the Midnight Commander vfs (virtual file system).
It is part of the \fBmirrordir\fP package. It can operate as a
substitute for the Midnight Commander's native \fBmcserv\fP daemon,
although it has several extensions for use with \fBmirrordir\fP.
.TP
.B security and compression
This is not so much a feature of \fBsecure-mcserv\fP as of the
transparent secure TCP layer implemented for the whole of
\fBmirrordir\fP. This layer can operate in normal mode, compressed
(gzipped) mode, encrypted mode, or compressed and encrypted mode. The
mode of connection is autodetected from magic numbers at the head of the
TCP stream. The Midnight Commander can use \fBsecure-mcserv\fP instead
of its native \fBmcserv\fP. See the \fB-z\fP, \fB--secure\fP and
\fB-K\fP options of \fBmirrordir\fP(1).
.TP
.B Denying access from specific hosts
You can add lines like the following to your \fI/etc/hosts.allow\fP file:
.PP
.nf
secure-mcserv: <source-ip-address> : ALLOW
secure-mcserv: 212.89.128.0/255.255.255.0 : ALLOW
secure-mcserv: ALL : DENY
.fi
.PP
(This feature was submitted to me by Juergen Kammer <j.kammer@eurodata.de>
who claims it works.)
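.PP
The rule order in the hosts.allow lines above, worked through as an added example (not part of the original manual page or of the mirrordir distribution): a small Python evaluator for a simplified subset of the hosts.allow syntax, showing that the first matching line decides the outcome. The address 192.0.2.10 stands in for <source-ip-address>, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the three rules from the page, with the
# <source-ip-address> placeholder replaced by 192.0.2.10 (assumption).
HOSTS_ALLOW = """\
secure-mcserv: 192.0.2.10 : ALLOW
secure-mcserv: 212.89.128.0/255.255.255.0 : ALLOW
secure-mcserv: ALL : DENY
"""


def client_matches(pattern, addr):
    """Match one client pattern: ALL, net/mask, or a literal IPv4 address."""
    if pattern.upper() == "ALL":
        return True
    try:
        if "/" in pattern:
            net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/", 1))
            return int(addr) & mask == net
        return addr == ipaddress.IPv4Address(pattern)
    except ValueError:
        return False  # hostname and wildcard patterns are not modelled here


def decide(rules_text, daemon, client_ip):
    """Return 'ALLOW' or 'DENY' from the first matching rule, else None."""
    addr = ipaddress.IPv4Address(client_ip)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a "daemons : clients [: option]" rule
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, addr) for c in clients):
            # A rule in hosts.allow grants access unless its option says DENY.
            denied = len(fields) > 2 and fields[-1].upper() == "DENY"
            return "DENY" if denied else "ALLOW"
    return None  # no rule matched; this sketch does not model hosts.deny


if __name__ == "__main__":
    for ip in ("192.0.2.10", "212.89.128.77", "212.89.129.1"):
        print(ip, decide(HOSTS_ALLOW, "secure-mcserv", ip))
```

If the ALL : DENY line is moved to the top, every client is denied, including the ones the ALLOW lines were meant to admit.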
.PP
You can securely log in to \fBsecure-mcserv\fP with \fBpslogin\fP, which
comes with the \fBmirrordir\fP distribution. This is analogous to
\fBrlogin\fP(1) working with \fBrlogind\fP(1). See the
\fB--login-mode\fP option of \fBmirrordir\fP(1).
.TP
.B TCP socket forwarding
Using the \fBforward\fP(1) command of the \fBmirrordir\fP distribution,
you can forward arbitrary TCP socket connections over a secure and/or
compressed TCP channel. This is very useful for making encrypted
services out of ordinary services. \fBforward\fP(1) has an examples
.PP
Become a daemon (this also sets \fB-q\fP). This option will almost always be used.
Alternatively, \fB-d\fP can be omitted and \fB-v\fP (see below) set to
debug failed connections.
.PP
Quiet mode. This is the default.
.PP
Try ftp authentication if normal authentication fails.
.PP
Verbose mode. Print out various debugging information.
.PP
Specify a port number to listen to. The default is 9876.
.TP
\fB-s\fP \fIserver\fP\fB[\fP\fI:port\fP\fB]\fP
Specify a password server to use. The password server is
just another machine running \fBsecure-mcserv\fP, albeit
without the \fB-s\fP option.
.PP
This is a very useful option if you have lots of machines that a
group of users have to be able to log into. Create accounts for
all these users on each machine and disable them by editing
their password fields to \fB*\fP in \fB/etc/passwd\fP (or
\fB/etc/shadow\fP).
.PP
Select one machine as your password server (say it is called
\fBpasserv.my.doma.in\fP). This machine will contain proper
password fields in \fB/etc/passwd\fP. On this machine run
\fBsecure-mcserv -d\fP as usual. On all other machines, run
\fBsecure-mcserv -d -s passerv.my.doma.in\fP.
.PP
Because all intermediate connections use the same encrypted TCP
stream, and are all equally secure, you can use this method even
if \fBpasserv.my.doma.in\fP is across the open internet. In fact
the very method to authenticate against the password server is
to check the exit status of the command:
.PP
\fBpslogin\fP \fIuser\fP\fB@passerv.my.doma.in --test-login --read-password-from-stdin\fP
.PP
I also see no reason why you cannot use cascading password
servers, although there is no advantage to doing this.
.PP
Each authentication takes the same time to execute, so using a
password server takes twice as long as a normal login, because
of the second connection it has to make to the password server.
Cascades will take that much time extra for each successive
password server.
.PP
Does not log to syslog.
.PP
Midnight Commander vfs has a bug whereby device files always get a
major:minor of 0:0. This bug is fixed in this implementation.
Don't use the Midnight Commander to transfer device files. By
the time you read this, the latest Midnight Commander may have
fixed this problem.
.PP
The special escape characters for suspending an \fBrlogin\fP session are
not recognised. Hence programs like \fBscreen\fP (?) will not work. I
will add this functionality if users request it. Currently, ^Z etc. do
not have any effect.
.PP
See \fBmirrordir\fP(1).
.PP
None. See \fBBUGS\fP.
.SH AVAILABILITY
The latest version of the program can be found at any of
\fBftp://metalab.unc.edu/pub/Linux/system/backup\fP,
\fBftp://lava.obsidian.co.za/pub/linux/mirrordir\fP, or
\fBftp://obsidian.co.za/pub/linux/mirrordir\fP.
.PP
Paul Sheer <psheer@obsidian.co.za> <psheer@icon.co.za>
.PP
\fBmirrordir\fP(1), \fBssh\fP(1), \fBmcserv\fP(1), \fBmc\fP(1)