-
Notifications
You must be signed in to change notification settings - Fork 49
Remote Console
Remote console was added to TDSM in release b29. It gives access to a live, interactive stream of the server log and the ability to issue commands and receive responses. It's implemented over an unencrypted TCP channel using plain-text authentication, utilizing a subset of the telnet protocol.
Initial setup is automatic. When starting the server, if no configuration for the remote console was found, a new hashing nonce is generated and a new user "Owner" created. The password for this user is output on screen and to the log file. By default the remote console listens on port 7023, exclusively on the local interface for security reasons. You may now connect to it with any telnet client or netcat.
The entry rcon-bind-address in the server.properties file controls the address the remote console listens on, its format is: ipaddress:port. Use 0.0.0.0 to listen on all network interfaces. For this change to take effect, the program needs to be restarted.
Users are by default kept in the file rcon_logins.properties. The entries consist of name=hash pairs, where hash is a SHA-256 sum of the string "username:nonce:password" in hex format. The nonce is kept in the server properties file under the entry rcon-hash-nonce. It is autogenerated on server startup if unset, but can be set to any string. Changing it invalidates existing passwords though.
To generate a hash for a user on a unix machine, the commands echo and sha256sum can be used. Example:
echo -n "mike:rcon_423adf11:ilikeapples" | sha256sum
Alternatively an online hash calculator like this one can be used.
There is currently no command for adding users from the server console, however you can reload the contents of the logins file with:
rcon load
rcon list - list currently active remote console connections rcon cut name - cut all remote console connections authenticated as ''name'' rcon ban name - perform '''rcon cut''' and also remove the user from the logins database
Remote console can be accessed by netcat (available on some systems as nc), telnet or putty, but these programs don't provide any added convenience over standard console. Instead MUD clients may be used, as these provide additional features like an input box for commands with cut&paste and command history, and even triggers that fire and run scripts when certain lines are received.
TDSM's remote console doesn't implement the full telnet protocol and cannot handle binary data or complex telnet feature negotiation. If the connection is cut just after sending the username, try disabling telnet negotiation in your client.
It is assumed the client supports the "telnet go-ahead" command and correctly interprets the carriage return (\r) character. Clients that don't support telnet GA will show garbage characters after the login and password prompts, and after progress updates in the log; while clients that don't interpret \r may cause spamming of progress updates in the output window.
In particular clients that were found to be lacking are: kmuddy and kildclient. However these issues are minor and don't make them unusable.
For windows users MUSHClient is a free, light and featureful client. Linux users might need to live with the quirks of KMuddy or Gnome-Mud, but the convienience of an input box with history alone is worth it over a telnet client.
Since we are using an unencrypted protocol, there is a chance that an attacker might eavesdrop passwords used to login via remote console. For added security, we recommend restricting remote console to listen only on 127.0.0.1 and use an SSH tunnel for remote access.
To set up and SSH tunnel to your VPS on unix:
ssh -L:127.0.0.1:localport:127.0.0.1:remoteport user@host
where localport is an arbitrary port on your local machine, while remoteport is where the remote console is listening.
From a windows machine, you may use putty to establish an SSH tunnel.