spiped - secure pipe daemon
spiped {-e | -d} -s <source socket> -t <target
socket> -k <key file>
[-DFj] [-f | -g] [-n <max # connections>] [-o <connection
timeout>]
[-p <pidfile>] [-r <rtime> | -R] [--syslog]
[-u <username> | <:groupname> | <username:groupname>]
spiped -v
- -e
- Take unencrypted connections from the source socket and send
encrypted connections to the target socket.
- -d
- Take encrypted connections from the source socket and send
unencrypted connections to the target socket.
- -s <source
socket>
- Address on which spiped should listen for incoming connections. The
accepted formats are the same as the ones accepted by target
socket. Note that contrary to target socket hostnames are
resolved when spiped is launched and are not re-resolved later;
thus if DNS entries change spiped will continue to accept
connections at the expired address.
- -t <target
socket>
- Address to which spiped should connect. Must be in one of the
following formats:
- /absolute/path/to/unix/socket
- host.name:port
- [ip.v4.ad.dr]:port
- [ipv6::addr]:port
- Hostnames are re-resolved every rtime seconds.
- -k <key file>
- Use the provided key file to authenticate and encrypt. Pass "-"
to read from standard input.
- -D
- Wait for DNS. Normally when spiped is launched it resolves
addresses and binds to its source socket before the parent process
returns; with this option it will daemonize first and retry failed DNS
lookups until they succeed. This allows spiped to launch even if
DNS isn't set up yet, but at the expense of losing the guarantee that once
spiped has finished launching it will be ready to create
pipes.
- -f
- Use fast/weak handshaking: This reduces the CPU time spent in the initial
connection setup by disabling the Diffie-Hellman handshake, at the expense
of losing perfect forward secrecy.
- -g
- Require perfect forward secrecy by dropping connections if the other host
is using the -f option.
- -F
- Run in foreground. This can be useful with systems like daemontools.
- -j
- Disable transport layer keep-alives. (By default they are enabled.)
- -n <max #
connections>
- Limit on the number of simultaneous connections allowed. A value of 0
indicates that no limit should be imposed; this may be inadvisable in some
circumstances, since spiped will terminate if it fails to allocate
memory for handling a new connection. Defaults to 100 connections.
- -o <connection
timeout>
- Timeout, in seconds, after which an attempt to connect to the target or a
protocol handshake will be aborted (and the connection dropped) if not
completed. Defaults to 5s.
- -p <pidfile>
- File to which spiped's process ID should be written. Defaults to
source socket.pid (in the current directory if source socket
is not an absolute path). No file will be written if -F (run in
foreground) is used.
- -r <rtime>
- Re-resolve the address of target socket every rtime seconds.
Defaults to re-resolution every 60 seconds.
- -R
- Disable target address re-resolution.
- --syslog
- After daemonizing, send warnings to syslog instead of stderr. Has no
effect if -F (run in foreground) is used.
- -u <username> |
<:groupname> | <username:groupname>
- After binding a socket, change the user to username and/or the
group to groupname.
- -v
- Print version number.
spiped provides special treatment of the following signals:
- SIGTERM
- On receipt of the SIGTERM signal spiped will stop accepting
new connections and exit once there are no active connections left.