1. General information
2. Step-by-step example, two terminals in the same Proxy32 workspace share the same session via TELNET
    2.1. Step 1
    2.2. Step 2
    2.3. Step 3
    2.4. Step 4
    2.5. Step 5
    2.6. Step 6

3. Step-by-step example, two terminals in the same Proxy32 workspace share the same session via TELNET-TLS
    3.1. Step 1: Prepare shared terminal session window and turn on TLS for TELNET sharing
    3.2. Step 2: Prepare TERMINAL Launcher with information needed to connect to shared terminal session window
    3.3. Step 3: DoubleClick on TELNET-TERMINAL Launcher to connect to shared terminal session window
    3.4. Step 4: Typing commands from new terminal window into to shared terminal session window via TLS-telnet connection
    3.5. Step 5: Disconnecting new terminal window from shared terminal session window

1. General information

Often the whole team of people working on different computers and even from different locations should share single terminal session. Shared session means all team is typing on "remotely-shared" keyboard (one at the time) and viewing "remotely-shared" screen with output of remote host (simultaneously). This "shared" Proxy32 terminal session can be login session to remote host or session of local Proxy32 terminal CYGWIN bash shell activities.

Fig.1. Terminal Session Sharing

When such "sharing" may be needed:

Coaching More experienced members of the team have to couch/teach colleagues and help them remotely.
Only single login session is available for many people Remote host allows only one single login session but many people should perform their part of work with remote host (one at the time as this is the same terminal session).
Execute legacy scripts from another terminal software User has to use different terminal software to work with the same terminal session. Say, user works most of the time in Proxy32 terminal session but still has to run legacy scripts written long time ago for another automated terminal. Examples: Expect script to interact with remote host over telnet in Xterm, TeraTerm script, SecureCRT script, AbsoluteTelnet script, etc. If user does not want to convert/adapt those legacy scripts to use them in Proxy32 terminal there is another way to execute them into existing Proxy32 terminal session. Another terminal (the one that can run legacy script) can be temporarily connected to Proxy32 terminal session (via Proxy32 terminal session sharing port) to execute it's own legacy script into this existing Proxy32 session. Then another terminal is disconnected from the session and user continues to work with the same session in Proxy32 terminal.

Every Proxy32 terminal window has built-in TELNET/TLS server and one "serving/listening" COM-PORT to share existing terminal session with remote users. Remote users connect via TELNET, TELNET/TLS or Serial protocol to Proxy32 terminal to receive copy of the output from remote host and to be able to type commands into shared terminal session. One user at the time can type commands to the remote host (shared session means shared keyboard and shared screen), otherwise remote host will be confused. Local User at the Proxy32 terminal can switch Remote users into "read only" mode when they will receive output from remote host but they cannot type commands to the host.

TELNET server: Unlimited number of remote users (telnet clients). No authentication, no encryption. Remote user needs to know only "sharing" TCP port number to connect to Proxy32 terminal session. But the port number is random by default, so Local User has to supply this information to Remote User before Remote User can connect to the terminal of Local User.
TELNET/TLS server (TELNET protocol over Transport Layer Security protocol): Unlimited number of remote users (telnet/TLS clients). Certificate authentication (server only or both server and client). Encryption is implemented by Microsoft Windows SCHANNEL library (that is also used for TLS part of HTTPS by MS Internet Explorer). Remote user initially needs to know "sharing" TCP port number to connect to Proxy32 terminal session. After TCP connection is established, both parties will validate each other's certificates (digital IDs) and (if validation is successful) proceed to cipher negotiation. When Cipher is negotiated, encryption starts and then TELNET connection is established inside of already encrypted TLS/TCP pipe.
Serial (COM-PORT): One remote user (serial Terminal). No authentication, no encryption. Remote user needs to know only "sharing" COM-PORT number and settings to connect to Proxy32 terminal session. Useful to connect over Bluetooth COM-PORT link to share Terminal session between two computers that are IP-isolated by firewalls or by infrastructure.

2.1. Step 1

Create terminal and connect it to remote equipment. This is terminal session that will be shared.

Fig.2 Terminal of the shared session (above) and terminal that will be used to connect to shared session (below) are both ready to use.

2.2. Step 2

Obtain information that remote users will need to connect to the shared session (to the terminal created on Step 1). Shared session owner should open drop-down list (reference 10) in the shared terminal and select desired item in this list.

This drop-down list contains information how to connect to this terminal window to share its session

Text of the selected item is copied to clipboard to make it easy to paste it into text message or e-mail and send this info to the remote user who will use this info to connect to the shared session. Content of the list has 3 parts separated by horizontal lines. Upper part contains TCP port number that should be used to connect to the shared session (each shared session - aka terminal window - has its own unique port number). Middle part of the list contains list of the IP addresses which can be used to connect to the shared session. Bottom part of the list contains all possible combinations "protocol/IP-address/port" that can be used to connect to the shared session. Protocol can be either TELNET or TELNET-TLS depending on the state of the button "TLS on/off" (reference 9).

This button toggles TLS mode

List of IP addresses can contain single IP address 127.0.0.1 if option "TSS Server listens only on loopback IP" is turned on in the terminal menu "Control/Sharing Terminal Session with other users/TELNET/TLS SERVER". Drop-down list contains information about different combinations so that owner of the shared session can choose which list element he/she wants to copy to clipboard for sending to remote user. List content is refreshed every time when it is opened. Next time drop-down list is opened, list of IP addresses or protocol may be different if configuration of the terminal or the computer has changed. User also has to make sure that option "TSS Server denies new connections" in terminal menu is not enabled. When TELNET-TLS is used for terminal session sharing, it may be necessary to set parameters for TLS protocol, including selection of the certificate that will be used to authenticate session sharing connection.

Fig.3 Owner of the shared session copies to clipboard (by selecting it from the drop-down list) line "telnet belous-PC 64382" that is needed for connection to the shared session .

Telnet server in each terminal window is using its own unique TCP port number in order to receive connection requests coming from telnet terminals of the remote users. Therefore, by choosing connection port number remote user can choose to which terminal window of the main user he/she will be connected.

By default, in Proxy32 when the new terminal window is created TCP port number for the built-in telnet server is selected from the list of available ports that is kept in the system. If several windows of the built-in terminal created one by one then TCP port numbers for those windows may happen to be sequential. When window of the built-in terminal is closed, TCP port number that is used by this window is freed and later can be assigned to one of the newly created windows. By default, user doesn’t have control over the port numbers assigned to the newly created terminal windows. When telnet server is located behind the firewall user can choose an option when every newly created window will try to use the same fixed initial port number, for example, 1300. If this port number is available, it will be used and if it is already assigned then window will try to use next port number, 1301. This process will continue by increasing port number by one every time until available port will be found and used. Next created terminal window will use the same algorithm for the port number selection. As a result, all newly created terminal windows will have port numbers in the range 1300 and above assuming that this port range is available in the system. User can turn on and off this port selection algorithm. Also, user can choose initial port number that is set by default to 1300. Those settings are located in the menu “Settings/Initial Terminal Settings/Terminal Session Sharing” in the LauncherTree window. Default value of the initial port number is selected for Windows XP. If Proxy32 is running on the other Windows operational systems initial port number may have to be corrected, so that its value will get into the range of the free ports that are available for use in this particular Windows operational system. If Proxy32 is running behind the firewall port range that is used by the built-in terminal windows (in our example this is the port range starting from 1300 and above) has to be open in the firewall to let remote users connect to the terminal windows.

2.3. Step 3

Remote user connects to shared session using information received from the owner of the shared session. If remote user received from the owner of the shared session line "telnet belous-PC 64382", that is copied from the drop-down list in the shared terminal, then he/she can paste this line into his/her bash terminal and press "Enter" key to connect to shared session. When TELNET-TLS is used for terminal session sharing, it may be necessary to set parameters for TLS protocol, including selection of the certificate that will be used to authenticate session sharing connection.

Fig.4 Remote user pastes line "telnet belous-PC 64382", that is needed to connect to the shared session, at the bash prompt ("Enter" key is not yet pressed).

2.4. Step 4

Owner of the shared session is notified when remote user has connected to the shared session. This information appears as the message in the window of the shared terminal. In addition, list of all remote users connected to the shared session is contained in the drop-down list (reference 11) in the lower part of the window of the shared terminal.

This drop-down list conains list of remote users with whom this terminal session is shared

Fig.5. By pressing "Enter" key remote user has connected to shared session and owner of the shared session is notified when remote user has connected to the shared session.

2.5. Step 5

Owner of the shared session and remote user connected to the shared session can type commands in turn into the shared session. Command execution results are printed simultaneously into both terminals.

Fig.6. Owner of the shared session or remote user connected to the shared session has typed "pwd" command at the prompt of the shared session and received printout of command execution results into both terminals.

2.6. Step 6

Remote user disconnects from the shared session by disconnecting his/her terminal (for example, by pressing "Ctrl-]", and then typing "quit" at the "telnet>" prompt). Owner of the shared session is notified when remote user has disconnected from the shared session. This information appears as the message in the window of the shared terminal. In addition, list of all remote users connected to the shared session is contained in the drop-down list (reference 11) in the lower part of the window of the shared terminal. Owner of the shared session can disconnect remote user (or prevent him/her from typing into shared session) by using commands in the terminal menu.

Fig.7. Remote user has disconnected telnet link from shared session and owner of the shared session is notified when remote user has disconnected from the shared session.

Create new terminal window and connect it to remote equipment (LeftDoubleClick on any TERMINAL Launcher on the LauncherTree). In practical situations, one, probably, would want to use existing Terminal session window that is already connected to some real remote equipment. In this example terminal is connected to local CYGWIN bash shell (we have used SHELL-TERMINAL Launcher with command line proxycygterm.exe -s '/usr/bin/bash -i -l'). This is terminal session (terminal window) that will be shared.
For convenience (it is not required, but helpful for our example) change shell prompt (to shared session prompt>) to identify shared terminal session easier (in our case we are sharing local CYGWIN bash shell session, so we can change shell prompt). Our goal is to be able to type to this prompt from another terminal window that is connected to shared terminal window via TELNET-TLS connection.
Toggle TLS mode on (click on the second from the right terminal button - it will show "closed lock" picture when TLS mode is on)
Extract info (ip/port) needed to connect to the shared session by opening drop-down list next to the button that shows "closed lock" picture. In our case we can use local loopback IP=127.0.0.1 (as both shared window and window that connects to shared window will be both running on the same PC) and port is 49282.

3.2. Step 2: Prepare TERMINAL Launcher with information needed to connect to shared terminal session window

RightClick on the empty space in LauncherTree window (in the Tree section) and select Add Launcher to the Tree/Add TELNET-TERMINAL Launcher from the RightClick popup menu. You will see TELNET-TERMINAL Launcher Edit dialog window.
In the TELNET-TERMINAL Launcher Edit dialog window insert IP address = 127.0.0.1, port = 49282 and select check mark Use TLS+Telnet
Click OK button to close TELNET-TERMINAL Launcher Edit dialog window and create TELNET-TERMINAL Launcher.

TELNET-TERMINAL Launcher Edit dialog window - populated according to our requirements

TELNET-TERMINAL Launcher that was created (appended at the bottom of LauncherTree) after closing TELNET-TERMINAL Launcher Edit dialog window

3.3. Step 3: DoubleClick on TELNET-TERMINAL Launcher to connect to shared terminal session window

DoubleClick on TELNET-TERMINAL Launcher. You will see new terminal window created and connected to existing shared terminal session window via TLS-TELNET handshake.
TLS-TELNET server in the shared window reports parameters of the new TLS connection and (because this TLS-TELNET handshake/connection has succeeded) this report is also visible in the new terminal window that is connected to shared window via TLS-TELNET.


========================================
PROXYTERM: Client is Connected
========================================
TLS:127.0.0.1/49296 Local = 127.0.0.1/49282
========================================

===========================================
New TLS Split_IP client started TLS handshake
===========================================
TLS_Server: Protocol: TLS1.0
TLS_Server: Cipher: AES
TLS_Server: Cipher strength: 128
TLS_Server: Hash: SHA1
TLS_Server: Hash strength: 160
TLS_Server: Key exchange: RSA
TLS_Server: Key exchange strength: 2048

===========================================
New TLS Split_IP client finished TLS handshake
===========================================

New Terminal window (on the bottom) is connected to shared session (on the top) via TLS-Telnet handshake after DoubleClick on TELNET-TERMINAL Launcher

Default settings for Windows Vista are TLS1.0 (Win7+ uses TLS1.2 by default) and AES128/SHA1. Default setting for proxy32 TLS server is to generate self-signed temporary RSA certificate with key length 2048 on every start of proxy32. This certificate is used for TLS key exchange. But this certificate cannot be used for TLS authentication as it is self-signed. So in this case no authentication is taking place (which makes such TLS handshake vulnerable to man-in-the-middle-attack as in the case of regular use of ssh). Temporary RSA certificate keys and temporary session keys for AES128 are generated by default windows libraries using default cryptograpic provider (and by its default random number generator) that is installed on particular version of Windows where proxy32 is running.
Information about new TLS-Telnet client is added to drop-down list in shared terminal window.

Information about new TLS-Telnet client is added to drop-down list in shared terminal window

3.4. Step 4: Typing commands from new terminal window into to shared terminal session window via TLS-telnet connection

One can type commands either from top or from bottom terminal window
Terminal output appears in both terminal windows.
Drop down list of connected clients in shared terminal window shows which of the connected clients is typing at any given moment.
Communication between two windows is done via TLS-TELNET connection. In practical situations, first terminal window (top) may belong to Tier 1 support engineer and the second terminal window (bottom) may belong to Tier 2 support engineer and they can be located in different countries.

Typing commands from new terminal window into to shared terminal session window via TLS-telnet connection

3.5. Step 5: Disconnecting new terminal window from shared terminal session window

By closing bottom terminal window its owner will disconnect from shared terminal session (top window).
TLS-TELNET sharing server will report about disconnect in the shared terminal window.


===========================================
Shutting down TLS encrypted pipe from our TLS_Server side
===========================================





========================================
PROXYTERM: Client is Disconnected
========================================
TLS:127.0.0.1/49296 Local = 127.0.0.1/49282
========================================

Report in shared window after client (bottom window) was disconnected by closing its window

If owner of the shared window wants to stop sharing his terminal session, he/she can select Control/Sharing Terminal Session with other users/TELNET/TLS SERVER/Disconnect all clients or Control/Sharing Terminal Session with other users/TELNET/TLS SERVER/Disconnect selected client from terminal menu. Second option disconnects client selected in the drop-down list of connected clients. Such client can aslo be put in read-only mode (cannot type but will see terminal output) by selecting Control/Sharing Terminal Session with other users/TELNET/TLS SERVER/Flip ReadOnly mode for selected client from terminal menu.

Terminal menu commands that can be used in sharing window to disconnect clients connected to sharing window

Index

Terminal Session Sharing

Sergey A. Belous

October 2nd 2016