Provided by: spiped_1.6.3-1_amd64 
NAME
spiped - secure pipe daemon
SYNOPSIS
spiped {-e | -d} -s <source socket> -t <target socket> -k <key file>
[-DFj] [-b <bind address>] [-f | -g] [-n <max # connections>]
[-o <connection timeout>] [-p <pidfile>] [-r <rtime> | -R] [--syslog]
[-u <username> | <:groupname> | <username:groupname>]
spiped -v
OPTIONS
-e Take unencrypted connections from the source socket and send encrypted connections to the target
socket.
-d Take encrypted connections from the source socket and send unencrypted connections to the target
socket.
-s <source socket>
Address on which spiped should listen for incoming connections. The accepted formats are the same
as the ones accepted by target socket. Note that contrary to target socket hostnames are resolved
when spiped is launched and are not re-resolved later; thus if DNS entries change spiped will
continue to accept connections at the expired address.
-t <target socket>
Address to which spiped should connect. Must be in one of the following formats:
• /absolute/path/to/unix/socket
• host.name:port
• [ip.v4.ad.dr]:port
• [ipv6::addr]:port
Hostnames are re-resolved every rtime seconds.
-k <key file>
Use the provided key file to authenticate and encrypt. Pass "-" to read from standard input.
-b <bind address>
Bind the outgoing address. If this is a network address, the port number may either be specified
or left to the operating system. If you specify the port number, the operating system will not
permit you to open a second connection until the first one has completely expired (i.e. the TCP
state is no longer in the TIME-WAIT state).
-D Wait for DNS. Normally when spiped is launched it resolves addresses and binds to its source
socket before the parent process returns; with this option it will daemonize first and retry
failed DNS lookups until they succeed. This allows spiped to launch even if DNS isn't set up yet,
but at the expense of losing the guarantee that once spiped has finished launching it will be
ready to create pipes.
-f Use fast/weak handshaking: This reduces the CPU time spent in the initial connection setup by
disabling the Diffie-Hellman handshake, at the expense of losing perfect forward secrecy.
-g Require perfect forward secrecy by dropping connections if the other host is using the -f option.
-F Run in foreground. This can be useful with systems like daemontools.
-j Disable transport layer keep-alives. (By default they are enabled.)
-n <max # connections>
Limit on the number of simultaneous connections allowed. A value of 0 indicates that no limit
should be imposed; this may be inadvisable in some circumstances, since spiped will terminate if
it fails to allocate memory for handling a new connection. Defaults to 100 connections.
-o <connection timeout>
Timeout, in seconds, after which an attempt to connect to the target or a protocol handshake will
be aborted (and the connection dropped) if not completed. Defaults to 5s.
-p <pidfile>
File to which spiped's process ID should be written. Defaults to source socket.pid (in the
current directory if source socket is not an absolute path). No file will be written if -F (run
in foreground) is used.
-r <rtime>
Re-resolve the address of target socket every rtime seconds. Defaults to re-resolution every 60
seconds.
-R Disable target address re-resolution.
--syslog
After daemonizing, send warnings to syslog instead of stderr. Has no effect if -F (run in
foreground) is used.
-u <username> | <:groupname> | <username:groupname>
After binding a socket, change the user to username and/or the group to groupname.
-v Print version number.
SIGNALS
spiped provides special treatment of the following signals:
SIGTERM
On receipt of the SIGTERM signal spiped will stop accepting new connections and exit once there
are no active connections left.
SEE ALSO
spipe(1).
spiped 1.6.3 January 25, 2025 SPIPED(1)