From owner-freebsd-questions@FreeBSD.ORG Tue Apr 5 17:46:07 2005
From: Danny Howard
Date: Tue, 05 Apr 2005 10:46:00 -0700
To: freebsd-questions@freebsd.org
Subject: Re: Securely allowing just one application via telnet
Message-ID: <4252CED8.8030802@toldme.com>
In-Reply-To: <1183736361.20050405031743@wanadoo.fr>

Anthony,

"Securely" and "telnet" are an oxymoron. This is mainly because any data, including passwords, sent through a non-encrypted connection can be sniffed by anyone who can access any of the intervening networks.

Your question is really very open-ended and vague. The correct question may be "I need to facilitate FOO," and then go about solving that. When you ask "I need to do something with telnet," I am inclined to say "I bet you are asking the wrong question."

One (easier) way is to use a traditional login shell and set the config file to pass execution to your application. For example, if the user is set to use csh, you can put "exec fooprog" in his .login. An advantage of this is that you can set environment variables and stuff before handing execution to this application.

If you do this, and you cannot trust your user (he's using telnet, so his password is easy to steal), then you want to look at how your development system handles signals. You don't want him sending some clever signal to your system that lets him sneak out into something else.

That said, if you set a user's shell (see /etc/master.passwd and the excellent pw program) to your executable, then that is the program that will be executed as the user's login shell.

(I once set up a user on my system to launch freeciv on the remote terminal so some friends and I could play this game in my dorm laboratory from the workstation in my dorm room. I think I just set the shell init file to "exec freeciv" and disabled the user when we weren't playing games. :)

Another way is to put the program in inetd.conf ... you just telnet to some port, and things happen. This is like putting the program in as the user shell, but there are fewer insecure layers (telnet tends to have security advisories crop up), though you won't have telnet asking for a password for you.

Anyway, good luck.

Sincerely,
-danny
-- 
http://dannyman.toldme.com/
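The "shell that just execs the application" approach from the reply, written out as an added example that is not part of the original mail or of any FreeBSD code: a script to install as the user's login shell with pw(8), which ignores the terminal signals the mail warns about before handing over to the application. The names fooshell, fooprog and the user fooplayer are placeholders.

```sh
#!/bin/sh
# Added example, not from the mail: a minimal application-only login shell
# in the spirit of "exec fooprog". All paths and names are placeholders.
#
# Install:  cp fooshell /usr/local/bin/fooshell; chmod 755 /usr/local/bin/fooshell
#           pw usermod fooplayer -s /usr/local/bin/fooshell
# login(1) then starts this script as the user's shell, with no arguments.

APP=${APP:-/usr/local/bin/fooprog}

# run_app replaces the shell process with the application. Before the exec it
# sets INT, QUIT, TSTP and HUP to "ignore"; ignored dispositions survive
# exec(2), so the application starts with them ignored as well, and there is
# no window during startup in which ^C or ^Z drops the user into a shell.
run_app() {
    # A login shell is started without arguments. "-c cmd" style arguments
    # mean something other than login(1) is driving us, so refuse them.
    if [ $# -gt 0 ]; then
        echo "restricted shell: arguments are not permitted" >&2
        return 1
    fi
    trap '' INT QUIT TSTP HUP
    # Start from an empty environment so nothing the client managed to set
    # (LD_PRELOAD, ENV, ...) reaches the application; pass only what it needs.
    exec env -i HOME="$HOME" TERM="${TERM:-vt100}" PATH=/usr/bin:/bin "$APP"
}

# Run only when installed and invoked as the login shell (argv[0] is
# "-fooshell" or a path ending in fooshell), not when sourced elsewhere.
case $0 in
    *fooshell) run_app "$@" ;;
esac
```

Because the process image is replaced rather than spawned, a user who gets the application to exit lands back at login, not in a shell.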