From owner-freebsd-questions  Fri Jun 18 14:51:28 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from ns.clientlogic.com (ns.clientlogic.com [207.51.66.75])
	by hub.freebsd.org (Postfix) with ESMTP id 4C3D214D52
	for ; Fri, 18 Jun 1999 14:51:25 -0700 (PDT)
	(envelope-from ChrisMic@clientlogic.com)
Received: by site0s1 with Internet Mail Service (5.5.2448.0)
	id ; Fri, 18 Jun 1999 17:51:25 -0400
Message-ID: <6C37EE640B78D2118D2F00A0C90FCB44011059CC@site2s1>
From: Christopher Michaels
To: 'Ken McGlothlen' , questions@FreeBSD.ORG
Subject: RE: Trying to use telnetd.
Date: Fri, 18 Jun 1999 17:53:12 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Almost correct... lose the -debug 8080 though. The whole purpose of
specifying the port in inetd.conf is so it knows what port to run the
daemon on. So it should be...

    goomba stream tcp nowait root /usr/libexec/telnetd telnetd

Now, if security is an issue, install ssh, and force your friend to use
ssh instead. Also (of course) make sure that you don't have any
passwordless accounts, although there is an option in ssh to deny login
for passwordless accounts.

OR, you could configure telnetd with tcpwrappers and only allow telnets
from his host.

OR, you could set up ipfw or ipfilter and deny all traffic on port 8080
except from his host.

So you see, you have several different ways to approach this issue.

-Chris

> -----Original Message-----
> From:	Ken McGlothlen [SMTP:mcglk@serv.net]
> Sent:	Friday, June 18, 1999 5:43 PM
> To:	questions@FreeBSD.ORG
> Subject:	Re: Trying to use telnetd.
>
> dwhite@resnet.uoregon.edu (Doug White) writes:
>
> | mcglk@serv.net (that's me) writes:
> | > Under 2.2.1-RELEASE [...], all he had to do was call me up, I'd su to root
> | > and run
> | >
> | >     /usr/libexec/telnetd -debug 8080
> | >
> | > and then he'd telnet to my machine, port 8080, and be on.  Even better, it
> | > turned out that only one login was permitted at the port, so it was a
> | > fairly nice on-demand moderately secure way of getting him in.
> | >
> | > Unfortunately, this no longer seems to work.  What happens is that when I
> | > set up the telnetd, this happens at the login:
> | >
> | >     $ telnet localhost 8080
> | >
> | >     FreeBSD/i386 (unka.dunka.doo) (ttypi)
> | >
> | >     login: -h option: Operation not permitted
> |
> | Note that login is an actual program; see login(1).
> |
> | I'm guessing that root-ness is getting eaten by telnetd.  Or something.
> |
> | Why not just drop this into inetd.conf?
>
> First, sorry for the long excerpt.
>
> The reason I don't want to drop this into inetd.conf is that I don't want to
> leave this port open all the time for telnet access; just as an on-demand sort
> of thing.  But if that's not possible . . . let's explore this a bit.
>
> So what I'd have to do, if I were pursuing this, would be to add the following
> to /etc/services
>
>     goomba 8080/tcp # Special firewall login spigot
>     goomba 8080/udp
>
> and then the following to /etc/inetd.conf
>
>     goomba stream tcp nowait root /usr/libexec/telnetd telnetd -debug 8080
>
> Would that be correct?
>
> | I'm guessing login is checking the uid and not the euid of the process.  It
> | notices that the uid is yours (as a user) and pukes.  It might work if you
> | log in as root (not su) and then run it.
>
> Hm.  That would require opening up a bunch of terminals in /etc/ttys.  Not sure
> I really want to do that.  Maybe if I could log into a *specific* terminal, but
> I don't know how to do that.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
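The restricted setup Chris outlines above (a named port in /etc/services, the plain telnetd line in inetd.conf with no -debug 8080, tcpwrappers admitting one host, and ipfw dropping connection attempts from everyone else), as an added example that is not part of the thread and not anyone's posted code. It assumes the friend's host is 192.0.2.10 (a placeholder), that inetd has built-in TCP wrapper support (FreeBSD's inetd -w; with an external tcpd the server path in inetd.conf changes instead), and that ipfw is the packet filter in use. It writes everything to a staging directory rather than touching /etc, and refuses a non-dotted-quad address so that a typo such as "ALL" cannot silently become a wildcard in hosts.allow:

```shell
#!/bin/sh
# Added example (not from the thread): stage the configuration Chris
# describes for a port-8080 telnetd that only one remote host may reach.
# Nothing here edits /etc; the pieces are written to a staging directory
# for review. 192.0.2.10 is an assumed placeholder for the friend's host.

FRIEND=${FRIEND:-192.0.2.10}   # assumed address of the single allowed host
PORT=8080
SVC=goomba

# Only accept a dotted-quad. A typo like "ALL" would otherwise turn the
# hosts.allow rule into a wildcard that lets everyone in.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# /etc/services: give the port a name so inetd.conf can refer to it.
services_line() {
    printf '%s\t%s/tcp\t# on-demand login port\n' "$SVC" "$PORT"
}

# /etc/inetd.conf: no "-debug 8080" here; inetd already owns the port.
inetd_line() {
    printf '%s\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' "$SVC"
}

# /etc/hosts.allow: TCP wrappers match on the daemon's argv[0] ("telnetd").
# Assumes an inetd with built-in libwrap support (inetd -w on FreeBSD).
hosts_allow_rules() {
    printf 'telnetd : %s : allow\n' "$1"
    printf 'telnetd : ALL : deny\n'
}

# ipfw: accept connection setup only from the friend's host, drop the rest.
# "setup" matches only the initial SYN, so existing sessions are untouched.
ipfw_rules() {
    printf 'ipfw add 1000 allow tcp from %s to any %s setup in\n' "$1" "$PORT"
    printf 'ipfw add 1010 deny tcp from any to any %s setup in\n' "$PORT"
}

# Write every piece into $1 after validating the address; returns 1 on a bad one.
stage() {
    dir=$1
    valid_ipv4 "$FRIEND" || { echo "refusing to stage: bad address '$FRIEND'" >&2; return 1; }
    mkdir -p "$dir" || return 1
    services_line               > "$dir/services.add"
    inetd_line                  > "$dir/inetd.conf.add"
    hosts_allow_rules "$FRIEND" > "$dir/hosts.allow"
    ipfw_rules "$FRIEND"        > "$dir/ipfw.sh"
    echo "staged telnetd restriction for $FRIEND in $dir"
}

# Usage: STAGE_DIR=/tmp/telnetd-stage FRIEND=192.0.2.10 sh restrict-telnetd.sh
if [ -n "${STAGE_DIR:-}" ]; then
    stage "$STAGE_DIR"
fi
```

The two layers are independent: hosts.allow is consulted by inetd after the TCP handshake and before telnetd runs, while the ipfw pair refuses the SYN in the first place, so the port shows as filtered rather than open to anyone but the allowed host. Either one alone gives the restriction Chris describes; both together cover the case where one of them is misconfigured.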