Date: Tue, 05 Apr 2005 12:51:34 -0500
From: Chris <racerx@makeworld.com>
To: Danny Howard <dannyman@toldme.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Securely allowing just one application via telnet
Message-ID: <4252D026.40703@makeworld.com>
In-Reply-To: <4252CED8.8030802@toldme.com>
References: <1183736361.20050405031743@wanadoo.fr> <4252CED8.8030802@toldme.com>
Danny Howard wrote:
> Anthony,
>
> "Securely" and "telnet" is an oxymoron. This is mainly because any
> data, including passwords, sent through a non-encrypted connection,
> can be sniffed by anyone who can access any of the intervening
> networks. Your question is really very open-ended and vague. The
> correct question may be "I need to facilitate FOO." and then go about
> solving that. When you ask "I need to do something with telnet," I am
> inclined to say "I bet you are asking the wrong question."
>
> One (easier) way is to use a traditional login shell and set the
> config file to pass execution to your application. For example, if
> the user is set to use csh, you can put "exec fooprog" in his .login.
> An advantage of this is that you can set environment variables and
> stuff before handing execution to this application. If you do this,
> and you can not trust your user (he's using telnet, so his password is
> easy to steal), then you want to look at how your development system
> handles signals. You don't want him sending some clever signal to
> your system that lets him sneak out into something else.
>
> That said, if you set a user's shell (see /etc/master.passwd and the
> excellent pw program) to your executable, then that is the program
> that will be executed as the user's login shell.
>
> (I once set up a user on my system to launch freeciv on the remote
> terminal so some friends and I could play this game in my dorm
> laboratory from the workstation in my dorm room. I think I just set
> the shell init file to "exec freeciv" and disabled the user when we
> weren't playing games. :)
>
> Another way is to put the program in inetd.conf ... you just telnet to
> some port, and things happen. This is like putting the program in as
> the user shell, but there are fewer insecure layers (telnet tends to
> have security advisories crop up), but you won't have telnet asking for
> a password for you.
>
> Anyway, good luck.
>
> Sincerely,
> -danny
>

Also keep in mind that starting an SSH tunnel can allow you to do many
things. One that comes to mind (and I think the handbook explains it) is
mail. Setting up routines that make use of an SSH tunnel is not hard to do.

Best regards,
Chris
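As an added example (not code from this thread, and not part of FreeBSD), here is a small POSIX sh wrapper that does what Danny describes: it is installed as the user's login shell with pw, refuses any invocation other than a plain login, hands the program a fixed environment, and ignores the terminal signals he warns about before exec'ing the application. The names fooprog, fooshell, fooport, the user anthony and the /usr/local/bin paths are assumed; pw usermod -s and the inetd.conf field order are real FreeBSD interfaces.

```shell
#!/bin/sh
# fooshell: a login-shell wrapper that hands the whole session to one program.
# Added example; fooprog, fooshell, fooport and the user name are assumed.
# Install:  cp fooshell /usr/local/bin/ && chmod 755 /usr/local/bin/fooshell
#           echo /usr/local/bin/fooshell >> /etc/shells
#           pw usermod anthony -s /usr/local/bin/fooshell
# inetd variant (same wrapper, no login prompt; needs a "fooport" line in
# /etc/services). argv[0] is given as "-fooshell" so the wrapper treats the
# connection as a login session:
#   fooport stream tcp nowait anthony /usr/local/bin/fooshell -fooshell

APP="${FOOSHELL_APP:-/usr/local/bin/fooprog}"   # assumed path of the real program

# Only a plain login invocation is allowed. Remote-command tools run the login
# shell as "fooshell -c 'cmd'"; refusing any argument keeps the account from
# being used to run anything other than APP.
fooshell_accept_args() {
    [ "$#" -eq 0 ]
}

# Build a fixed environment for APP. Values are passed in explicitly so that
# nothing the client negotiated through telnet/ssh environment passing
# (PATH, LD_LIBRARY_PATH, IFS, ...) reaches the program.
fooshell_sanitized_env() {
    home=$1 user=$2 term=$3
    printf 'PATH=/bin:/usr/bin HOME=%s USER=%s TERM=%s SHELL=%s' \
        "$home" "$user" "$term" "/usr/local/bin/fooshell"
}

fooshell_main() {
    if ! fooshell_accept_args "$@"; then
        echo "fooshell: this account runs only one program" >&2
        exit 1
    fi
    # Ignore the keyboard signals a user can send from the terminal. A
    # disposition of "ignore" survives exec(), so APP is not interrupted or
    # suspended by ^C, ^\ or ^Z unless it deliberately re-enables them.
    # SIGHUP is left alone so APP dies when the connection drops.
    trap '' INT QUIT TSTP
    cd "$HOME" || exit 1
    # env -i starts from an empty environment. Word-splitting the printf output
    # is intended; the values come from the password database and login(1),
    # which are assumed to contain no whitespace.
    exec env -i $(fooshell_sanitized_env "$HOME" "$USER" "${TERM:-vt100}") "$APP"
}

# login(1) and telnetd invoke the shell with argv[0] prefixed by "-". Only
# then act as the login shell, so running this file any other way does nothing.
case "$0" in
    -*) fooshell_main "$@" ;;
esac
```

The signal handling is the part that matters for the "sneak out into something else" concern: because the wrapper execs the program instead of running it as a child, there is no shell left to fall back into, and the ignored dispositions stop the user from interrupting or suspending the program to reach one. The wrapper does nothing about the cleartext password problem Danny opens with; that is what the SSH tunnel in the reply above addresses.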
