
Securely allowing just one application via telnet - FreeBSD


  1. #1

    Securely allowing just one application via telnet

    If I want to allow external users to log on under only one permissible
    username, which immediately and unconditionally executes only one
    program (no shell access), via telnet, what is the most secure way to
    set this up? I've always understood telnet to be somewhat of a
    Pandora's box for security, but I don't know if that applies to the
    protocol itself, or to telnetd, or if it just refers to the many dangers
    of shell access, or what. If there is a way to secure this type of
    access, I'd like to try it on my test server (I won't risk the
    production server, of course), as an exercise in setting up custom
    environments.

    Any suggestions on how best to do this securely?

    If a specific user is restricted to a specific program at login (via
    /etc/passwd), is there _any_ way he can sneak out to a shell, assuming
    that the program he is forced to run does _not_ provide shellout access?

    --
    Anthony



  2. #2

    Re: Securely allowing just one application via telnet

    On Tue, 5 Apr 2005, Anthony Atkielski wrote:

    Sure there is. If there is any possibility of a buffer overflow error in
    that one program you let your users run, or "login" for that matter.

    But, running the program as a login shell could at least minimize the
    possibilities I guess. Not that I've tried it myself. Go read about
    chroot and jail in the manpages and you'll think of something.

    /andreas

    --
    A: Because it fouls the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
    A: Top-posting.
    Q: What is the most annoying thing on usenet and in e-mail?

  3. #3

    Re: Securely allowing just one application via telnet

    Anthony,

    "Securely" and "telnet" is an oxymoron. This is mainly because any
    data, including passwords, sent through a non-encrypted connection, can
    be sniffed by anyone who can access any of the intervening networks.
    Your question is really very open-ended and vague. The correct question
    may be "I need to facilitate FOO." and then go about solving that. When
    you ask "I need to do something with telnet," I am inclined to say "I
    bet you are asking the wrong question."

    One (easier) way is to use a traditional login shell and set the config
    file to pass execution to your application. For example, if the user is
    set to use csh, you can put "exec fooprog" in his .login. An advantage
    of this is that you can set environment variables and stuff before
    handing execution to this application. If you do this, and you can not
    trust your user (he's using telnet, so his password is easy to steal),
    then you want to look at how your development system handles signals.
    You don't want him sending some clever signal to your system that lets
    him sneak out into something else.

    That said, if you set a user's shell (see /etc/master.passwd and the
    excellent pw program) to your executable, then that is the program that
    will be executed as the user's login shell.

    (I once set up a user on my system to launch freeciv on the remote
    terminal so some friends and I could play this game in my dorm
    laboratory from the workstation in my dorm room. I think I just set the
    shell init file to "exec freeciv" and disabled the user when we weren't
    playing games. :)

    Another way is to put the program in inetd.conf ... you just telnet to
    some port, and things happen. This is like putting the program in as
    the user shell, but there are fewer insecure layers (telnet tends to
    have security advisories crop up), though you won't have telnet asking
    for a password for you.

    Anyway, good luck.

    Sincerely,
    -danny

    --
    http://dannyman.toldme.com/

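A worked version of the "set the user's shell to your executable" approach from the post above, added here as an example; it is not code from Danny's post, from Anthony, or from FreeBSD. write_login_wrapper generates the script that goes in the account's shell field: it execs exactly one program and refuses any invocation that carries arguments (the "shell -c command" form an ssh forced command or rsh would hand to a real shell), ignoring INT/QUIT/TSTP until the exec so the user cannot interrupt the wrapper itself, which is the signal problem Danny raises for the .login variant. check_shell_field inspects the last field of a master.passwd line so the account never ends up with csh or sh by mistake. The program path /usr/local/bin/fooprog, the wrapper path /usr/local/bin/fooprog-login, the user name anthony and the uid/gid 1001 are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a restricted login
# shell for a one-program account, generated by write_login_wrapper, and a
# check for the shell field of a master.passwd line. The program path
# /usr/local/bin/fooprog and the account "anthony" are illustrative.

# write_login_wrapper TARGET OUT
# Write a wrapper script to OUT that execs TARGET and nothing else. OUT is
# what goes in the user's shell field (pw usermod anthony -s OUT). It must
# be owned by root and not writable by the account.
write_login_wrapper() {
    target=$1
    out=$2
    # Only a plain absolute path is accepted; anything else could break the
    # single-quoted exec line below or point at a relative, PATH-dependent file.
    case $target in
        /*) ;;
        *)  echo "write_login_wrapper: target must be an absolute path" >&2; return 1 ;;
    esac
    case $target in
        *[!A-Za-z0-9_./-]*) echo "write_login_wrapper: unsafe characters in target" >&2; return 1 ;;
    esac
    cat >"$out" <<EOF
#!/bin/sh
# Restricted login shell: run $target and nothing else.
# Ignore keyboard signals until exec so the user cannot interrupt or suspend
# the wrapper itself (the program inherits the ignores and may reset them).
trap '' INT QUIT TSTP
# login(1) starts a login shell with no arguments. Anything else, e.g. the
# "shell -c command" form sshd or rsh would use, is a request for a shell
# feature this account does not have, so refuse it.
[ \$# -eq 0 ] || { echo 'restricted account: one program only' >&2; exit 1; }
# Fixed, minimal environment: nothing inherited from the connection decides
# what runs or how the shell parses.
PATH=/bin:/usr/bin; export PATH
unset IFS ENV BASH_ENV CDPATH
cd "\${HOME:-/}" 2>/dev/null || cd /
exec '$target'
EOF
    chmod 0555 "$out"
}

# check_shell_field PASSWD_LINE
# Return 0 if the last field (the shell) is an absolute path and not a
# general-purpose shell; an account given a wrapper should never end up
# with csh or sh by mistake.
check_shell_field() {
    shell=${1##*:}
    case $shell in
        /*) ;;
        *)  return 1 ;;
    esac
    case ${shell##*/} in
        sh|csh|tcsh|bash|zsh|ksh|dash|fish) return 1 ;;
    esac
    return 0
}

# Demo: "sh thisfile --demo" writes the wrapper to a temp dir and shows the
# accepted (no-argument) and refused (-c) invocations against /bin/true.
if [ "${1-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_login_wrapper /bin/true "$dir/fooprog-login"
    sh "$dir/fooprog-login" && echo "no arguments: program ran"
    sh "$dir/fooprog-login" -c id || echo "-c id: refused"
    check_shell_field 'anthony:*:1001:1001::0:0:Anthony:/home/anthony:/bin/csh' \
        || echo "shell field /bin/csh: rejected"
    rm -rf "$dir"
fi
```

Install the generated file root-owned, mode 0555, and point the account at it with pw usermod anthony -s /usr/local/bin/fooprog-login. What the wrapper does not cover is the part of Anthony's question that depends on the program: once fooprog is running, getting to a shell is a property of fooprog (a shellout feature, or the buffer overflow Andreas mentions), and with telnet the password still crosses the wire in clear as Danny says.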

  4. #4

    Re: Securely allowing just one application via telnet

    Danny Howard wrote:
    Also keep in mind that starting an SSH tunnel can allow you to do many
    things. One that comes to mind (and I think the handbook explains
    it) is mail. Setting up routines that make use of an SSH tunnel is not
    hard to do.

    Best regards,
    Chris
