From owner-freebsd-questions@FreeBSD.ORG  Tue Apr  5 01:17:45 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9A4FE16A55C
	for <freebsd-questions@freebsd.org>;
	Tue,  5 Apr 2005 01:17:45 +0000 (GMT)
Received: from smtp9.wanadoo.fr (smtp9.wanadoo.fr [193.252.22.22])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2DA6B43D2F
	for <freebsd-questions@freebsd.org>;
	Tue,  5 Apr 2005 01:17:45 +0000 (GMT)
	(envelope-from atkielski.anthony@wanadoo.fr)
Received: from me-wanadoo.net (localhost [127.0.0.1])
	by mwinf0907.wanadoo.fr (SMTP Server) with ESMTP id DBF611C00143
	for <freebsd-questions@freebsd.org>;
	Tue,  5 Apr 2005 03:17:43 +0200 (CEST)
Received: from pix.atkielski.com (ASt-Lambert-111-2-1-3.w81-50.abo.wanadoo.fr
	[81.50.80.3])
	by mwinf0907.wanadoo.fr (SMTP Server) with ESMTP id C1ED31C00151
	for <freebsd-questions@freebsd.org>;
	Tue,  5 Apr 2005 03:17:43 +0200 (CEST)
X-ME-UUID: 20050405011743794.C1ED31C00151@mwinf0907.wanadoo.fr
Date: Tue, 5 Apr 2005 03:17:43 +0200
From: Anthony Atkielski <atkielski.anthony@wanadoo.fr>
X-Priority: 3 (Normal)
Message-ID: <1183736361.20050405031743@wanadoo.fr>
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Securely allowing just one application via telnet
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: freebsd-questions@freebsd.org
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2005 01:17:45 -0000

If I want to allow external users to log on under only one permissible
username, which immediately and unconditionally executes only one
program (no shell access), via telnet, what is the most secure way to
set this up?  I've always understood telnet to be somewhat of a
Pandora's box for security, but I don't know if that applies to the
protocol itself, or to telnetd, or if it just refers to the many dangers
of shell access, or what.  If there is a way to secure this type of
access, I'd like to try it on my test server (I won't risk the
production server, of course), as an exercise in setting up custom
environments.

Any suggestions on how best to do this securely?

If a specific user is restricted to a specific program at login (via
/etc/passwd), is there _any_ way he can sneak out to a shell, assuming
that the program he is forced to run does _not_ provide shellout access?

-- 
Anthony