From: Chris <racerx@makeworld.com>
Date: Tue, 05 Apr 2005 12:51:34 -0500
To: Danny Howard
cc: freebsd-questions@freebsd.org
Subject: Re: Securely allowing just one application via telnet
Message-ID: <4252D026.40703@makeworld.com>
In-Reply-To: <4252CED8.8030802@toldme.com>
References: <1183736361.20050405031743@wanadoo.fr> <4252CED8.8030802@toldme.com>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Virus-Scanned: by ClamAV 0.75.1/amavisd-new-2.2.1 (20041222) at makeworld.com - Isn't it ironic

Danny Howard wrote:
> Anthony,
>
> "Securely" and "telnet" is an oxymoron. This is mainly because any
> data, including passwords, sent through a non-encrypted connection
> can be sniffed by anyone who can access any of the intervening
> networks. Your question is really very open-ended and vague. The
> correct question may be "I need to facilitate FOO." and then go about
> solving that. When you ask "I need to do something with telnet," I am
> inclined to say "I bet you are asking the wrong question."
>
> One (easier) way is to use a traditional login shell and set the
> config file to pass execution to your application. For example, if
> the user is set to use csh, you can put "exec fooprog" in his .login.
> An advantage of this is that you can set environment variables and
> stuff before handing execution to this application. If you do this,
> and you cannot trust your user (he's using telnet, so his password is
> easy to steal), then you want to look at how your development system
> handles signals. You don't want him sending some clever signal to
> your system that lets him sneak out into something else.
>
> That said, if you set a user's shell (see /etc/master.passwd and the
> excellent pw program) to your executable, then that is the program
> that will be executed as the user's login shell.
>
> (I once set up a user on my system to launch freeciv on the remote
> terminal so some friends and I could play this game in my dorm
> laboratory from the workstation in my dorm room. I think I just set
> the shell init file to "exec freeciv" and disabled the user when we
> weren't playing games. :)
>
> Another way is to put the program in inetd.conf ... you just telnet to
> some port, and things happen. This is like putting the program in as
> the user shell, but there are fewer insecure layers (telnet tends to
> have security advisories crop up), but you won't have telnet asking for
> a password for you.
>
> Anyway, good luck.
>
> Sincerely,
> -danny

Also keep in mind that starting an SSH tunnel can allow you to do many things also. One that comes to mind (and I think the handbook explains it) is mail. Setting up routines that make use of an SSH tunnel is not hard to do.

Best regards,
Chris
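The "set the user's shell to your executable" approach Danny describes, together with his warning about signals, can be made concrete as a small wrapper script. The following is an added example, not code from this thread or from FreeBSD; the wrapper name /usr/local/bin/fooshell, the application path /usr/local/bin/fooprog and the account name "anthony" are assumed. It refuses command-mode invocations, scrubs the environment, ignores the job-control and interrupt signals a user could use to drop out of the application, and then exec's the program so no shell process remains to return to.

```shell
#!/bin/sh
# Added example: a minimal restricted login shell for the master.passwd/pw
# approach discussed above.  Hypothetical names, not from the thread:
#   wrapper:     /usr/local/bin/fooshell
#   application: /usr/local/bin/fooprog
# Install for an assumed account "anthony":
#   pw usermod anthony -s /usr/local/bin/fooshell
# and list /usr/local/bin/fooshell in /etc/shells so chsh/ftpd treat it as valid.

APP=${APP:-/usr/local/bin/fooprog}

# login(1)/telnetd start a login shell with no arguments.  Anything else,
# in particular "-c command" (what "ssh host command" would produce), means
# someone is trying to run an arbitrary command through the account: refuse.
login_args_ok() {
  for arg in "$@"; do
    case "$arg" in
      -|-l) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Scrub variables an untrusted user could set before login (ssh SendEnv,
# a writable ~/.login) to influence the program: interpreter hooks, loader
# paths, word splitting, PATH, and the default file mode.
sanitize_env() {
  unset ENV BASH_ENV LD_PRELOAD LD_LIBRARY_PATH IFS
  PATH=/bin:/usr/bin
  export PATH
  umask 077
}

# The "clever signal" problem: if fooprog is stopped (SIGTSTP) or interrupted
# (SIGINT/SIGQUIT), control can come back to whatever started it.  Signals set
# to SIG_IGN survive exec(2), so ignoring them here means the application
# starts with them ignored.  SIGHUP is deliberately left alone so the program
# dies when the telnet/ssh connection drops.
ignore_escape_signals() {
  trap '' INT QUIT TSTP TTIN TTOU
}

run_restricted_login() {
  if ! login_args_ok "$@"; then
    logger -t fooshell "refused arguments for user ${USER:-?}: $*"
    exit 1
  fi
  sanitize_env
  ignore_escape_signals
  logger -t fooshell "session start for ${USER:-?} from ${SSH_CLIENT:-tty}"
  # exec replaces this shell; nothing is left behind for the user to fall into.
  exec "$APP"
  # Reached only if exec failed: never fall through to an interactive shell.
  exit 1
}

# Take over only when actually running as the login shell, so the functions
# above can also be sourced and checked on their own.
case "${0##*/}" in
  fooshell|-fooshell) run_restricted_login "$@" ;;
esac
```

Combined with Chris's point about SSH tunnels, the same account can be kept off the wire entirely: bind telnetd to 127.0.0.1 (or leave it in inetd.conf for localhost only), have the user run `ssh -N -L 2323:127.0.0.1:23 anthony@gateway` and then `telnet 127.0.0.1 2323`, so the password and the application's traffic cross the network only inside the SSH session, while the wrapper above still limits what the account can do once logged in.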