Date: Tue, 05 Apr 2005 12:51:34 -0500 From: Chris <racerx@makeworld.com> To: Danny Howard <dannyman@toldme.com> Cc: freebsd-questions@freebsd.org Subject: Re: Securely allowing just one application via telnet Message-ID: <4252D026.40703@makeworld.com> In-Reply-To: <4252CED8.8030802@toldme.com> References: <1183736361.20050405031743@wanadoo.fr> <4252CED8.8030802@toldme.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Danny Howard wrote: > Anthony, > > "Securely" and "telnet" is an oxymoron. This is mainly because any > data, including passwords, sent through a non-encrypted connection, > can be sniffed by anyone who can access any of the intervening > networks. Your question is really very open-ended and vague. The > correct question may be "I need to facilitate FOO." and then go about > solving that. When you ask "I need to do something with telnet," I am > inclined to say "I bet you are asking the wrong question." > > One (easier) way is to use a traditional login shell and set the > config file to pass execution to your application. For example, if > the user is set to use csh, you can put "exec fooprog" in his .login. > An advantage of this is that you can set environment variables and > stuff before handing execution to this application. If you do this, > and you can not trust your user (he's using telnet, so his password is > easy to steal,) then you want to look at how your development system > handles signals. You don't want him sending some clever signal to > your system that lets them sneak out in to something else. > > That said, if you set a user's shell (See /etc/master.passwd and the > excellent pw program,) to your executable, then that is the program > that will be executed as the user's login shell. > (I once set up a user on my system to launch freeciv on the remote > terminal so some friends and I could play this game in my dorm > laboratory from the workstation in my dorm room. I think I just set > the shell init file to "exec freeciv" and disabled the user when we > weren't playing games. :) > > Another way is to put the program in inetd.conf ... you just telnet to > some port, and things happen. This is like putting the program in as > the user shell, but there are fewer insecure layers (telnet tends to > have security advisories crop up) but you wont have telnet asking for > a password for you. > > Anyway, good luck. > > Sincerely, > -danny > Also keep in mind that starting an SSH tunnel can allow you to do many things also. One that comes to mind (and I think the handbook explains it) is mail. Setting up routines that make use of an SSH tunnel is not hard to do. Best regards, Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4252D026.40703>