Securely allowing just one application via telnet
racerx at makeworld.com
Tue Apr 5 10:51:55 PDT 2005
Danny Howard wrote:
> "Securely" and "telnet" is an oxymoron. This is mainly because any
> data, including passwords, sent through a non-encrypted connection,
> can be sniffed by anyone who can access any of the intervening
> networks. Your question is really very open-ended and vague. The
> correct question may be "I need to facilitate FOO." and then go about
> solving that. When you ask "I need to do something with telnet," I am
> inclined to say "I bet you are asking the wrong question."
> One (easier) way is to use a traditional login shell and set the
> config file to pass execution to your application. For example, if
> the user is set to use csh, you can put "exec fooprog" in his .login.
> An advantage of this is that you can set environment variables and
> stuff before handing execution to this application. If you do this,
> and you cannot trust your user (he's using telnet, so his password is
> easy to steal), then you want to look at how your development system
> handles signals. You don't want him sending some clever signal to
> your system that lets him sneak out into something else.
> That said, if you set a user's shell (see /etc/master.passwd and the
> excellent pw program) to your executable, then that is the program
> that will be executed as the user's login shell.
> (I once set up a user on my system to launch freeciv on the remote
> terminal so some friends and I could play this game in my dorm
> laboratory from the workstation in my dorm room. I think I just set
> the shell init file to "exec freeciv" and disabled the user when we
> weren't playing games. :)
> Another way is to put the program in inetd.conf ... you just telnet to
> some port, and things happen. This is like putting the program in as
> the user shell, but there are fewer insecure layers (telnet tends to
> have security advisories crop up) but you won't have telnet asking for
> a password for you.
> Anyway, good luck.
Also keep in mind that starting an SSH tunnel can allow you to do many
things also. One that comes to mind (and I think the handbook explains
it) is mail. Setting up routines that make use of an SSH tunnel is not
hard to do.
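A defensive wrapper for the "set the user's shell to your executable" approach discussed above, added here as an example rather than code from the thread; the `app-shell` name and the `/usr/local/bin/fooprog` target are hypothetical placeholders.

```shell
#!/bin/sh
# app-shell: login-shell wrapper that hands a session to exactly one program.
# Installed as the user's shell (e.g. `pw usermod alice -s /usr/local/bin/app-shell`),
# it scrubs the inherited environment and ignores the signals a user could send
# to break out before handing execution to the application.

APP="${APP:-/usr/local/bin/fooprog}"   # the single allowed program (placeholder)

# Accept only an absolute path to an executable file.
guard_app() {
    case "$1" in
        /*) [ -f "$1" ] && [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Start "$@" with a minimal environment and the break-out signals ignored.
# This replaces the calling process, so callers that want to keep running
# should invoke it in a subshell.
run_app() {
    guard_app "$1" || { echo "app-shell: refusing to run '$1'" >&2; return 1; }
    # Ignored dispositions survive exec(), so ^C, ^\ and ^Z reach neither the
    # program nor anything it spawns unless the program resets them itself.
    # SIGHUP is deliberately left alone so a dropped connection still ends the job.
    trap '' INT QUIT TSTP
    # Drop the inherited environment: only a known PATH, HOME and TERM survive.
    exec env -i PATH=/bin:/usr/bin HOME="${HOME:-/}" TERM="${TERM:-dumb}" "$@"
}

# When invoked as a login shell (argv[0] is "-app-shell"), there is only one
# thing this shell ever does; -c and interactive use are not supported.
case "$0" in
    *app-shell) run_app "$APP" ;;
esac
```

Any shell escape the application itself offers (a `!` command in an editor or pager, for instance) is outside this wrapper's control, so the application still has to be reviewed on its own terms.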