Securely allowing just one application via telnet

Chris racerx at makeworld.com
Tue Apr 5 10:51:55 PDT 2005


Danny Howard wrote:

> Anthony,
>
> "Securely" and "telnet" is an oxymoron.  This is mainly because any 
> data, including passwords, sent through a non-encrypted connection, 
> can be sniffed by anyone who can access any of the intervening 
> networks.  Your question is really very open-ended and vague.  The 
> correct question may be "I need to facilitate FOO." and then go about 
> solving that.  When you ask "I need to do something with telnet," I am 
> inclined to say "I bet you are asking the wrong question."
>
> One (easier) way is to use a traditional login shell and set the 
> config file to pass execution to your application.  For example, if 
> the user is set to use csh, you can put "exec fooprog" in his .login.  
> An advantage of this is that you can set environment variables and 
> stuff before handing execution to this application.  If you do this, 
> and you cannot trust your user (he's using telnet, so his password is 
> easy to steal), then you want to look at how your development system 
> handles signals.  You don't want him sending some clever signal to 
> your system that lets him sneak out into something else.
>
> That said, if you set a user's shell (see /etc/master.passwd and the 
> excellent pw program) to your executable, then that is the program 
> that will be executed as the user's login shell.
> (I once set up a user on my system to launch freeciv on the remote 
> terminal so some friends and I could play this game in my dorm 
> laboratory from the workstation in my dorm room.  I think I just set 
> the shell init file to "exec freeciv" and disabled the user when we 
> weren't playing games. :)
>
> Another way is to put the program in inetd.conf ... you just telnet to 
> some port, and things happen.  This is like putting the program in as 
> the user shell, but there are fewer insecure layers (telnet tends to 
> have security advisories crop up), though you won't have telnet asking 
> for a password for you.
>
> Anyway, good luck.
>
> Sincerely,
> -danny
>
Also keep in mind that starting an SSH tunnel can allow you to do many 
things also. One that comes to mind (and I think the handbook explains 
it) is mail. Setting up routines that make use of an SSH tunnel is not 
hard to do.

Best regards,
Chris
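The login-shell approach Danny describes (a program set as the user's shell via pw, with attention to signals and environment before handing over to the one application) can be written as a small wrapper. This is an added example for this thread, not code from either post; the wrapper path /usr/local/sbin/only-fooprog and the application path /usr/local/bin/fooprog are assumptions.

```shell
#!/bin/sh
# only-fooprog: a login shell that hands the session to exactly one program.
# Set it with "pw usermod <user> -s /usr/local/sbin/only-fooprog" (assumed
# path); login(1) then runs this instead of csh or sh.  Example code, not
# from the original posts.
APP=${ONLY_APP:-/usr/local/bin/fooprog}   # the one permitted program (assumed)

# login(1) starts a login shell with no arguments.  Anything else ("-c cmd"
# from a program that believes this is a real shell) is refused: that is the
# path by which a shell-shaped wrapper turns into a command interpreter.
check_invocation() {
    [ "$#" -eq 0 ]
}

# TERM arrives from the telnet client.  Keep it only if it looks like a
# termcap name; otherwise fall back to vt100, so a hostile value never
# reaches the environment handed to the application.
sanitize_term() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) printf 'vt100\n' ;;
        *)                    printf '%s\n' "$1" ;;
    esac
}

# Ignore the keyboard signals (^C, ^\, ^Z, hangup) in the wrapper so the user
# cannot stop or suspend it before the exec.  "Ignored" dispositions survive
# exec(2); the application can still install its own handlers, so it must
# also be written not to drop into a shell when signalled.
launch() {
    trap '' INT QUIT TSTP HUP
    # env -i: start from an empty environment; nothing negotiated by the
    # client (ENV, PATH, LD_*, ...) reaches the application.
    exec /usr/bin/env -i \
        HOME="${HOME:-/nonexistent}" \
        TERM="$(sanitize_term "${TERM:-}")" \
        PATH=/usr/bin:/bin \
        "$APP"
}

main() {
    if ! check_invocation "$@"; then
        printf 'restricted login: arguments are not permitted\n' >&2
        exit 1
    fi
    launch
}

# Run only when invoked as the login shell (login(1) sets argv[0] to "-only-fooprog").
case $0 in
    *only-fooprog) main "$@" ;;
esac
```

The application itself must not offer a way back to a shell (a "!" escape, a crash that drops to a debugger), since the wrapper only controls what happens up to the exec.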


More information about the freebsd-questions mailing list