Securely allowing just one application via telnet
Danny Howard
dannyman at toldme.com
Tue Apr 5 10:46:07 PDT 2005
Anthony,

"Securely" and "telnet" are an oxymoron. This is mainly because any
data, including passwords, sent through a non-encrypted connection can
be sniffed by anyone who can access any of the intervening networks.

Your question is really very open-ended and vague. The correct question
may be "I need to facilitate FOO." and then go about solving that. When
you ask "I need to do something with telnet," I am inclined to say "I
bet you are asking the wrong question."

One (easier) way is to use a traditional login shell and set the config
file to pass execution to your application. For example, if the user is
set to use csh, you can put "exec fooprog" in his .login. An advantage
of this is that you can set environment variables and stuff before
handing execution to this application. If you do this, and you cannot
trust your user (he's using telnet, so his password is easy to steal),
then you want to look at how your development system handles signals.
You don't want him sending some clever signal to your system that lets
them sneak out into something else.

That said, if you set a user's shell (see /etc/master.passwd and the
excellent pw program) to your executable, then that is the program that
will be executed as the user's login shell.

(I once set up a user on my system to launch freeciv on the remote
terminal so some friends and I could play this game in my dorm
laboratory from the workstation in my dorm room. I think I just set the
shell init file to "exec freeciv" and disabled the user when we weren't
playing games. :)

Another way is to put the program in inetd.conf ... you just telnet to
some port, and things happen. This is like putting the program in as
the user shell, but there are fewer insecure layers (telnet tends to
have security advisories crop up) but you won't have telnet asking for a
password for you.

Anyway, good luck.

Sincerely,
-danny

--
http://dannyman.toldme.com/
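
The login-shell approach from the message above, written as a wrapper that refuses arguments, ignores keyboard-generated signals, and starts the application from an empty environment. This is an added example, not part of the original post; the path `/usr/local/bin/fooprog` and the installed name `fooshell` are hypothetical.

```shell
#!/bin/sh
# Restricted login wrapper (added example, not from the original post).
# Install it as the account's login shell; APP is a hypothetical path.
APP=${APP:-/usr/local/bin/fooprog}

# A real login passes no arguments; "-c command" style invocations do.
check_args() {
    [ "$#" -eq 0 ]
}

# The target must be a regular executable file that group and other
# cannot write to, otherwise another local user could replace it.
# -L makes find test the file a symlink points at, not the link itself.
check_app() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ -z "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Ignore the keyboard-generated signals. A signal ignored here stays
# ignored across exec unless the application installs its own handler.
# SIGHUP is left alone so a dropped connection still ends the session.
harden_signals() {
    trap '' INT QUIT TSTP
}

# Replace this process with the application, starting from an empty
# environment so nothing supplied by the client is inherited.
launch() {
    exec /usr/bin/env -i PATH=/usr/bin:/bin TERM="${TERM:-dumb}" \
        HOME="${HOME:-/}" "$@"
}

main() {
    check_args "$@" || { echo "arguments not permitted" >&2; exit 1; }
    check_app "$APP" || { echo "application unavailable" >&2; exit 1; }
    harden_signals
    cd "${HOME:-/}" 2>/dev/null || cd /
    launch "$APP"
}

# Run only when invoked under the installed name (hypothetical: fooshell),
# so the functions above can be sourced and tested without side effects.
case "${0##*/}" in
    fooshell|-fooshell) main "$@" ;;
esac
```

The wrapper only narrows the way in: an application that offers its own shell escape, or that resets the ignored signals to their defaults, still needs to be reviewed separately.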