Firewall Wizards mailing list archives
RE: anonymous telnet
From: "Kendall Risselada" <krisselada () farm9 com>
Date: Fri, 14 Sep 2001 11:55:46 -0700
And if you do use netcat and want to encrypt it, then you may try this....

http://farm9.com/content/Free_Tools/Cryptcat

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of R. DuFresne
Sent: Wednesday, September 12, 2001 13:29
To: hermit1
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] anonymous telnet

If the requirement is to just push some data out the port the folks are hitting with the telnet session, then perhaps netcat or some other utility would suffice, of course, the information, since it is unencrypted, should not be sensitive in any manner. We did something like this at Nortel, to supply admins with info required to keep track of systems and their current states. Not that it was the preferred way, but, it was quick and dirty.

The requirement for access from the outside to anyone is a kicker though in my mind. At Nortel, access was limited to other internal systems to internal systems.

What are your fools trying to accomplish?

Thanks,

Ron DuFresne

On Tue, 11 Sep 2001, hermit1 wrote:
I have been asked for advice on how to do anonymous telnet to a server here; the client could be anywhere. There is a need to provide access from character-only terminals. Upon establishing the telnet session, a perl script is supposed to run automatically. No, they didn't explain how they expect a perl script to run without a user ID. The perl script will accept strings of text and create queries to run against another system.

After I got over my bout of speechlessness I tried to explain why it isn't feasible. Here are the major points I have. Comments on any or all of this are welcome, corrections especially welcome.

I refuse to customize the telnetd binary, the only way I know of to eliminate the need for a user ID. I suspect changing some PAM configuration might do it, but I don't want to try that, either.

If I use the perl script instead of the shell in /etc/passwd, any successful attempt to break out of the script into a shell should instead log the user off the computer. Is there a known way to break this?

Unless the strings accepted by the perl script are very carefully validated, I assume that escape characters would allow the user to issue system commands.

I like the idea of rback from trusted solaris, but the system is Solaris 7, not 8.

Restricted shell would probably help, but I know little about it.

I would prefer that the developers would create their own telnet server combined with the perl script, and I could have this run out of inetd on port 23. I don't think altering one of the open source telnet servers to [1. not require a login, and 2. automatically pass all input to the perl script] would be difficult, and it is probably the safest way to meet their goal.

Comments? Laughter?

Thanks

hermit1

***************************************************
This is an email. Don't rely on anything seen here as being accurate without testing it yourself.
***************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
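
An added example, not part of the original thread or any poster's code: a sketch of the login-free, inetd-started Perl front end hermit1 describes, showing the "very carefully validated" input handling in taint mode with an allow-list and no shell between the input and the query. The back-end path /usr/local/bin/run_query, the length and line limits, and the permitted character set are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Meant to be started by inetd,
# so STDIN/STDOUT are the client socket and there is no login or shell.
use strict;
use warnings;

$ENV{PATH} = '/usr/bin:/bin';                 # taint mode needs a fixed PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $MAX_LEN   = 64;                           # assumed limit per query string
my $MAX_LINES = 20;                           # assumed cap per session
my $QUERY_CMD = '/usr/local/bin/run_query';   # hypothetical back-end program

# Read one line, never buffering more than $MAX_LEN + 2 bytes.
# Returns undef on EOF or an overlong line; either ends the session.
sub read_line {
    my $buf = '';
    while (read(STDIN, my $c, 1)) {
        return $buf if $c eq "\n";
        $buf .= $c;
        return undef if length($buf) > $MAX_LEN + 1;
    }
    return undef;
}

# Allow-list check. The capture untaints the value; \A and \z (not ^ and $)
# keep an embedded newline out, and the alphanumeric first character means
# the term can never look like a command-line option.
sub validate_line {
    my ($line) = @_;
    $line =~ s/\r\z//;                        # telnet clients send CR LF
    return undef if length($line) > $MAX_LEN;
    return $line =~ /\A([A-Za-z0-9][A-Za-z0-9 .\-]*)\z/ ? $1 : undef;
}

sub main {
    $| = 1;
    $SIG{INT} = $SIG{QUIT} = $SIG{TSTP} = 'IGNORE';
    $SIG{ALRM} = sub { exit 0 };              # drop idle connections
    for (1 .. $MAX_LINES) {
        alarm 60;
        my $raw = read_line();
        last unless defined $raw;
        my $term = validate_line($raw);
        if (!defined $term) { print "rejected\r\n"; next; }
        # List-form system() execs the program directly: no shell parses $term.
        system { $QUERY_CMD } $QUERY_CMD, $term;
        print "query failed\r\n" if $? != 0;
    }
    return 0;
}

exit main() unless caller;
```

Run under a dedicated unprivileged account from inetd, the script gives a client nothing to break out into: there is no shell in the process chain, and any tainted value that skipped validate_line would make Perl abort the system() call.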
Current thread:
- anonymous telnet hermit1 (Sep 12)
- Re: anonymous telnet Patrick Darden (Sep 13)
- Re: anonymous telnet R. DuFresne (Sep 13)
- RE: anonymous telnet Kendall Risselada (Sep 17)
- RE: anonymous telnet hermit1 (Sep 17)
- RE: anonymous telnet Kendall Risselada (Sep 17)
- Re: anonymous telnet James W. Abendschan (Sep 13)