Firewall Wizards mailing list archives
RE: anonymous telnet
From: hermit1 <hermits () mac com>
Date: Fri, 14 Sep 2001 12:27:51 -0700
I have received a number of responses, and as often happens, they go beyond my needs into sensible approaches. In this case, the client has to be any generic telnet client a user might have. No lynx, no ssh, no knowledge of who any user might be and no way they could be given programs to run. I didn't approve the requirements, I just have to live with them. The data is not sensitive, it is supposed to be accessible by anyone anywhere. Telnet is to be an alternative access method for those who can't use a web browser.
To summarize my understanding of the usable responses:

1. Safest is to have the application listen on port 23, either as a daemon or via inetd, and handle its own telnet negotiations.
2. Second choice is to have the application run in place of a user shell.
3. Restricted shell would help a little if I can ensure the user's PATH has no directories other than the current one, since the user couldn't do a cd.
Either way, try to have the perl script be written to be as safe as possible. Many thanks to the people who gave specific suggestions for this.
hermit1
On Tue, 11 Sep 2001, hermit1 wrote:

> I have been asked for advice on how to do anonymous telnet to a server here; the client could be anywhere. There is a need to provide access from character-only terminals. Upon establishing the telnet session, a perl script is supposed to run automatically. No, they didn't explain how they expect a perl script to run without a user ID. The perl script will accept strings of text and create queries to run against another system.
>
> After I got over my bout of speechlessness I tried to explain why it isn't feasible. Here are the major points I have. Comments on any or all of this are welcome, corrections especially welcome.
>
> I refuse to customize the telnetd binary, the only way I know of to eliminate the need for a user ID. I suspect changing some PAM configuration might do it, but I don't want to try that, either.
>
> If I use the perl script instead of the shell in /etc/passwd, any successful attempt to break out of the script into a shell should instead log the user off the computer. Is there a known way to break this?
>
> Unless the strings accepted by the perl script are very carefully validated, I assume that escape characters would allow the user to issue system commands.
>
> I like the idea of rback from trusted solaris, but the system is Solaris 7, not 8.
>
> Restricted shell would probably help, but I know little about it.
>
> I would prefer that the developers would create their own telnet server combined with the perl script, and I could have this run out of inetd on port 23. I don't think altering one of the open source telnet servers to [1. not require a login, and 2. automatically pass all input to the perl script] would be difficult, and it is probably the safest way to meet their goal.
>
> Comments? Laughter?
>
> Thanks
> hermit1
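As an added example (not code from this thread or its author), here is the shape a "script instead of a shell" service could take, covering the points above: it runs under Perl taint mode, ends the session on any interrupt rather than leaving the user anywhere else, strips telnet negotiation bytes, allow-lists the input, and passes the term to the query back end without a shell. The path /usr/local/bin/lookup is a placeholder for whatever program actually runs the query.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Meant to be listed as the login shell
# in /etc/passwd, or launched straight from inetd on port 23, for an
# anonymous telnet lookup service. /usr/local/bin/lookup is a placeholder.
use strict;
use warnings;
$| = 1;                                     # flush prompts immediately
$ENV{PATH} = '/usr/bin';                    # fixed PATH (required under -T)
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
# Any interrupt or "break" ends the session instead of going anywhere else.
$SIG{$_} = sub { exit 0 } for qw(INT QUIT TSTP HUP TERM);

# Drop telnet IAC (0xFF) sequences: WILL/WONT/DO/DONT carry one option byte,
# every other IAC command (including IAC IAC) is two bytes in total.
sub strip_telnet {
    my ($s) = @_;
    $s =~ s/\xFF(?:[\xFB-\xFE].|.)//gs;
    return $s;
}

# Allow-list validation: returns the untainted term, or undef if rejected.
sub validate {
    my ($s) = @_;
    return $s =~ /\A([A-Za-z0-9][A-Za-z0-9 ._-]{0,63})\z/ ? $1 : undef;
}

# List-form system() never invokes a shell, so metacharacters stay inert.
sub run_query {
    my ($term) = @_;
    my $rc = system('/usr/local/bin/lookup', '--', $term);
    print "lookup failed\r\n" if $rc != 0;
}

print "Anonymous lookup. Enter a search term, or 'quit'.\r\n";
while (1) {
    print "query> ";
    my $line = <STDIN>;
    last unless defined $line;              # client disconnected
    $line = strip_telnet($line);
    $line =~ s/\r?\n\z//;
    last if lc($line) eq 'quit';
    my $term = validate($line);
    if (!defined $term) {
        print "rejected: use letters, digits, space . _ - (max 64)\r\n";
        next;
    }
    run_query($term);
}
print "bye\r\n";
```

Telnet subnegotiation (IAC SB ... IAC SE) is not parsed here; a client that sends one would have its contents rejected by the allow-list rather than acted on.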