On Tue, Oct 08, 2002 at 12:47:32PM +0200, Kjetil Kjernsmo wrote:
> Hi folks!
>
> I just had an idea the other, er..., night, that still seemed smart when
> I woke up, so I figured I'll post it here in case it is... :-)
>
> The problem with e.g. telnet isn't really that it shouldn't be used for
> anything, but that it shouldn't be used by somebody. It is quite OK to
> use to check what the webserver responds to a particular request, for
> example. But, you wouldn't want ma to use it and send her password in
> cleartext.

As others have said, netcat (and netcat6 :) are better for network monkeying.

Telnet has legitimate uses that you didn't mention. For example, everyone's favourite socialist institution, the public library here in Halifax, Nova Scotia (on the scenic east coast of Canada :) has an online system that you telnet into. You can put holds on books, see when the stuff you have out is due, and do searches on the library catalogue. Very nice. It uses the telnet protocol, not just a raw TCP connection, so netcat is inadequate. It would be nice if you could use SSH for it, but you can't. I don't think they have the CPU power to handle SSH. (One of the library admins is on the local LUG mailing list, so I don't think incompetence is a problem :)

> What I did was that I changed group ownership of /usr/bin/telnet.netkit
> to staff and made it executable for only root and staff. I figured,
> something like that could harden-clients do too, configurable through
> standard means.

You might want to make a telnet group, and only add users to it once your lecture about the dangers of telnet has sunk in. (i.e. people can only use telnet once they know not to type anything sensitive into it.)

Alternatively, you could replace the telnet binary with a wrapper that allows users to telnet to only a few known telnet servers that you decide to allow. Attempts to telnet to other hosts would have the wrapper give a lecture about the insecurity of telnet :)

You would dpkg-divert /usr/bin/telnet to /usr/bin/plain-old-insecure-telnet, so people couldn't use it without either going through the wrapper or typing the fact that telnet is not secure.

You wouldn't need the wrapper to be setuid or gid, because what I propose is enough to prevent people from blithely using telnet without having any idea that it's bad.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my day
 so wretchedly into small pieces!" -- Plautus, 200 BC
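One way to build the allowlisting wrapper described in the reply above, as an added example that is not code from the thread or from any Debian package: it assumes the real binary has been diverted to /usr/bin/plain-old-insecure-telnet as suggested, an allowlist file at /etc/telnet-allowed-hosts (an assumed path), and the netkit telnet option set. It also refuses to start telnet with no host, because `open <host>` at the telnet> prompt would otherwise bypass the check.

```shell
#!/bin/sh
# Hypothetical wrapper installed as /usr/bin/telnet after:
#   dpkg-divert --add --rename --divert /usr/bin/plain-old-insecure-telnet /usr/bin/telnet
# Variable names and the allowlist path are assumptions, not Debian conventions.
REAL_TELNET=${REAL_TELNET:-/usr/bin/plain-old-insecure-telnet}
ALLOWLIST=${ALLOWLIST:-/etc/telnet-allowed-hosts}   # one host per line, '#' comments

# Print the host the user asked for: the first non-option argument.
# Only the netkit options that take a value (-e, -l, -n) are skipped here.
target_host() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -e|-l|-n) shift; if [ $# -gt 0 ]; then shift; fi ;;
            -*)       shift ;;
            *)        printf '%s\n' "$1"; return 0 ;;
        esac
    done
    return 1          # no host: telnet would drop into its own prompt
}

# Succeed if host $1 appears (case-insensitively, as a whole line) in file $2.
host_allowed() {
    [ -r "$2" ] || return 1
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    grep -v '^[[:space:]]*#' "$2" | tr 'A-Z' 'a-z' | grep -qxF -- "$lower"
}

lecture() {
    cat >&2 <<EOF
telnet sends everything you type, passwords included, in cleartext.
$1
Use ssh for remote shells and netcat for talking to raw TCP services.
EOF
}

telnet_wrapper() {
    # Refuse prompt mode: 'open <host>' at the telnet> prompt would bypass the list.
    host=$(target_host "$@") || {
        lecture "No host given; interactive mode is disabled by this wrapper."; exit 1; }
    if host_allowed "$host" "$ALLOWLIST"; then
        exec "$REAL_TELNET" "$@"
    fi
    lecture "$host is not on the list of approved telnet-only services ($ALLOWLIST)."
    exit 1
}

# Dispatch only when this file is actually installed as the telnet command.
case "$0" in */telnet|telnet) telnet_wrapper "$@" ;; esac
```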

