On Thu May 04 2000 at 09:20, Tony Nugent wrote:
> On Wed May 03 2000 at 13:53, "David Knaack" wrote:
>
> > I would like to set up my RH6.1 box so that
> > users can telnet to some port and get a change
> > password prompt, without having to log in or
> > anything. I think I can do this by setting up
> > an entry in inetd.conf to give access to passwd,
> > then close when its done, but I'm not sure how
> > exactly that is done.
>
> I've never tried this myself, but others have told me that it
> works...
>
> Run /usr/bin/passwd directly via /etc/inetd.conf on an unprivileged
> port. If you set it up to run via /usr/sbin/tcpd then you can use
> tcp_wrappers to control access to it. (There are probably some
> details to be filled in here).
Ack! I don't know what I was thinking, that's not the way to do it.
(How on earth can /bin/passwd know what user account to modify if the
user hasn't actually identified him/herself? Besides, it won't work
anyway, it can't cope with the socket handling... I quickly tested
it:)
I also tried recompiling netcat [nc] to enable the -e option (the rpm
seems to have disabled this option, it allows you to exec another
program when a connection is made), then run it from, eg, /etc/inittab
(ie, init), something like this:
nc -l -p 999 -e /usr/bin/passwd
It won't work for passwd, but it does work like inetd for running
network daemons quick'n'dirty. (rshd is an example).
What you want to do is to make /usr/bin/passwd the login shell for
these users (in /etc/passwd). You might need to add an entry for
/usr/bin/passwd to /etc/shells, or you could find strange things
happening, like these users being unable to use their accounts with
ftp (ftp-only access might be the purpose of these accounts in the
first place). They can then telnet in to the box, log in as a user,
then all they can do from there is change their password. Telnet is
an inetd service, so again you can tcp-wrap it.
If you *really* want to run this on another port other than the
standard telnet port (23), then you could set up /etc/inetd.conf and
/etc/services to get in.telnetd to run it that way. However, it will
become a true telnet daemon, tcp_wrappers won't be able to
differentiate between the two daemons (they will share the same access
conditions), and it again assumes that /bin/passwd is set as the
shell. No big advantage, so I wouldn't recommend doing it like this.
If this won't do for you, then a web-based cgi/php utility is then
probably the best way to go.
Cheers
Tony
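A small audit script for the setup Tony describes (passwd as the login shell, with that shell listed in /etc/shells so ftp and friends keep working). This is an added example, not part of the mail or any distribution's tooling; it runs against constructed sample contents of /etc/passwd and /etc/shells embedded in the script, so it can be tried offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check that every account whose login shell is the
# password-change shell has that shell registered in /etc/shells.
# The two heredocs are constructed samples standing in for the real files.

PASSWD_SAMPLE=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/usr/bin/passwd
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/usr/bin/passwd
EOF
)

# Note: /usr/bin/passwd is deliberately absent here to show the failing case.
SHELLS_SAMPLE=$(cat <<'EOF'
/bin/sh
/bin/bash
EOF
)

# list_restricted_users PASSWD_TEXT SHELL
# Prints the login names (field 1) whose shell (field 7) equals SHELL.
list_restricted_users() {
    printf '%s\n' "$1" | awk -F: -v s="$2" '$7 == s { print $1 }'
}

# shell_listed SHELLS_TEXT SHELL
# Succeeds if SHELL appears as a whole line in the shells file.
shell_listed() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# audit_passwd_shell PASSWD_TEXT SHELLS_TEXT SHELL
# Prints "no-users" if nobody uses SHELL, "ok" if users exist and the
# shell is registered, or "missing-from-shells" (exit 1) otherwise.
audit_passwd_shell() {
    users=$(list_restricted_users "$1" "$3")
    if [ -z "$users" ]; then
        echo "no-users"
        return 0
    fi
    if shell_listed "$2" "$3"; then
        echo "ok"
        return 0
    fi
    echo "missing-from-shells"
    return 1
}

# Stand-alone run: report the affected accounts for the sample data.
result=$(audit_passwd_shell "$PASSWD_SAMPLE" "$SHELLS_SAMPLE" /usr/bin/passwd) || true
printf 'audit result: %s\n' "$result"
if [ "$result" = "missing-from-shells" ]; then
    printf 'accounts affected: %s\n' \
        "$(list_restricted_users "$PASSWD_SAMPLE" /usr/bin/passwd | tr '\n' ' ')"
fi
```

On a live box, replace the two samples with `$(cat /etc/passwd)` and `$(cat /etc/shells)`; a "missing-from-shells" result is the situation the mail warns about, where ftpd and other daemons that consult /etc/shells will refuse those accounts.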