Re: Authentication for telnet.
On Mon, 09 Dec 2019 08:21:27 -0800 pe...@easthope.ca wrote:

> > telnetd is INSECURE and SHOULD NOT BE USED unless you have ...
> > EXPLICITLY STATED reason.
>
> Where is that policy published? Where should the description of use
> be submitted for approval?

I have no idea whose policy you refer to, so I don't know if it's policy or not. One of the main reasons telnet is deprecated is because it sends passwords in the clear, so a malevolent snooper can harvest passwords.

>
> A session is routinely opened with xterm, gnome-terminal, lxterm and
> etc. without authentication. Why is authentication so necessary for
> "telnet localhost"?

telnet localhost was not the typical use case. I suspect a malevolent user on the same computer might be able to sniff passwords and other traffic from memory. Since you are probably the sole user on your computer, that is an unlikely scenario.

Remember that Unix security evolved in a day when Unix boxen were multi-user, and one (especially administrators) could not assume benevolence on the part of all users.

Be aware of risks, and assess your own situation accordingly. If you still prefer to use telnet, go for it.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Bullying; was: Re: Authentication for telnet.
From: Greg Wooledge
Date: Wed, 2 Oct 2019 09:11:55 -0400
> They gave you the rope and the instructions. It's up to you to actually
> tie the noose around your own neck.
>
> Just delete the stupidly obvious this-line-is-commented-out-on-purpose
> token, and then reload inetd. If you don't know how to do those things,
> or if you can't figure this out just by glancing at the configuration
> file, then you have zero business f.. with telnetd.

Violation of https://www.debian.org/code_of_conduct part 1 and of https://www.debian.org/MailingLists/#codeofconduct .

> They didn't even bother putting a comment in the script, ...

## telnet ... is a comment. Although ## is styled as formal syntax. Why not just prefix the telnet line with "#" and add a comment such as

# telnet is commented out in case you installed it but don't really want
# to use it. If you really, really ... really want to use it, remove the "#".

> telnetd is INSECURE and SHOULD NOT BE USED unless you have ...
> EXPLICITLY STATED reason.

Where is that policy published? Where should the description of use be submitted for approval?

A session is routinely opened with xterm, gnome-terminal, lxterm and etc. without authentication. Why is authentication so necessary for "telnet localhost"?

At least a little cognizance of https://www.debian.org/code_of_conduct , part 2, might be exercised.

As far as my question is concerned, telnetd is in Debian but the client is not specific to Debian. According to https://wiki.debian.org/DebianMailingLists , "Debian lists are for discussion of Debian issues. Discussion of other distributions, or other operating systems, unless related to a Debian issue, are inappropriate." Therefore discussion of the telnet client involved in my query is questionable. The trouble with mentioning the client is that too many will forget the question and dash to a flame war.

> I'm adding you to the same file that the illustrious Mr. Owlett is in, ...

Finally! Good! =8~)

Here are a couple of links which might help.
https://en.wikipedia.org/wiki/Bullying
https://www.stopbullying.gov/
A family doctor can refer to professional counselling.

Meanwhile, from https://www.debian.org/intro/organization .
"Mailing Lists Administration and Mailing List Archives
...
member Alexander Wirt
member Cord Beermann
member David Moreno Garza
member Don Armstrong
member Joey Schulze
member Martin Zobel-Helas
member Pascal Hakim"

With any luck, at least one of these noticed the message cited at the top and took appropriate action.

Regards, ... Peter E.

--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Fri, Oct 11, 2019 at 01:59:07PM +0100, Tixy wrote:
> On Fri, 2019-10-11 at 04:00 -0700, pe...@easthope.ca wrote:
> [...]
> > Ideally the syntax
> > required for correct threading would be posted in the debian site.
>
> What's it got to do with Debian? Correct email threading is a property
> of the email clients the senders and receivers of emails use. You'd
> hope writers of those email clients would have read RFC2822 (or RFC822
> if they're from last century) and implemented support for Message-ID,
> References, and In-Reply-To fields.

See also the relevant Wikipedia page [1] for a more digestible description, with lots of references.

If you stick to that, the Debian mailing list software will do the right thing (otherwise it'd have generated a bug report long ago).

Cheers

[1] https://en.wikipedia.org/wiki/Electronic_mail#Message_format

-- tomás
Re: Authentication for telnet.
On Fri, 2019-10-11 at 04:00 -0700, pe...@easthope.ca wrote:
[...]
> Ideally the syntax
> required for correct threading would be posted in the debian site.

What's it got to do with Debian? Correct email threading is a property of the email clients the senders and receivers of emails use. You'd hope writers of those email clients would have read RFC2822 (or RFC822 if they're from last century) and implemented support for Message-ID, References, and In-Reply-To fields.

--
Tixy
Re: Authentication for telnet.
From: David Wright
Date: Fri, 11 Oct 2019 00:12:45 -0500
> Maybe sometime you'd explain why you prefer telnet to ssh.

Several years ago ssh was about 15-20 s connecting whereas telnet required less than a second. Consequently I adopted the habit of using telnet with a password. Recently I wondered about skipping the password and posted the original question about authentication. After the suggestion to use SSH I tried it and found it not working. A2 was being overhauled; I won't pursue SSH until that settles.

Superimposed on the authentication story was the broken threading causing annoyance to me and too many others. Ideally the syntax required for correct threading would be posted in the debian site. Otherwise one should aim to study the source for MHonArc? In dillo, a click on the MHonArc link at the foot of a list page gives "Unable to get a local issuer certificate. The issuer certificate of an untrusted certificate cannot be found."

> Perhaps you could also restate where you had got to in this thread.
> I assumed that by 4th October you had solved your difficulty with
> options like -L and -a when trying to use your telnet client, and
> that you had managed to authenticate yourself: "Solved now."

The telnet viewer pops open in a few ms with no password request.

> But I also thought you said that you didn't want to have to type a
> password: ...

Correct.

> Does "Solved now" mean that you had done so already when
> using telnet?

Yes. It was solved by following the pointer from Reco.
telnet -a none ...

> The guts of my post was avoiding the password dialogue by adding
> the user's own public key to the list of authorised keys. Perhaps
> I shouldn't have bothered to pose the first question. Too distracting.

I'm watching for a new release of A2 from ETHZ. When that is working, will look at SSH again. If it's fast enough for routine use, will try the public key.

> I would counter with a different analogy. Houses in Britain used to have
> 3-lever locks, adequate at the time. Modern 5-lever ones were expensive
> and only available in more limited styles. Nowadays, better security is
> required, so attractive 5-lever locks are more available, relatively
> cheaper (as the market is larger), and demanded by most insurance
> companies or else you're not covered.

I had to read the Wikipedia article about lever locks. Interesting. Here pin tumbler deadbolts are common in older houses. Upscale new construction might favour a newer technology; I know little about architecture. Why do lever locks remain popular? Pin tumblers should be cheaper and more difficult to pick.

> I would have thought you were also more likely
> to meet ssh than telnet in other situations nowadays.

Almost all my connections to the outside are via HTTPS. Hypothetically, websitewelcome.com could offer scp but I've never seen it mentioned.

> > netcat (which I use very frequently) might be subject to the same
> > criticisms. If I were to use it outside my LAN, I'd be inclined to
> > use cryptcat.
> >
> > Kneejerk reactions against telnetd are not unknown. telnetd is not
> > insecure; its use might be. But I think you are aware of that.
> I don't understand the point you're trying to make.

That was from Brian.

> By telnetd, do
> you just mean strictly the security of daemon program, or the
> end-to-end communication via the telnet protocol?

I would refer to the daemon as telnetd and client as telnet. I guess the protocol should always be capitalized, Telnet, but one of Yogi Berra's favoured quips will apply: in theory, theory and practice are the same; in practice they differ.

> BTW I am assuming that by the term telnet people have meant vanilla
> telnet and not something like telnet-ssl.

Sensible but isn't telnet-ssl almost extinct?

Regards, ... P.

--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Thu 10 Oct 2019 at 06:48:16 (-0700), pe...@easthope.ca wrote:

> Incidentally the hyperlinks in my reply to Charles Curley
> ( https://lists.debian.org/debian-user/2019/10/msg00479.html ) seem OK.
> The list server is flummoxed when there are more than 2 or 3 or 4
> References? Then I should insert only two references. By hasty count,
> 6 mouse clicks.

https://lists.debian.org/debian-user/2019/10/msg00337.html appears to have 10 references. I don't know whether there's a limit.

But your threading has improved after a poor patch earlier this month when the magnifying glasses were being pasted inside the links' < > again.

Cheers,
David.
Re: Authentication for telnet.
On Thu 10 Oct 2019 at 19:34:26 (+0100), Brian wrote:
> On Thu 10 Oct 2019 at 06:48:16 -0700, pe...@easthope.ca wrote:
> > From: David Wright, Thu, 10 Oct 2019 00:18:34 -0500
> > > telnetd is ancient ...

I wrote "sshd is modern and secure. telnetd is ancient and insecure …" with the two sentences in apposition in order to contrast the choices you said you have available: "Protocols Telnet and SSH are available;…"

Maybe sometime you'd explain why you prefer telnet to ssh.

Perhaps you could also restate where you had got to in this thread. I assumed that by 4th October you had solved your difficulty with options like -L and -a when trying to use your telnet client, and that you had managed to authenticate yourself: "Solved now."

But I also thought you said that you didn't want to have to type a password: "… once a user is logged in to the system, a shell session is opened without a password", so I indicated how you might solve that.

Does "Solved now" mean that you had done so already when using telnet? Perhaps I missed it with the threading the way it was.

> > Recency of development is a criterion for choosing a tool. (?)
>
> I think that depends on the tool. If telnetd works for you and you are
> cognisant of its drawbacks, why not use it?
>
> > The ball-peen hammer as we know it would have been developed before 1900.
> > Might have been prior to 1800. The pneumatic hammer was developed in the
> > 1920s and '30s. ( https://en.wikipedia.org/wiki/Air_hammer_(fabrication) )
> > Therefore we should always choose the pneumatic rather than the ball-peen.
>
> I'm unsure whether the analogy works. One can always choose to pick
> holes in an analogy and neglect the essential argument. The conversation
> then revolves round a different topic rather than getting to the guts of
> any issue.

The guts of my post was avoiding the password dialogue by adding the user's own public key to the list of authorised keys. Perhaps I shouldn't have bothered to pose the first question. Too distracting.

> > Recency is minded but shouldn't dictate.
>
> Fair enough.

I would counter with a different analogy. Houses in Britain used to have 3-lever locks, adequate at the time. Modern 5-lever ones were expensive and only available in more limited styles. Nowadays, better security is required, so attractive 5-lever locks are more available, relatively cheaper (as the market is larger), and demanded by most insurance companies or else you're not covered.

> > > sshd is ... secure.
> >
> > This scenario is in one machine which is running shorewall. The LAN
> > has another firewall. What are the risks to the telnet protocol in
> > this case?

I don't know what your configuration or risks are, but why not go for security in depth? I would have thought you were also more likely to meet ssh than telnet in other situations nowadays.

> netcat (which I use very frequently) might be subject to the same
> criticisms. If I were to use it outside my LAN, I'd be inclined to
> use cryptcat.
>
> Kneejerk reactions against telnetd are not unknown. telnetd is not
> insecure; its use might be. But I think you are aware of that.

I don't understand the point you're trying to make. By telnetd, do you just mean strictly the security of daemon program, or the end-to-end communication via the telnet protocol?

(BTW I am assuming that by the term telnet people have meant vanilla telnet and not something like telnet-ssl.)

Cheers,
David.
Re: Authentication for telnet.
On Thu 10 Oct 2019 at 06:48:16 -0700, pe...@easthope.ca wrote:

> From: David Wright, Thu, 10 Oct 2019 00:18:34 -0500
> > telnetd is ancient ...
>
> Recency of development is a criterion for choosing a tool. (?)

I think that depends on the tool. If telnetd works for you and you are cognisant of its drawbacks, why not use it?

> The ball-peen hammer as we know it would have been developed before 1900.
> Might have been prior to 1800. The pneumatic hammer was developed in the
> 1920s and '30s. ( https://en.wikipedia.org/wiki/Air_hammer_(fabrication) )
> Therefore we should always choose the pneumatic rather than the ball-peen.

I'm unsure whether the analogy works. One can always choose to pick holes in an analogy and neglect the essential argument. The conversation then revolves round a different topic rather than getting to the guts of any issue.

> Recency is minded but shouldn't dictate.

Fair enough.

> > sshd is ... secure.
>
> This scenario is in one machine which is running shorewall. The LAN
> has another firewall. What are the risks to the telnet protocol in
> this case?

netcat (which I use very frequently) might be subject to the same criticisms. If I were to use it outside my LAN, I'd be inclined to use cryptcat.

Kneejerk reactions against telnetd are not unknown. telnetd is not insecure; its use might be. But I think you are aware of that.

--
Brian.
Re: Authentication for telnet.
From: David Wright, Thu, 10 Oct 2019 00:18:34 -0500
> telnetd is ancient ...

Recency of development is a criterion for choosing a tool. (?)

The ball-peen hammer as we know it would have been developed before 1900. Might have been prior to 1800. The pneumatic hammer was developed in the 1920s and '30s. ( https://en.wikipedia.org/wiki/Air_hammer_(fabrication) ) Therefore we should always choose the pneumatic rather than the ball-peen.

Recency is minded but shouldn't dictate.

> sshd is ... secure.

This scenario is in one machine which is running shorewall. The LAN has another firewall. What are the risks to the telnet protocol in this case?

> Why would you be typing a password after typing ssh localhost?
> Just type:
>
> $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Valid point.

Incidentally the hyperlinks in my reply to Charles Curley ( https://lists.debian.org/debian-user/2019/10/msg00479.html ) seem OK. The list server is flummoxed when there are more than 2 or 3 or 4 References? Then I should insert only two references. By hasty count, 6 mouse clicks.

Regards,... Peter E.

--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Wed 09 Oct 2019 at 07:25:39 (-0700), pe...@easthope.ca wrote:
> From: Andy Smith
> Date: Sun, 29 Sep 2019 23:03:14 +
> > It is confusing why you would need to do this to localhost as you
> > could just type "bash" (or dash or zsh or whatever) to get a new
> > shell. So it would help our understanding if you were to explain
> > what your use case is for this new interactive shell session.
>
> Oberon has a client for protocol Telnet and a client for SSH. bash,
> dash, sudo, rlogin and many other tools don't exist in Oberon. I
> avoided discussing this deliberately. For most readers it's an
> annoying digression; for some will cause mental upset.
>
> In most Debian situations, once a user is logged in to the system, a
> shell session is opened without a password. "telnet localhost" is
> analogous to that. "ssh localhost" is rarely used.

Why? sshd is modern and secure. telnetd is ancient and insecure and ought not to be on the system at all.

> If sitting in a
> public place, be careful that someone isn't watching when you type the
> password.

Why would you be typing a password after typing ssh localhost? Just type:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Cheers,
David.
Re: Subject: Re: Authentication for telnet.
On Wed, 09 Oct 2019 20:13:57 -0700 pe...@easthope.ca wrote:

> From: Charles Curley
> Date: Wed, 9 Oct 2019 10:59:47 -0600
> > First, this is a Debian Linux support list, not an Oberon support
> > list.
>
> Yes! Exactly the right place for a question about telnetd in a
> Debian system.
>
> This illustrates why I tried to avoid mention of Oberon at the
> outset. It's a distraction, not essential to the question. The
> telnet client might also be in MS Windows running in QEMU in the
> debian system or in FreeDOS in QEMU in the debian system. They might
> provide analogous contexts. But the question was about the telnetd
> server in debian; not about the telnet client.
>
> > If you are running a GUI, most desktop environments will allow you
> > to have multiple terminal emulators open. Many of those will allow
> > you multiple tabs, each with a session open.
> >
> > If you are not running a GUI, CTL-ALT-(F1-F6) will allow you up to
> > six simultaneous logins.
> >
> > There are ways to get more, such as screen.
>
> Please read the message you have replied to again. Protocols Telnet
> and SSH are available; nothing else you mention.

Now you have me further confused. If this is about telnetd on a Debian system, then absent serious surgery to the point of crippling the host, those things are available.

Or am I in error in believing that you want to telnet to the same account on the same Debian machine?

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Subject: Re: Authentication for telnet.
From: Charles Curley
Date: Wed, 9 Oct 2019 10:59:47 -0600
> First, this is a Debian Linux support list, not an Oberon support
> list.

Yes! Exactly the right place for a question about telnetd in a Debian system.

This illustrates why I tried to avoid mention of Oberon at the outset. It's a distraction, not essential to the question. The telnet client might also be in MS Windows running in QEMU in the debian system or in FreeDOS in QEMU in the debian system. They might provide analogous contexts. But the question was about the telnetd server in debian; not about the telnet client.

> If you are running a GUI, most desktop environments will allow you to
> have multiple terminal emulators open. Many of those will allow you
> multiple tabs, each with a session open.
>
> If you are not running a GUI, CTL-ALT-(F1-F6) will allow you up to six
> simultaneous logins.
>
> There are ways to get more, such as screen.

Please read the message you have replied to again. Protocols Telnet and SSH are available; nothing else you mention.

Regards, ... P.

--
https://en.wikibooks.org/wiki/Medical_Machines
https://en.wikibooks.org/wiki/Oberon
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Threading; was: Re: Authentication for telnet.
DISCLAIMER & WARNING: Threading may still be incorrect. Tempting as this message might be, if incorrect threading upsets you please stop reading. =8~)

To my understanding In-Reply-To and References were added to the earlier message correctly but the list server put them in the Web based message body as plain text rather than hyperlinks. The Message-id value in the message body is a hyperlink. Does the list server need the hyperlinks in the message body to propagate links in the next message? At present I don't have any other explanation. Documentation wouldn't be a bad idea. =8~)

From: Andy Smith
Date: Mon, 30 Sep 2019 15:46:44 +
> You break threads ...

Threading might have been solved back in July as David W. mentioned. If it was I've forgotten a detail.

Hypothetically the mailing list software might filter out some threading syntax errors. Better to enforce syntax in a clear way than to have random errors and complaints.

Regards,... Peter E.

--
https://en.wikibooks.org/wiki/Medical_Machines
https://en.wikibooks.org/wiki/Oberon
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Wed, 09 Oct 2019 07:25:39 -0700 pe...@easthope.ca wrote:

> From: Andy Smith
> Date: Sun, 29 Sep 2019 23:03:14 +
> > So I think we really do still need to know more about your use
> > case.
>
> https://en.wikipedia.org/wiki/Oberon_(operating_system)
> https://en.wikibooks.org/wiki/Oberon
>
> I tried to make the original question as specific as possible.

You may have tried but you have failed.

First, this is a Debian Linux support list, not an Oberon support list. So I fail to see the relevance of Oberon to the issue.

Second, several people have asked just what you are trying to do, and all you have done is obfuscate the matter.

If you want to have multiple shell sessions on the same account on the same computer, telnet is at best an unnecessary complication and at worst a security nightmare.

If you are running a GUI, most desktop environments will allow you to have multiple terminal emulators open. Many of those will allow you multiple tabs, each with a session open.

If you are not running a GUI, CTL-ALT-(F1-F6) will allow you up to six simultaneous logins.

There are ways to get more, such as screen.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Re: Authentication for telnet.
From: Andy Smith
Date: Sun, 29 Sep 2019 23:03:14 +
> It is confusing why you would need to do this to localhost as you
> could just type "bash" (or dash or zsh or whatever) to get a new
> shell. So it would help our understanding if you were to explain
> what your use case is for this new interactive shell session.

Oberon has a client for protocol Telnet and a client for SSH. bash, dash, sudo, rlogin and many other tools don't exist in Oberon. I avoided discussing this deliberately. For most readers it's an annoying digression; for some will cause mental upset.

In most Debian situations, once a user is logged in to the system, a shell session is opened without a password. "telnet localhost" is analogous to that. "ssh localhost" is rarely used. If sitting in a public place, be careful that someone isn't watching when you type the password.

> So I think we really do still need to know more about your use case.

https://en.wikipedia.org/wiki/Oberon_(operating_system)
https://en.wikibooks.org/wiki/Oberon

I tried to make the original question as specific as possible.

Regards, ... Peter E.

--
https://en.wikibooks.org/wiki/Medical_Machines
https://en.wikibooks.org/wiki/Oberon
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
DISCLAIMER & WARNING: Threading may still be incorrect. Tempting as this message might be, if incorrect threading upsets you please stop reading. =8~)

From: David <mailto:bouncingc...@gmail.com>, Sat, 28 Sep 2019 08:15:07 -0700
> > LXTerminal for example, doesn't require authentication. Can telnet
> > work similarly?
> ... no-one has a clue what the actual question ...

When quoting my question you must have read it.

> lxterminal runs a GUI application on your host. It
> uses libc so that your CPU can communicate directly with
> your keyboard and screen in the most efficient way possible
> in GUI land.

OK, thanks. lxterminal has been in routine use here for more than five years. As we are on the subject: does anyone give a password to begin every lxterminal session?

> So telnet ... is a tool for using a *network* protocol to
> communicate with a *remote* host.
> telnet manpage says
> ... communication with another host ...

localhost is a special case. "telnet localhost" is legitimate.

> So that's not efficient at all. Every keystroke goes via the
> network stack, requiring individual client and server
> processes, see https://en.wikipedia.org/wiki/Telnet

In practice, it performs fairly well.

> So the first puzzle is why you seem to be in some way
> comparing two vastly different things, lxterminal and
> telnet.

Different but both give a "shell session" or "console" or whatever the correct name.

> The second puzzle is why you have a legitimate reason
> to 'telnet localhost' because none of us can think of
> a good reason.

OK, another topic to add here. https://en.wikibooks.org/wiki/Oberon/A2 It's a wiki. If interested, please work on it.

> Is this question about software provided by the Debian
> project? Because that is the unspoken assumption here,
> and if that is not the case then our answers might
> be completely irrelevant.

I might have mentioned that I use some software not in a Debian package but many others do also. Didn't strike me as an essential point. Not even interesting to most readers. "Authentication for telnet" is a fairly specific topic. Oh well. Solved now.

Regards, ... P.

--
https://en.wikibooks.org/wiki/Medical_Machines
https://en.wikibooks.org/wiki/Oberon
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Breaking the mail thread. Was: Re: Authentication for telnet.
On Thu, 3 Oct 2019 at 14:20, David wrote:

[...]

Sorry, I didn't see this had already been discussed. (broken threading, gmail interface, didn't read everything before sending anything)
Re: Breaking the mail thread. Was: Re: Authentication for telnet.
On Thu, 3 Oct 2019 at 05:38, Thomas Schmitt wrote:
> Reco wrote:
> > Threading is broken, as usual.
>
> This is probably due to extra characters in the "References:" header:
>
> > > From: pe...@easthope.ca
> > > X-Mailer: Oberon Mail (ejz) on LinuxA2 Gen. 32-bit, rev.8586
> > > To: debian-user@lists.debian.org
> > > Cc: pe...@easthope.ca
> > > References: <[?0;] E1iEER9-0002iD-Bu@joule.invalid> <[?0;] [?0;]
> > > e1iefva-dk...@enotuniq.net> <[?0;] E1iEgrJ-0007Ad-G2@joule.invalid>
> > > <[?0;] E1iElQb-p6-0Y@joule.invalid> <[?0;]
> > > E1iF9u7-jl-Ga@joule.invalid> <[?0;] e1ifbxb-0004sl...@enotuniq.net>
> > > <[?0;] E1iFMAG-OF-L6@joule.invalid> <[?0;]
> > > e1ifnna-0005qx...@enotuniq.net>
>
> Those "[?0;] " should not be inside the <>-brackets.

I wonder if that is related to terminal ANSI colour escape codes, which do include characters of square brackets, digits and semicolon chars.

I wonder if Peter is cutting and pasting that information from a coloured terminal window, and the ANSI colour code is not correctly discarded and so is corrupting his paste.

I got the impression this might be part of his writing process from this message: https://lists.debian.org/debian-user/2019/07/msg01376.html

I wonder if those characters are visible to Peter before and/or after the paste?

Have a wonder-full day :)
Breaking the mail thread. Was: Re: Authentication for telnet.
Hi,

pe...@easthope.ca wrote:
> > Hopefully this is readable.

Reco wrote:
> Threading is broken, as usual.

This is probably due to extra characters in the "References:" header:

> > From: pe...@easthope.ca
> > X-Mailer: Oberon Mail (ejz) on LinuxA2 Gen. 32-bit, rev.8586
> > To: debian-user@lists.debian.org
> > Cc: pe...@easthope.ca
> > References: <[?0;] E1iEER9-0002iD-Bu@joule.invalid> <[?0;] [?0;]
> > e1iefva-dk...@enotuniq.net> <[?0;] E1iEgrJ-0007Ad-G2@joule.invalid>
> > <[?0;] E1iElQb-p6-0Y@joule.invalid> <[?0;]
> > E1iF9u7-jl-Ga@joule.invalid> <[?0;] e1ifbxb-0004sl...@enotuniq.net>
> > <[?0;] E1iFMAG-OF-L6@joule.invalid> <[?0;]
> > e1ifnna-0005qx...@enotuniq.net>

Those "[?0;] " should not be inside the <>-brackets.

@enotuniq.net are Message-Ids from Reco. Like
Message-ID:
@joule.invalid are from pe...@easthope.ca
Message-Id:

(So Oberon Mail at least tries hard to build up a thread graph ...)

Have a nice day :)

Thomas
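Added example, not part of the thread: a check that every entry of a References header is a bare `<id-left@id-right>` token, plus removal of the literal "[?0;] " residue shown in the header above. The header value and the function names are constructed for illustration, and the msg-id pattern is a simplification of RFC 5322 that only forbids whitespace and nested angle brackets.

```shell
#!/bin/sh
# Added example: validate and repair a References header value.

# Split a header value into its <...> tokens, one per line.
msgids() {
    printf '%s\n' "$1" | grep -o '<[^>]*>'
}

# Print "ok <id>" or "bad <id>" for each token. A token is accepted only
# if it is <left@right> with no whitespace and no extra angle brackets.
check_references() {
    msgids "$1" | while IFS= read -r id; do
        if printf '%s\n' "$id" | grep -Eq '^<[^<>[:space:]]+@[^<>[:space:]]+>$'; then
            echo "ok  $id"
        else
            echo "bad $id"
        fi
    done
}

# Number of tokens that fail the check.
bad_count() {
    check_references "$1" | grep -c '^bad'
}

# Remove every literal "[?0;]" plus the spaces after it, which is the
# residue quoted in the thread. Nothing else is rewritten.
repair_references() {
    printf '%s\n' "$1" | sed 's/\[?0;\] *//g'
}

# Constructed header value imitating the damage described in the thread.
SAMPLE='<[?0;] a1@joule.invalid> <b2@example.invalid> <[?0;] [?0;] c3@example.invalid>'

echo "before repair:"
check_references "$SAMPLE"
echo "after repair:"
check_references "$(repair_references "$SAMPLE")"
```

A mail client can run a check like this just before sending, so a damaged header is caught locally rather than by readers of the list.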
Re: Authentication for telnet.
Hi.

On Wed, Oct 02, 2019 at 11:52:51AM -0700, pe...@easthope.ca wrote:
> Hopefully this is readable.

It is. Threading is broken, as usual.

> > Hence aforementioned "echo" command above.
>
> Ie.
> > 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd
> > /usr/sbin/telnetd -a none -E /bin/bash' >> /etc/inetd.conf
>
> To my understanding that would wipe out all the other services.
> I read your instruction as illustrative rather than literal.

No, ">>" is interpreted as "append" by any POSIX-compliant shell. Your contents of inetd.conf are safe ;)

> With any luck, maintainers will remove the legacy telnetd
> from distribution; sooner or later.

As long as they keep busybox intact - there's little harm in removing telnetd.

Reco
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 11:52:51AM -0700, pe...@easthope.ca wrote:
> Hopefully this is readable.
>
> From: Reco , Wed, 2 Oct 2019 09:45:12 +0300
> > No, it should not be there because it disables telnetd this way.
>
> Thanks.
>
> > Hence aforementioned "echo" command above.
>
> Ie.
> > 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd
> > /usr/sbin/telnetd -a none -E /bin/bash' >> /etc/inetd.conf
>
> To my understanding that would wipe out all the other services.
> I read your instruction as illustrative rather than literal.

No, that ">>" would append to the file.

Cheers
-- t
Re: Authentication for telnet.
Hopefully this is readable.

From: Reco , Wed, 2 Oct 2019 09:45:12 +0300
> No, it should not be there because it disables telnetd this way.

Thanks.

> Hence aforementioned "echo" command above.

Ie.
> 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd
> /usr/sbin/telnetd -a none -E /bin/bash' >> /etc/inetd.conf

To my understanding that would wipe out all the other services. I read your instruction as illustrative rather than literal.

With any luck, maintainers will remove the legacy telnetd from distribution; sooner or later.

Thanks for the help, ... P.

--
https://en.wikibooks.org/wiki/Medical_Machines
https://en.wikibooks.org/wiki/Oberon
Tel: +1 604 670 0140
Bcc: peter at easthope. ca
Re: Authentication for telnet.
On 2019-10-02, Greg Wooledge wrote:
> On Wed, Oct 02, 2019 at 04:55:29PM -, Curt wrote:
>> On 2019-10-02, Greg Wooledge wrote:
>> > On Wed, Oct 02, 2019 at 09:45:12AM +0300, Reco wrote:
>> >
>> > So, I'm done with you. I'm adding you to the same file that the
>> > illustrious Mr. Owlett is in, so I never have to read your mangled,
>> > nonsensical crap again.
>> >
>>
>> Aren't you delivering the right message to the wrong person (Mr. Reco?).
>
> I thought it was clear enough from context that I was responding to
> peter's text, even though he was not the outermost layer of citation,
> that I didn't bother to specify the person.
>

Sorry. I thought responding to Reco's post in order to deliver a message intended for Peter was unintentional.

--
"There are no foreign lands. It is the traveler only who is foreign."
-- Robert Louis Stevenson
Re: Authentication for telnet.
On Tuesday, October 01, 2019 01:40:51 PM Thomas Schmitt wrote:
> David wrote:
> > > Oh dear, I'm sorry again, this time for mixing you up with Thomas!
>
> to...@tuxteam.de wrote:
> > I can't know how Thomas feels about it.
>
> I regularly run whoami to avoid any local confusion.

Thanks, I needed that! (I should start doing that ;-)
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 04:55:29PM -, Curt wrote: > On 2019-10-02, Greg Wooledge wrote: > > On Wed, Oct 02, 2019 at 09:45:12AM +0300, Reco wrote: > > > > So, I'm done with you. I'm adding you to the same file that the > > illustrious Mr. Owlett is in, so I never have to read your mangled, > > nonsensical crap again. > > > > Aren't you delivering the right message to the wrong person (Mr. Reco?). I thought it was clear enough from context that I was responding to peter's text, even though he was not the outermost layer of citation, that I didn't bother to specify the person.
Re: Authentication for telnet.
On Tuesday, October 01, 2019 11:08:09 AM Brad Rogers wrote: > On Wed, 2 Oct 2019 00:54:19 +1000 > David wrote: > > Hello David, > > >I've written a few shitty messages to this list too, when people don't > >meet my expectations of behaviour. But usually when I'm finished, > >I press "delete" instead of "send", and then find something fun to > > Been there, done that. Quite cathartic. It's a good thing to do. Too often, I write a message like that with the intent to delete it, but then send it anyway to avoid wasting the effort ;-)
Re: Authentication for telnet.
On 2019-10-02, Greg Wooledge wrote: > On Wed, Oct 02, 2019 at 09:45:12AM +0300, Reco wrote: > > So, I'm done with you. I'm adding you to the same file that the > illustrious Mr. Owlett is in, so I never have to read your mangled, > nonsensical crap again. > Aren't you delivering the right message to the wrong person (Mr. Reco?). -- "There are no foreign lands. It is the traveler only who is foreign." -- Robert Louis Stevenson
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 09:45:12AM +0300, Reco wrote: > On Tue, Oct 01, 2019 at 09:12:42PM -0700, pe...@easthope.ca wrote: > > peter@joule:~$ grep telnet /etc/inetd.conf > > ## telnet stream tcp nowait root /usr/sbin/tcpd > > /usr/sbin/telnetd -a none -E /bin/bash > > > > Not sure ## should be there. Have yet to find an explanation for it. > > No, it should not be there because it disables telnetd this way. Hence > aforementioned "echo" command above. And Debian disables telnetd this way because no sensible Linux distribution would enable telnetd by default. They gave you the rope and the instructions. It's up to you to actually tie the noose around your own neck. Just delete the stupidly obvious this-line-is-commented-out-on-purpose token, and then reload inetd. If you don't know how to do those things, or if you can't figure this out just by glancing at the configuration file, then you have zero business fucking with telnetd. Here, here's the source code showing the script that does this. https://sources.debian.org/src/inetutils/2:1.9.4-7/debian/inetutils-telnetd.postinst/ They didn't even bother putting a comment in the script, because it's so bleedingly obvious to every single person reading this script why they would insert the configuration line in a disabled state. telnetd is INSECURE and SHOULD NOT BE USED unless you have an incredibly good, specific, well-thought-out, EXPLICITLY STATED reason. You have not stated ANY reasons for your requests. NONE. Despite MANY people asking you to do so. Despite REPEATED warnings. So, I'm done with you. I'm adding you to the same file that the illustrious Mr. Owlett is in, so I never have to read your mangled, nonsensical crap again.
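The message above turns on two facts about `/etc/inetd.conf`: a line starting with `#` is ignored by inetd, and the entry discussed in the thread (`-a none -E /bin/bash`, run as root) replaces the login step with a shell. The script below is an added example, not part of the thread or of any Debian package, that reports how each telnet entry in such a file is configured; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report telnet entries in an inetd.conf-style file.
# Function names and the sample file are constructed for illustration.

# audit_inetd FILE -> one line per telnet entry: STATUS|USER|FINDINGS
audit_inetd() {
    awk '
    {
        status = "enabled"
        # inetd skips every line that starts with "#", so the "## telnet ..."
        # entry quoted in the thread is present but switched off.
        if ($0 ~ /^[ \t]*#/) {
            status = "disabled"
            sub(/^[ \t]*#+[ \t]*/, "")    # drop the marker; awk re-splits $0
        }
        # Fields: service socket-type protocol wait user server-program args...
        if (NF < 6 || $1 != "telnet" || $2 != "stream") next

        findings = ""
        split($5, owner, /[.:]/)          # the user field may carry a group
        if (owner[1] == "root") findings = findings ",runs-as-root"
        for (i = 7; i < NF; i++) {
            if ($i == "-a" && $(i + 1) == "none")
                findings = findings ",auth-disabled"
            if (($i == "-E" || $i == "-L") && $(i + 1) != "/bin/login")
                findings = findings ",login-replaced=" $(i + 1)
        }
        if (findings == "") findings = ",cleartext-only"
        printf "%s|%s|%s\n", status, $5, substr(findings, 2)
    }' "$1"
}

# has_unauthenticated_telnet FILE -> exit status 0 when an enabled telnet
# entry has authentication turned off or the login program replaced.
has_unauthenticated_telnet() {
    audit_inetd "$1" | grep -Eq '^enabled\|.*(auth-disabled|login-replaced)'
}

# write_sample FILE -> constructed inetd.conf content modelled on the thread.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
## telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ftpd
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_inetd "$sample"
if has_unauthenticated_telnet "$sample"; then
    echo "enabled telnet entry hands out a shell without login" >&2
fi
rm -f "$sample"
```

On a host where telnetd is not wanted, the audit should print nothing or only `disabled` lines.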
Re: Authentication for telnet.
On Tue, Oct 01, 2019 at 09:12:42PM -0700, pe...@easthope.ca wrote: > From: Reco , Tue, 1 Oct 2019 09:48:09 +0300 > > 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd > > /usr/sbin/telnetd -a none -E /bin/bash' >> /etc/inetd.conf > > peter@joule:~$ grep telnet /etc/inetd.conf > ## telnet stream tcp nowait root /usr/sbin/tcpd > /usr/sbin/telnetd -a none -E /bin/bash > > Not sure ## should be there. Have yet to find an explanation for it. No, it should not be there because it disables telnetd this way. Hence aforementioned "echo" command above. Reco
Re: Authentication for telnet.
From: Reco Tue, 1 Oct 2019 22:26:35 +0300 > apt install inetutils-telnetd openbsd-inetd root@joule:~# dpkg -l | grep inet ii inetutils-telnetd 2:1.9.4-7 i386 telnet server ii openbsd-inetd 0.20160825-4 i386 OpenBSD Internet Superserver ii update-inetd 4.49 all inetd configuration file updater From: Reco , Tue, 1 Oct 2019 09:48:09 +0300 > 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd > /usr/sbin/telnetd -a none -E /bin/bash' > /etc/inetd.conf peter@joule:~$ grep telnet /etc/inetd.conf ## telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash Not sure ## should be there. Have yet to find an explanation for it. > 3) service openbsd-inetd restart Executes with no report to the terminal. > 4) telnet localhost peter@joule:~$ telnet localhost Trying ::1... Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused Whereas the legacy telnetd accepted the connection. That's why I used the legacy telnetd. Tomorrow I might look for debug info for inetutils-telnetd. Thanks,... Peter E. -- https://en.wikibooks.org/wiki/Medical_Machines https://en.wikibooks.org/wiki/Oberon Tel: +1 604 670 0140 Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Tue, Oct 01, 2019 at 07:40:51PM +0200, Thomas Schmitt wrote: > Hi, > > David wrote: > > > Oh dear, I'm sorry again, this time for mixing you up with Thomas! > > to...@tuxteam.de wrote: > > I can't know how Thomas feels about it. > > I regularly run whoami to avoid any local confusion. Thanks for the hint. I'll do from now on :) Cheers -- t
Re: Authentication for telnet.
Hi. On Tue, Oct 01, 2019 at 10:42:20AM -0700, pe...@easthope.ca wrote: > > Try it: > > > > 1) apt install inetutils-inetd openbsd-inetd > > Debian 10 allows me to install one or the other but not both. > I removed inetutils-inetd and installed openbsd-inetd. There's this saying here involving a good engineer and their lack of squeamishness *and* the need of attentiveness. Apparently I lack the latter today. apt install inetutils-telnetd openbsd-inetd Reco
Re: Authentication for telnet.
From: Reco , Tue, 1 Oct 2019 09:48:09 +0300 > I fail to see how that's "OK". "OK" was only my acknowledgement of your instruction or suggestion. Not a confirmation of success. > Try it: > > 1) apt install inetutils-inetd openbsd-inetd Debian 10 allows me to install one or the other but not both. I removed inetutils-inetd and installed openbsd-inetd. > 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd > /usr/sbin/telnetd -a none -E /bin/bash' > /etc/inetd.conf peter@joule:~$ dpkg -l | grep telnet /etc/inetd.conf telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd -a none -E /bin/bash > 3) service openbsd-inetd restart Executes with no report to the terminal. > 4) telnet localhost peter@joule:~$ telnet localhost Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. telnetd: a: unknown option Usage: telnetd [-debug port] [-D (options|report|exercise|netdata|ptydata)] [-h] [-L login_program] [-n] Connection closed by foreign host. Appears the -a option is not available. Regards,... Peter E. -- https://en.wikibooks.org/wiki/Medical_Machines Tel: +1 604 670 0140 Bcc: peter at easthope. ca
Re: Authentication for telnet.
Hi, David wrote: > > Oh dear, I'm sorry again, this time for mixing you up with Thomas! to...@tuxteam.de wrote: > I can't know how Thomas feels about it. I regularly run whoami to avoid any local confusion. Have a nice day :) Thomas
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 01:57:34AM +1000, David wrote: > On Wed, 2 Oct 2019 at 01:49, wrote: > > On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote: > > > > You are Mr "have a nice day" after all :) > > > No, that is Thomas (our names are pretty similar, but he is > > far less grumpy than me and besides he has quite a bit of > > free software out there to show :) > > Oh dear, I'm sorry again, this time for mixing you up with Thomas! I can't know how Thomas feels about it. Myself, I feel honoured :-) No worries, really. Cheers -- t
Re: Authentication for telnet.
On Wed, 2 Oct 2019 at 01:49, wrote: > On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote: > > You are Mr "have a nice day" after all :) > No, that is Thomas (our names are pretty similar, but he is > far less grumpy than me and besides he has quite a bit of > free software out there to show :) Oh dear, I'm sorry again, this time for mixing you up with Thomas! I'm embarrassed about that. I can be a bit hopeless with details sometimes, my recall memory is unreliable. But to the best of my recall you are both extremely polite people ;p
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote: > On Wed, 2 Oct 2019 at 01:16, wrote: > > On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote: > > > > I've written a few shitty messages to this list too [...] > > I'm sorry, the word "too" should not appear in my sentence > above, I did not notice that it carries implications that I did > not intend, please ignore it. > > I certainly do not wish to describe any messages written by > anyone as "shitty". That meaning was unintended. No problem, you'll find enough to back up your claim. Pick a couple of mine ;-D > > I hope mine wasn't too harsh, though. > > Not at all tomas. > > I was extrapolating and making a broad statement about what we > do here. I was certainly not calling anyone into line, I am not > qualified to do so. > > You are Mr "have a nice day" after all :) No, that is Thomas (our names are pretty similar, but he is far less grumpy than me and besides he has quite a bit of free software out there to show :) Cheers -- t
Re: Authentication for telnet.
On Wed, 2 Oct 2019 00:54:19 +1000 David wrote: Hello David, >I've written a few shitty messages to this list too, when people don't >meet my expectations of behaviour. But usually when I'm finished, >I press "delete" instead of "send", and then find something fun to Been there, done that. Quite cathartic. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" I'm surfing on a wave of nostalgia for an age yet to come Nostalgia - Buzzcocks
Re: Authentication for telnet.
On Wed, 2 Oct 2019 at 01:16, wrote: > On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote: > > I've written a few shitty messages to this list too [...] I'm sorry, the word "too" should not appear in my sentence above, I did not notice that it carries implications that I did not intend, please ignore it. I certainly do not wish to describe any messages written by anyone as "shitty". That meaning was unintended. > I hope mine wasn't too harsh, though. Not at all tomas. I was extrapolating and making a broad statement about what we do here. I was certainly not calling anyone into line, I am not qualified to do so. You are Mr "have a nice day" after all :)
Re: Authentication for telnet.
On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote: > On Tue, 1 Oct 2019 at 22:57, wrote: > > On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote: > > > > Why in the hell [...] > > > Now try in a more polite and friendly way. [...] > > > Thanks for trying :) > > I agree that polite and friendly is the goal. > > I see that a polite way was tried already by several people. > > When people ask for help, but then avoid being helped, it's dubious > behaviour. In a forum like this, such situations occur from time to > time. Yes, it's sometimes difficult, I know. And especially Greg is known for generally helpful and very knowledgeable posts here. > I've written a few shitty messages to this list too [...] Who hasn't? I'm sure I've my score of them, publicly documented. I'm glad if someone stops me, in those cases. I hope mine wasn't too harsh, though. Cheers -- t
Re: Authentication for telnet.
On Tue, 1 Oct 2019 at 22:57, wrote: > On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote: > > Why in the hell [...] > Now try in a more polite and friendly way. [...] > Thanks for trying :) I agree that polite and friendly is the goal. I see that a polite way was tried already by several people. When people ask for help, but then avoid being helped, it's dubious behaviour. In a forum like this, such situations occur from time to time. Sometimes a means of self-protection is required, especially for people who expend effort to help others without reward. There will always be people who don't communicate well, or those who will take what suits them, perhaps repeatedly, but will never give back anything, except perhaps negativity. That's to be expected. But the worst effect of community-parasites (trolls, help vampires, etc) is when they trigger conflict amongst the active, contributing, valuable members of the communities that they feed off. Let's have sufficient awareness to avoid that here. I don't like to see bickering or denigration of anyone here, but especially regular contributors with expertise. The people who do give back. And especially when questions are not even about Debian-project software. I've written a few shitty messages to this list too, when people don't meet my expectations of behaviour. But usually when I'm finished, I press "delete" instead of "send", and then find something fun to do instead :) To everyone who contributes here ... thank you for your work!
Re: Authentication for telnet.
On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote: [...] > Why in the hell is anyone running telnetd in 2019? > > What is the PURPOSE of this idiocy? To recreate that 1992 feeling? For > nostalgia? Now try in a more polite and friendly way. Then you'd have a chance of achieving something useful (instead of unleashing yet another useless BOFH [1] pissing contest). Thanks for trying :) [1] https://en.wikipedia.org/wiki/BOFH -- t
Re: Authentication for telnet.
On Tue, Oct 01, 2019 at 09:48:09AM +0300, Reco wrote: > On Mon, Sep 30, 2019 at 09:36:51PM -0700, pe...@easthope.ca wrote: > > peter@joule:~$ grep telnet /etc/inetd.conf > > telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user > > # Restart inetd. Why in the hell is anyone running telnetd in 2019? What is the PURPOSE of this idiocy? To recreate that 1992 feeling? For nostalgia? Is the machine at least network-less? Because introducing a security hole of this magnitude on an Internetworked machine would be unforgiveable. > I fail to see how that's "OK". Ditto! > > Then the result from telnet to localhost is in this little screenshot. > > http://easthope.ca/TelnetScreenshot.jpg > > Please copy text to the mail next time. Ditto! Or maybe, because this machine isn't networked, he had to take a photograph. No doubt using actual film, and then developing it, and then scanning it in on a flatbed scanner. You know, because he lives in 1992.
Re: Authentication for telnet.
On Mon, Sep 30, 2019 at 09:36:51PM -0700, pe...@easthope.ca wrote: > From: Reco > Date: Sat, 28 Sep 2019 19:23:45 +0300 > > telnetd(8), "-a" and "-L" parameters. > > OK. > peter@joule:~$ grep telnet /etc/inetd.conf > telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user > # Restart inetd. I fail to see how that's "OK". Where's "-L" (OK, it's "-E")? Why the in.telnetd, not the conventional telnetd? Try it: 1) apt install inetutils-inetd openbsd-inetd 2) echo 'telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash' > /etc/inetd.conf 3) service openbsd-inetd restart 4) telnet localhost > Then the result from telnet to localhost is in this little screenshot. > http://easthope.ca/TelnetScreenshot.jpg Please copy text to the mail next time. Reco
Re: Authentication for telnet.
From: Reco Date: Sat, 28 Sep 2019 19:23:45 +0300 > telnetd(8), "-a" and "-L" parameters. OK. peter@joule:~$ grep telnet /etc/inetd.conf telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user # Restart inetd. Then the result from telnet to localhost is in this little screenshot. http://easthope.ca/TelnetScreenshot.jpg So in Debian 10 the manual for telnetd mentions -a but the screenshot suggests it is deprecated. The -L parameter might work; if I can find a suitable null procedure. Eg. grep telnet /etc/inetd.conf telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -L /bin/null This null is fictitious of course. Concrete ideas welcome. Thanks, ... P. -- https://en.wikibooks.org/wiki/Medical_Machines Tel: +1 604 670 0140 Bcc: peter at easthope. ca
Re: Authentication for telnet.
On 2019-09-30 16:46, Andy Smith wrote: Hello, On Sun, Sep 29, 2019 at 07:28:45PM -0700, pe...@easthope.ca wrote: From: pe...@easthope.ca Date: Sat, 28 Sep 2019 08:15:07 -0700 > Opening a terminal emulator in default configuration on localhost, ... Localhost; not hosts. It's easy to get confused because your posting style is incredibly difficult to follow. You break threads and give very little detail. Help us to help you. > ... telnet opens in about 1 s. ... ssh requires about 15 s. If your SSH takes 15 seconds to connect to localhost then you have a configuration issue. As a first guess, check you do not have it using DNS. If it takes that long and eventually connects likely it's something like sshd is trying to figure out from its config file how it is supposed to authenticate, can't, so tries various methods until it finds one that works. "ssh -v localhost" might give you some hint as to where in the connection/login process the time is being spent. But because of your reluctance to tell us exactly what you're trying to do, we don't even know if ssh is the best tool for the job. Cheers, Andy -- Key ID4BFEBB31
Re: Authentication for telnet.
Hello, On Sun, Sep 29, 2019 at 07:28:45PM -0700, pe...@easthope.ca wrote: > From: pe...@easthope.ca > Date: Sat, 28 Sep 2019 08:15:07 -0700 > > Opening a terminal emulator in default configuration on localhost, ... > > Localhost; not hosts. It's easy to get confused because your posting style is incredibly difficult to follow. You break threads and give very little detail. Help us to help you. > > ... telnet opens in about 1 s. ... ssh requires about 15 s. If your SSH takes 15 seconds to connect to localhost then you have a configuration issue. As a first guess, check you do not have it using DNS. "ssh -v localhost" might give you some hint as to where in the connection/login process the time is being spent. But because of your reluctance to tell us exactly what you're trying to do, we don't even know if ssh is the best tool for the job. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Authentication for telnet.
Andy Smith wrote: > > Is it a case that the hosts you are dealing with are too > underpowered CPU-wise to cope with SSH's encryption? > For what it's worth, I used to routinely SSH in to an appliance running on an extremely underpowered CPU (by today's standards), a 30 MHz MIPS core. The initial setup of the session could take an obnoxiously long time -- 15 to 20 seconds -- but everything was smooth after that. -dsr-
Re: Authentication for telnet.
On Mon, 30 Sep 2019 at 15:55, Tixy wrote: > On Mon, 2019-09-30 at 14:43 +1000, David wrote: > > A final puzzle is that I vaguely recall from other > > messages that you use something named Oberon. > It came up in the discussion of why he breaks threads every time he > posts to this list. The X-Mailer header in his emails says 'Oberon > Mail' and it seems that MUA doesn't set In-Reply-To or References like > it should do. Ah yeah, thanks for the reminder. And furthermore ... On Mon, 30 Sep 2019 at 08:15, wrote: > From: Reco Date: Sat, 28 Sep 2019 19:23:45 +0300 > > I have to ask - what are you trying to achieve? > An interactive shell session with minimal overhead. (Or maximal > efficiency.) The telnet client in the Oberon subsystem is noticeably > faster than competitors. I now notice that the reason that "Oberon" was lurking somewhere in my mind as a possible relevant factor is because Peter had in fact mentioned it earlier in this discussion.
Re: Authentication for telnet.
On Sun, Sep 29, 2019 at 02:36:02PM -0700, pe...@easthope.ca wrote: > From: Reco > Date: Sat, 28 Sep 2019 19:23:45 +0300 > > I have to ask - what are you trying to achieve? > > An interactive shell session with minimal overhead. (Or maximal > efficiency.) The telnet client in the Oberon subsystem is noticeably > faster than competitors. apt install xterm. Or press Ctrl+Alt+F2, no software installation required. > > ... your request seems to be awfully close to (in)famous A/B > > problem, ... > > I might have read about the A/B Problem years ago but don't recall or > understand well enough. You ask how to do an "A" while what you really need is to do "B", but you don't tell about "B" at all. AKA Perl's "XY" problem - [1]. > > telnetd(8), "-a" and "-L" parameters. > > Just had a look at the parameters (again?) and don't have a clear idea > to set them. Tips welcome. telnetd -a none -L /bin/bash Reco [1] https://www.perlmonks.org/?node=XY+Problem
Re: Authentication for telnet.
On Mon, 2019-09-30 at 14:43 +1000, David wrote: [...] > A final puzzle is that I vaguely recall from other > messages that you use something named Oberon. It came up in the discussion of why he breaks threads every time he posts to this list. The X-Mailer header in his emails says 'Oberon Mail' and it seems that MUA doesn't set In-Reply-To or References like it should do. > I'm totally ignorant about Oberon, so I looked at > wikipedia [1] which says that Oberon is an operating > system with an unusual user interface. > So I feel a need to ask, is Oberon involved here? -- Tixy
Re: Authentication for telnet.
On Sun, 29 Sep 2019 at 01:33, wrote: > Opening a terminal emulator in default configuration on localhost, > LXTerminal for example, doesn't require authentication. Can telnet > work similarly? Ie. "telnet localhost" succeeds without login. Ok, the guessing game continues, we're all trying to help you but no-one has a clue what the actual question is, or why, so I'll take a turn... About lxterminal: lxterminal runs a GUI application on your host. It uses libc so that your CPU can communicate directly with your keyboard and screen in the most efficient way possible in GUI land. About telnet: telnet manpage says """ used for interactive communication with another host using the TELNET protocol """ So telnet ... is a tool for using a *network* protocol to communicate with a *remote* host. So that's not efficient at all. Every keystroke goes via the network stack, requiring individual client and server processes, see https://en.wikipedia.org/wiki/Telnet The guessing game: So the first puzzle is why you seem to be in some way comparing two vastly different things, lxterminal and telnet. The second puzzle is why you have a legitimate reason to 'telnet localhost' because none of us can think of a good reason. So until you tell us what the good reason is then it appears to us that you are doing something apparently ridiculous due to ignorance (yours or ours). This is a crucial question, please don't skip it if you reply. The third puzzle is whether or not you have a telnet server running on localhost and allowed by any firewall. Because you wrote that > "telnet localhost" succeeds without login. Please show what output do you get when you run 'telnet localhost'. Does it succeed now without login, or is that your unachieved goal? The fourth puzzle is what actually is your actual question. You wrote: > Can this be accomplished by configuration of PAM ? But it's unclear what the word "this" in that sentence actually refers to. 
A final puzzle is that I vaguely recall from other messages that you use something named Oberon. I'm totally ignorant about Oberon, so I looked at wikipedia [1] which says that Oberon is an operating system with an unusual user interface. So I feel a need to ask, is Oberon involved here? Is this question about software provided by the Debian project? Because that is the unspoken assumption here, and if that is not the case then our answers might be completely irrelevant. [1] https://en.wikipedia.org/wiki/Oberon_(operating_system)
Re: Authentication for telnet.
From: Andy Smith Date: Sun, 29 Sep 2019 22:51:22 + > Is it a case that the hosts you are dealing with ... From: pe...@easthope.ca Date: Sat, 28 Sep 2019 08:15:07 -0700 > Opening a terminal emulator in default configuration on localhost, ... Localhost; not hosts. Also, From: peasth...@shaw.ca Date: Mon, 14 Jun 2010 11:03:50 -0700 > ... inside my Shorewalled network. From: Andy Smith Date: Sun, 29 Sep 2019 22:51:22 + > Is it a case that the hosts you are dealing with are too > underpowered CPU-wise to cope with SSH's encryption? From: peasth...@shaw.ca Date: Mon, 14 Jun 2010 11:03:50 -0700 > ... telnet opens in about 1 s. ... ssh requires about 15 s. Any computer built since 1990 should be able to run a plain old terminal session. Regards, ... P. -- https://en.wikibooks.org/wiki/Medical_Machines Tel: +1 604 670 0140 Bcc: peter at easthope. ca
Re: Authentication for telnet.
On Sun, Sep 29, 2019 at 10:51:22PM +, Andy Smith wrote: > On Sun, Sep 29, 2019 at 02:36:02PM -0700, pe...@easthope.ca wrote: > > An interactive shell session with minimal overhead. (Or maximal > > efficiency.) > I am old enough to remember how we used to remotely manage machines > before SSH was invented: rlogin. Oh, I see now that you were interested in passwordless equivalent of "telnet localhost". It is confusing why you would need to do this to localhost as you could just type "bash" (or dash or zsh or whatever) to get a new shell. So it would help our understanding if you were to explain what your use case is for this new interactive shell session. If you are in some sort of graphical desktop then as you already say, the usual method is just to open a new terminal emulator. On the console you could switch to a new virtual console ctrl+alt+F1, F2, F3 etc. That would have a login prompt though. Would that solution be good enough if it was automatically logged in as your user? If you are just trying to execute things as another user then su or sudo may be more appropriate. "sudo -u anotheruser -s" gets you an interactive shell session as anotheruser, and can be configured to be passwordless if you like. I mentioned rlogin. With rlogin you can still use it over localhost to switch between users in a passwordless manner. So too could SSH, of course. If it's only to the same host though it seems overkill compared to su or sudo. So I think we really do still need to know more about your use case. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Authentication for telnet.
Hello, On Sun, Sep 29, 2019 at 02:36:02PM -0700, pe...@easthope.ca wrote: > From: Reco > > I have to ask - what are you trying to achieve? > > An interactive shell session with minimal overhead. (Or maximal > efficiency.) The telnet client in the Oberon subsystem is noticeably > faster than competitors. Because such a thing is hideously insecure, it has fallen into disuse and SSH is the name of the game these days. Even if you do not require the security of SSH, the mere fact that SSH is ubiquitous means that you may have an easier time using SSH for this. Have you tried SSH and found it lacking somehow? Is it a case that the hosts you are dealing with are too underpowered CPU-wise to cope with SSH's encryption? I am old enough to remember how we used to remotely manage machines before SSH was invented: rlogin. You can still install rlogin on Debian, and by crafting a suitable $HOME/.rhosts file you can provide passwordless plain text login capability. "man rlogin" and "man 5 rhosts" should get you going. I still think it is a really bad idea unless SSH is totally out of the question. Finally, it is possible to spawn a shell on a particular port with socat and then use socat at the other end to connect to it, to provide an interactive shell session again with no authentication or encryption. See: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method2usingsocat > > ... your request seems to be awfully close to (in)famous A/B > > problem, ... > > I might have read about the A/B Problem years ago but don't recall or > understand well enough. It's when someone has a problem, and they think a particular method will solve it, so they ask about that method rather than the problem itself. They risk missing a much better solution because they focussed on the particular method they knew of. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Authentication for telnet.
From: Reco Date: Sat, 28 Sep 2019 19:23:45 +0300 > I have to ask - what are you trying to achieve? An interactive shell session with minimal overhead. (Or maximal efficiency.) The telnet client in the Oberon subsystem is noticeably faster than competitors. > ... your request seems to be awfully close to (in)famous A/B > problem, ... I might have read about the A/B Problem years ago but don't recall or understand well enough. > telnetd(8), "-a" and "-L" parameters. Just had a look at the parameters (again?) and don't have a clear idea to set them. Tips welcome. Regards, ... Peter E. -- https://en.wikibooks.org/wiki/Medical_Machines Tel: +1 604 670 0140 Bcc: peter at easthope. ca
Re: Authentication for telnet.
Hi. On Sat, Sep 28, 2019 at 08:15:07AM -0700, pe...@easthope.ca wrote: > Opening a terminal emulator in default configuration on localhost, > LXTerminal for example, doesn't require authentication. Can telnet > work similarly? Ie. "telnet localhost" succeeds without login. > > Can this be accomplished by configuration of PAM ? telnetd(8), "-a" and "-L" parameters. No PAM configuration required. But your request seems to be awfully close to (in)famous A/B problem, so I have to ask - what are you trying to achieve? Reco
Authentication for telnet.
Opening a terminal emulator in default configuration on localhost, LXTerminal for example, doesn't require authentication. Can telnet work similarly? Ie. "telnet localhost" succeeds without login. Can this be accomplished by configuration of PAM ? Thanks,... Peter E. -- https://en.wikibooks.org/wiki/Medical_Machines Tel: +1 604 670 0140 Bcc: peter at easthope. ca