Re: anyone using telnet
on Mon, Mar 19, 2001 at 01:07:51PM -0400, Peter Cordes ([EMAIL PROTECTED]) wrote:
> > Don't even bother with telnet, it's obsolete. Install sshd on any
> > machines that don't have it yet, and don't install telnet on the
> > public machine.

On Wed, Mar 21, 2001 at 11:46:34PM -0800, [EMAIL PROTECTED] wrote:
> In this context, I agree with the statements above (a public access
> kiosk should use SSH). However, telnet of itself remains a useful
> _client_, largely for accessing arbitrary services for testing. I would
> tend to support rooting out all instances of telnet _daemons_ (servers).
> However I don't see a great deal of harm in providing a telnet client
> to informed users. Likely not those you'd find on a public access
> system.

I don't even use it for that. I install netcat on all of my boxes that I
test from, and it works great, and it exits with a ^C instead of a "^]
quit".

Mike

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: anyone using telnet
On Thu, Mar 22, 2001 at 10:36:21AM -0800, Mike Fedyk wrote:
> I don't even use it for that. I install netcat on all of my boxes that
> I test from, and it works great, and it exits with a ^C instead of a
> "^] quit".

Yes, that's what I was thinking when I said telnet was obsolete.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the
hours! Confound him, too, who in this place set up a sundial, to cut and
hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: anyone using telnet
on Mon, Mar 19, 2001 at 01:07:51PM -0400, Peter Cordes ([EMAIL PROTECTED]) wrote:
> On Mon, Mar 19, 2001 at 08:58:06AM -0300, Pedro Zorzenon Neto wrote:
> > ...
>
> Don't even bother with telnet, it's obsolete. Install sshd on any
> machines that don't have it yet, and don't install telnet on the public
> machine.

In this context, I agree with the statements above (a public access
kiosk should use SSH). However, telnet of itself remains a useful
_client_, largely for accessing arbitrary services for testing. I would
tend to support rooting out all instances of telnet _daemons_ (servers).
However I don't see a great deal of harm in providing a telnet client to
informed users. Likely not those you'd find on a public access system.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
anyone using telnet
Hi,

I'd like anyone to be able to use the local keyboard of some machines to
telnet/ssh to any other machine and use their account on the other
machine.

A simple solution would be to create one account for user "anyone"
without password and restrict its login with rbash to use just
telnet/ssh. Also disallow ftp for user "anyone".

Do you think this is a good solution? Does it open some security hole?

Thanks,
  Pedro
Re: anyone using telnet
When you say "their account" do you mean they have an account on the
machine you're setting up accounts for? Or is this machine some kind of
"public kiosk" where anyone can get on?

Allowing anyone to telnet in is a BAD idea. That means a script kiddie
from Belgium can telnet in. If you want to set up a public setup, make a
username and password, and just post it. Also, this doesn't require the
telnet or ssh daemon to be running (unless you need them for something
else).

Another solution is to use NIS and have everyone's account information
in one location, and share it across the machines.

	-rishi

On Mon, 19 Mar 2001, Pedro Zorzenon Neto wrote:
> Hi,
> I'd like anyone to be able to use the local keyboard of some machines
> to telnet/ssh to any other machine and use their account on the other
> machine.
> A simple solution would be to create one account for user "anyone"
> without password and restrict its login with rbash to use just
> telnet/ssh. Also disallow ftp for user "anyone".
> Do you think this is a good solution? Does it open some security hole?
> Thanks,
>   Pedro
Re: anyone using telnet
On Mon, Mar 19, 2001 at 07:05:58AM -0500, Rishi L Khan wrote:
> When you say "their account" do you mean they have an account on the
> machine you're setting up accounts for? Or is this machine some kind of
> "public kiosk" where anyone can get on?

Yes, it is a kind of "public kiosk". Nobody has logins at the location,
but they can use it to access their accounts somewhere.

> Allowing anyone to telnet in is a BAD idea. That means a script kiddie
> from Belgium can telnet in. If you want to set up a public setup, make
> a username and password, and just post it. Also, this doesn't require
> the telnet or ssh daemon to be running (unless you need them for
> something else).

I don't need them. Nobody will telnet to this machine.

> Another solution is to use NIS and have everyone's account information
> in one location, and share it across the machines.
>
> 	-rishi
>
> On Mon, 19 Mar 2001, Pedro Zorzenon Neto wrote:
> > Hi,
> > I'd like anyone to be able to use the local keyboard of some machines
> > to telnet/ssh to any other machine and use their account on the other
> > machine.
> > A simple solution would be to create one account for user "anyone"
> > without password and restrict its login with rbash to use just
> > telnet/ssh. Also disallow ftp for user "anyone".
> > Do you think this is a good solution? Does it open some security hole?
Re: anyone using telnet
On Mon, Mar 19, 2001 at 12:24:59PM +, Colin Phipps wrote:
> You'll have to tie down the telnet options somehow; looking at
> telnet(1) it has options for logging data etc (I'm thinking of one user
> enabling logging to capture other users' passwords).

this restricted account should not have a writable home directory, the
.bashrc files should have a very restricted environment set, along with
a PATH of ~/bin only with a symlink to ssh and maybe telnet.

anyone using the machine should log it all the way out to a getty and
relogin to ensure no aliases or such are employed to cause troubles..
perhaps a better option even is to setup a menu so that interactive
access to the local shell itself is not possible.

i would also use idled to kill the login after a short period of
inactivity as that can help kill any traps a previous luser might try
and set.

so long as the entire home directory is owned by root and read-only it
shouldn't be possible to make any persistent changes to the account.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: anyone using telnet
On Mon, Mar 19, 2001 at 08:58:06AM -0300, Pedro Zorzenon Neto wrote:
> I'd like anyone to be able to use the local keyboard of some machines
> to telnet/ssh to any other machine and use their account on the other
> machine.
> A simple solution would be to create one account for user "anyone"
> without password and restrict its login with rbash to use just
> telnet/ssh. Also disallow ftp for user "anyone".
> Do you think this is a good solution? Does it open some security hole?

You'll have to tie down the telnet options somehow; looking at telnet(1)
it has options for logging data etc (I'm thinking of one user enabling
logging to capture other users' passwords).

-- 
Colin Phipps                                    http://www.netcraft.com/
Re: anyone using telnet
On Mon, Mar 19, 2001 at 08:58:06AM -0300, Pedro Zorzenon Neto wrote:
> Hi,
> I'd like anyone to be able to use the local keyboard of some machines
> to telnet/ssh to any other machine and use their account on the other
> machine.
> A simple solution would be to create one account for user "anyone"
> without password and restrict its login with rbash to use just
> telnet/ssh. Also disallow ftp for user "anyone".
> Do you think this is a good solution? Does it open some security hole?

Instead of getty on the consoles, make inittab run a program that drops
all privileges, then asks "connect to what machine?", and then runs the
appropriate ssh command. Make sure the program uses exec, instead of
passing it to the shell. That will stop a lot of tricks! Set the ssh
options appropriately. You'll probably want to disable the ssh escape
character and all port forwarding.

Don't even bother with telnet, it's obsolete. Install sshd on any
machines that don't have it yet, and don't install telnet on the public
machine.

Since users will have console access, make sure you turn off rebooting
with the three finger salute, and set a password on lilo so users can't
power cycle the machine and boot with init=/bin/bash. You might even
want to mount the drives read-only, but you should probably have some
kind of logging, in case people are connecting to stuff they shouldn't
be. (ssh won't let people talk to FTP or SMTP servers, though, unlike
telnet. This is a good thing.)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
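Below is a worked version of the program Peter sketches: the inittab-launched prompt that drops privileges, asks "connect to what machine?" and execs ssh with the escape character and all forwarding disabled. It is an added illustration for this page, not code from the thread or from Pedro's eventual setup. It assumes the local account is named "anyone" as in Pedro's post, with home /home/anyone; that ssh is OpenSSH at /usr/bin/ssh; that the console terminal type is "linux"; that inittab starts it as root with a line such as 1:2345:respawn:/usr/local/sbin/kiosk-login; and that the client options -e none, -a, -x, -o ClearAllForwardings=yes and -o PermitLocalCommand=no are accepted (these are current OpenSSH names; the ssh of 2001 may not have had all of them). The two names the user types are checked against a strict whitelist so that neither can begin with "-" and be parsed by ssh as an option (a ProxyCommand, say) or ever reach a shell, which is the point of Peter's "use exec" advice.

```c
/* kiosk-login.c: added illustration of the inittab program Peter describes (not code
 * from the thread).  Assumed: local account "anyone" (Pedro's name) with home
 * /home/anyone, OpenSSH at /usr/bin/ssh, console TERM "linux", current OpenSSH
 * option names, and inittab line 1:2345:respawn:/usr/local/sbin/kiosk-login. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define SSH_PATH   "/usr/bin/ssh"
#define KIOSK_USER "anyone"
#define LOWER "abcdefghijklmnopqrstuvwxyz"
#define UPPER "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define DIGIT "0123456789"

/* s is 1..max bytes, starts with a byte from first and contains only bytes from rest. */
static int only_chars(const char *s, const char *first, const char *rest, size_t max)
{
    size_t len = strlen(s);
    if (len == 0 || len > max || strchr(first, s[0]) == NULL)
        return 0;
    return strspn(s, rest) == len;
}

/* Remote login name: traditional lower-case Unix form [a-z][a-z0-9_-]*. */
int valid_username(const char *s) { return only_chars(s, LOWER, LOWER DIGIT "_-", 32); }

/* Host name or dotted-quad address (':' and so IPv6 literals are refused).  A leading
 * '-' fails the first set, so ssh can never parse it as an option (-oProxyCommand=...). */
int valid_hostname(const char *s)
{
    return only_chars(s, LOWER UPPER DIGIT, LOWER UPPER DIGIT ".-", 253)
        && strstr(s, "..") == NULL && s[strlen(s) - 1] != '.';
}

/* Fixed ssh argument vector: escape character off (-e none), agent and X11 forwarding
 * off (-a -x), all port forwardings cleared, no LocalCommand, "--" so the typed names
 * are never read as options.  Returns argc, or -1 on a bad name or too-small argv. */
int build_ssh_argv(char *argv[], size_t max, const char *user, const char *host,
                   char *dest, size_t dest_len)
{
    static const char *fixed[] = { "ssh", "-e", "none", "-a", "-x",
        "-o", "ClearAllForwardings=yes", "-o", "PermitLocalCommand=no", "--" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (max < n + 2 || !valid_username(user) || !valid_hostname(host) ||
        snprintf(dest, dest_len, "%s@%s", user, host) >= (int)dest_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = (char *)fixed[i];
    argv[n] = dest;                          /* "user@host", caller-owned storage */
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

/* init starts us as root: become the kiosk account before reading any input.  Order
 * matters (groups, gid, uid) and every call is checked; an ignored failure leaves us root. */
static int drop_privileges(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)                      /* must fail, or we are still root */
        return -1;
    return chdir(pw->pw_dir);
}

/* One console line; a line that does not fit is refused, not silently truncated. */
static int prompt(const char *msg, char *buf, size_t len)
{
    fputs(msg, stdout);
    fflush(stdout);
    if (fgets(buf, (int)len, stdin) == NULL || strchr(buf, '\n') == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char user[64], host[64], dest[128], *argv[16];
    /* Clean environment: nothing inherited from the previous session or from init. */
    char *envp[] = { "PATH=/usr/bin:/bin", "HOME=/home/" KIOSK_USER, "TERM=linux", NULL };

    if (drop_privileges(KIOSK_USER) != 0 ||
        prompt("Login name on the remote machine: ", user, sizeof user) != 0 ||
        prompt("Connect to what machine? ", host, sizeof host) != 0 ||
        build_ssh_argv(argv, 16, user, host, dest, sizeof dest) < 0) {
        fputs("kiosk-login: refused\n", stderr);
        sleep(2);      /* init respawns us; the pause keeps a broken setup from spinning */
        return 1;
    }
    execve(SSH_PATH, argv, envp);    /* exec, never a shell: the input reaches only ssh */
    perror(SSH_PATH);
    return 1;
}
```

Build it with cc -o /usr/local/sbin/kiosk-login kiosk-login.c and keep the binary root-owned. It combines naturally with Ethan's root-owned, read-only home directory: ssh will show the host-key fingerprint prompt on every session and report that it cannot add the host to known_hosts there, but it still connects, and nothing a user does persists to the next session. Peter's other points (disabling the three-finger salute, a lilo password, logging) live outside this program and are still needed.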