> Does anyone know how to set up telnetd so only a couple of users can use
> telnet to log in, and the rest must use some other, more secure method,
> such as ssh? I have a few secure guest accounts that I want to allow
> telnet for, while disabling it for everyone who can get to a shell.

AFAIK this can't be done strictly inside of a stock telnetd. The program is not designed for user-based control. Trying to do it outside of telnet is a pain but possible.

Depending upon the version of telnetd you might be able to override the default login. The Debian version allows -L loginprogram to be specified. You could supply your own login program which only allowed logins of the specified user. Check out the man page of in.telnetd for details. I have not tried this myself. Be careful as it is possible to create security holes when doing these types of things.

Even for telnets that don't use an external login program the code for telnetd is free. It would be possible to add a user control feature to the daemon. Grab the source code and hack that in. Put a check for (getuid() == SPECIAL_USER) and you have what you need.

Also, the problem with telnet is that passwords are sent in the clear. Anyone that is able to get the password can log into the account and that is all there is to it. But since you only want to enable this for your 'secure' accounts you probably don't care about that.

You can use 'tcpd' wrappers to allow or deny based upon IP address. IP-based security relies upon the integrity of your network. In a closed isolated network you might be able to claim some security based upon that. Even in a hostile Internet this provides additional security. But it should not be relied upon to keep the crackers out.

In any case, allow / deny based upon an IP address will not block a user from logging in if they are coming from one of the allowed IP addresses. So this fails to meet your description. But you might be able to restrict telnet only from a particular location and that might be enough for you.

Bob
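A sketch of the kind of restricted login program the reply suggests handing to `-L`, added here as an example; it is not code from the original post or from telnetd. The account names are constructed, the wrapper ignores whatever arguments in.telnetd passes it (the page does not show them), and it assumes `/bin/login` is the system login program and accepts `--` as end of options.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed allow-list: the only accounts permitted to log in over telnet. */
static const char *const TELNET_USERS[] = { "guest1", "guest2" };

/* Return 1 only for an exact match against the allow-list. Names are
 * restricted to [a-z0-9_] so a value such as "-froot" can never reach
 * login(1) looking like an option. */
int telnet_user_allowed(const char *name)
{
    size_t i, len = strlen(name);

    if (len == 0 || len > 32)
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    for (i = 0; i < sizeof(TELNET_USERS) / sizeof(TELNET_USERS[0]); i++)
        if (strcmp(name, TELNET_USERS[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char name[64];

    fputs("login: ", stdout);
    fflush(stdout);
    if (fgets(name, sizeof(name), stdin) == NULL)
        return 1;
    name[strcspn(name, "\r\n")] = '\0';

    if (!telnet_user_allowed(name)) {
        /* Same message for every refusal: do not reveal which names exist. */
        puts("Login incorrect");
        return 1;
    }
    /* Assumption: /bin/login is the system login program. It still asks for
     * and checks the password; "--" ends option parsing before the name. */
    execl("/bin/login", "login", "--", name, (char *)NULL);
    perror("execl");
    return 1;
}
```

The wrapper only narrows who may reach the password prompt over telnet; the password itself is still checked by login and still crosses the network in the clear.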