
Re: allowing telnet for only a few users?



> Does anyone know how to set up telnetd so only a couple of users can use
> telnet to log in, and the rest must use some other, more secure method,
> such as ssh? I have a few secure guest accounts that I want to allow
> telnet for, while disabling it for everyone who can get to a shell.

AFAIK this can't be done strictly inside of a stock telnetd.  The
program is not designed for user-based control.  Trying to do it
outside of telnet is a pain but possible.

Depending upon the version of telnetd you might be able to override
the default login.  The debian version allows -L loginprogram to be
specified.  You could supply your own login program which only allowed
logins of the specified user.  Check out the man page of in.telnetd
for details.  I have not tried this myself.  Be careful as it is
possible to create security holes when doing these types of things.

Even for telnets that don't use an external login program the code for
telnetd is free.  It would be possible to add a user control feature
to the daemon.  Grab the source code and hack that in.  Put a check
for (getuid() == SPECIAL_USER) and you have what you need.

Also, the problem with telnet is that passwords are sent in the clear.
Anyone that is able to get the password can log into the account and
that is all there is to it.  But since you only want to enable this
for your 'secure' accounts you probably don't care about that.

You can use 'tcpd' wrappers to allow or deny based upon IP address.
IP-based security relies upon the integrity of your network.  In a
closed, isolated network you might be able to claim some security based
upon that.  Even in a hostile Internet this provides additional
security.  But it should not be relied upon to keep the crackers out.

In any case, allow / deny based upon an IP address will not block a
user from logging in if they are coming from one of the allowed IP
addresses.  So this fails to meet your description.  But you might be
able to restrict telnet only from a particular location and that might
be enough for you.

Bob
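The "supply your own login program" approach from the reply above, written out as an added example; it is not Bob's code, the original poster's, or part of any telnetd distribution.  It assumes the script is installed root-owned and non-writable at the hypothetical path /usr/local/sbin/telnet-login and started with `in.telnetd -L /usr/local/sbin/telnet-login`; that telnetd execs it with whatever options it would otherwise hand to /bin/login (Debian's netkit telnetd passes `-h <remotehost> -p`, which the wrapper forwards unchanged); that the real login program is /bin/login; and that the allowlist `guest1 guest2` is a constructed stand-in for the poster's guest accounts.  Anyone not on the list is refused before /bin/login ever runs, so no password is requested over the cleartext channel for those accounts.

```sh
#!/bin/sh
# telnet-login: wrapper login program for in.telnetd -L (added example,
# hypothetical path /usr/local/sbin/telnet-login; not from the original post).
# Assumes telnetd passes the same options it would pass /bin/login
# (e.g. "-h remotehost -p") and that the real login is /bin/login.

ALLOWED_USERS="${ALLOWED_USERS:-guest1 guest2}"   # constructed allowlist
REAL_LOGIN="${REAL_LOGIN:-/bin/login}"

# is_allowed USER -> returns 0 if USER is on the allowlist, 1 otherwise.
# Whole-token match only, so "guest" does not match "guest1".
is_allowed() {
    for u in $ALLOWED_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# valid_username USER -> returns 0 if USER is a plain account name.
# Rejects empty input, anything starting with '-' (would be parsed as an
# option by login), and anything outside [A-Za-z0-9._-].
valid_username() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# telnet_login_main: prompt for the account name ourselves, decide, and only
# then hand the session to the real login with the name pre-filled.
telnet_login_main() {
    printf 'login: '
    IFS= read -r user || exit 1
    if ! valid_username "$user" || ! is_allowed "$user"; then
        # Log the refusal so the attempt is visible to the admin (syslog via logger).
        logger -t telnet-login "refused telnet login for '$user'" 2>/dev/null
        echo 'Telnet login is not permitted for this account; please use ssh.'
        sleep 2
        exit 1
    fi
    # Forward telnetd's options ("$@") untouched; the checked name goes last.
    exec "$REAL_LOGIN" "$@" "$user"
}

# Run only when executed as the login program, not when sourced for testing.
if [ "${0##*/}" = "telnet-login" ]; then
    telnet_login_main "$@"
fi
```

This only gates the telnet path; /bin/login itself still does the password check and PAM processing for the permitted accounts, and ssh logins are unaffected.  The tcpd point in the reply composes with it: with tcp_wrappers in front of in.telnetd, `in.telnetd : 192.168.1.0/255.255.255.0` in /etc/hosts.allow plus `in.telnetd : ALL` in /etc/hosts.deny (the subnet is a constructed example) confines telnet to one network, and the wrapper above then confines it to the listed accounts from within that network.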
