Re: harden-clients idea

To: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Cc: debian-security@lists.debian.org
Subject: Re: harden-clients idea
From: Peter Cordes <peter@llama.nslug.ns.ca>
Date: Tue, 8 Oct 2002 15:08:25 -0300
Message-id: <[🔎] 20021008180825.GC1335@llama.nslug.ns.ca>
Mail-followup-to: Kjetil Kjernsmo <kjetil@kjernsmo.net>, debian-security@lists.debian.org
In-reply-to: <[🔎] 200210081247.32167.kjetil@kjernsmo.net>
References: <[🔎] 200210081247.32167.kjetil@kjernsmo.net>

On Tue, Oct 08, 2002 at 12:47:32PM +0200, Kjetil Kjernsmo wrote:
> Hi folks!
> 
> I just had an idea the other, er..., night, that still seemed smart when 
> I woke up, so I figured I'll post it here in case it is... :-)
> 
> The problem with e.g. telnet isn't really that it shouldn't be used for 
> anything, but that it shouldn't be used by somebody. It is quite OK to 
> use to check what the webserver responds to a particular request, for 
> example. But, you wouldn't want ma to use it and send her password in 
> cleartext.

 As others have said, netcat (and netcat6 :) are better for network monkeying.

 Telnet has legitimate uses that you didn't mention.  For example,
everyone's favourite socialist institution, the public library in here in
Halifax, Nova Scotia (on the scenic east coast of Canada :) has an online
system that you telnet into.  You can put holds on books, see when the stuff
you have out is due, and do searches on the library catalogue.  Very nice.
It uses the telnet protocol, not just a raw TCP connection, so netcat is
inadequate.  It would be nice if you could use SSH for it, but you can't.  I
don't think they have the CPU power to handle SSH.  (One of the library
admins is on the local LUG mailing list, so I don't think incompetence is a
problem :)

> 
> What I did was that I changed group ownership of /usr/bin/telnet.netkit 
> to staff and made it executable for only root and staff. I figured, 
> something like that could harden-clients do too, configurable through 
> standard means. 

 You might want to make a telnet group, and only add users to it once your
lecture about the dangers of telnet has sunk in.  (i.e. people can only use
telnet once they know not to type anything sensitive into it.)
Alternatively, you could replace the telnet binary with a wrapper that 
allows users to telnet to only a few known telnet servers that you decide to
allow.  Attempts to telnet to other hosts would have the wrapper give a
lecture about the insecurity of telnet :)  You would dpkg-divert
/usr/bin/telnet to /usr/bin/plain-old-insecure-telnet, so people couldn't
use it without either going through the wrapper or typing the fact that
telnet is not secure.  You wouldn't need the wrapper to be setuid or gid,
because what I propose is enough to prevent people from blithely using
telnet without having any idea that it's bad.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC

Reply to:

Follow-Ups:
- Re: harden-clients idea
  - From: martin f krafft <madduck@debian.org>

References:
- harden-clients idea
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

Prev by Date: Re: harden-clients idea
Next by Date: Re: harden-clients idea
Previous by thread: Re: harden-clients idea
Next by thread: Re: harden-clients idea
Index(es):
- Date
- Thread