LinuxQuestions.org
Old 06-16-2007, 03:33 AM   #1
daihard
Member
 
Registered: Jul 2003
Location: Seattle, WA
Distribution: Kubuntu 12.04
Posts: 913

Rep: Reputation: 32
Enabling remote root login for TELNET


Hi.

Yes, I know, this is a rather silly question. Who would want to use telnet instead of ssh today, let alone logging in as root!

Well, my boss wants me to figure out how. Most of our engineers run Windows XP on their workstations, and the standard remote connection software we use only supports telnet, not ssh.

I know that you can simply enable the "PermitRootLogin" parameter in /etc/ssh/sshd_config in order to enable remote root login for ssh. I haven't been able to figure out how to do the same for telnet, though. Could anyone help?

We have FreeBSD 6.1 (x86) and 6.2 (x64).

TIA,
Dai
 
Old 06-16-2007, 04:50 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Why couldn't they install putty? Even better, installing cygwin/X may be the most convenient, because you could run one of the gui config programs. It isn't necessary to allow root logins either.

For example: "ssh -X delllap system-config-services" will allow you to login to ssh as a regular user, and then enter the root password in the gnomesu dialog. Then the program starts up.
Alternatively, you could just "ssh -x <servername>" into the server, and then launch more than one program. You could even have different programs running on different servers and displayed in their own window on XP. Maybe if you did this yourself as a demonstration, you could convince the powers that be that using ssh would be better.

Telnet info:
First of all, is the telnet server even installed on the server? It is probably configured via xinetd.
Look for an /etc/xinet.d/telnet file.
It may have user=root already, but you may need to change disable=yes to disable=no.
Code:
# default: off
# description: Telnet is the old login server which is INSECURE and should \
#       therefore not be used. Use secure shell (openssh).
#       If you need telnetd not to "keep-alives" (e.g. if it runs over a ISDN \
#       uplink), add "-n".  See 'man telnetd' for more details.
service telnet
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = yes
}
I had to install the server temporarily to get this info.

Last edited by jschiwal; 06-16-2007 at 04:53 AM.
 
Old 06-16-2007, 09:32 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by daihard
Yes, I know, this is a rather silly question. Who would want to use telnet instead of ssh today, let alone logging in as root!
I'll see your "silly" and raise you "completely asinine". Someone needs to fire your boss (no joke).

As mentioned there is free software for Windows to support ssh logons. I'm also curious to know why your engineers require root access to the box (rather than sudoer privileges for a couple required applications).
 
Old 06-16-2007, 10:56 AM   #4
daihard
Member
 
Registered: Jul 2003
Location: Seattle, WA
Distribution: Kubuntu 12.04
Posts: 913

Original Poster
Rep: Reputation: 32
Hi guys.

Thanks for the suggestions. As for cygwin/putty/etc, trust me, I have tried before. I thought poor security around telnet was a good enough reason to get rid of it. Unfortunately, it did not work that way. (The feedback from the IT was, "We're inside the corporate LAN. Why would security be an issue?")

I will need to put together a more convincing argument against telnet now.

As for my original "completely asinine" question, I have figured out a way to do that. Apparently FreeBSD does not control the telnet server via xinetd. Instead, they use the file called "/etc/inetd.conf" to control the telnet daemon. Now in order to allow remote root login via telnet, here's the solution I found:
Quote:
1) Open /etc/ttys as root.

2) Append "off secure" to the lines beginning with "tty" as follows.

ttyp0 none network off secure
ttyp1 none network off secure
ttyp2 none network off secure
ttyp3 none network off secure
ttyp4 none network off secure
ttyp5 none network off secure
..........

3) Restart the telnet daemon using the following command (as root).

# /etc/rc.d/inetd restart
I tried it and it worked. For now, though, I have disabled the "feature" again. I'll suggest against it to my boss once again. Wish me luck.
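A check for confirming that the change described in the post above has been reverted, as an added example that is not part of the original thread: it reports network pseudo-terminals still flagged "secure" in a ttys file and telnet entries still enabled in an inetd.conf file. The function names and the sample files are constructed for illustration; on a real host the two arguments would be /etc/ttys and /etc/inetd.conf.

```shell
#!/bin/sh
# Added audit example, not from the thread. Sample files are constructed.
# Names of network pseudo-terminals flagged "secure" (root may log in there).
secure_ptys() {
    awk '{ sub(/#.*/, "") }
         $2 == "none" && $3 == "network" {
             for (i = 4; i <= NF; i++)
                 if ($i == "secure") { print $1; break }
         }' "$1"
}

# Number of uncommented telnet service entries in an inetd.conf-style file.
telnet_entries() {
    awk '{ sub(/#.*/, "") } $1 == "telnet" { n++ } END { print n + 0 }' "$1"
}

# Returns 1 when telnet is enabled and at least one pty accepts root logins.
audit_root_telnet() {
    ptys=$(secure_ptys "$1" | tr '\n' ' ')
    entries=$(telnet_entries "$2")
    if [ "$entries" -gt 0 ]; then echo "telnet enabled: $entries entry(ies) in $2"; fi
    if [ -n "$ptys" ]; then echo "root login permitted on: $ptys"; fi
    if [ "$entries" -gt 0 ] && [ -n "$ptys" ]; then return 1; fi
    return 0
}

# Constructed sample data: ttys after the change, ttys without it, inetd on/off.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ttys.changed" <<'EOF'
ttyv0   "/usr/libexec/getty Pc"      cons25  on  secure
ttyp0   none                         network off secure
ttyp1   none                         network off secure
ttyp2   none                         network
EOF
cat > "$SAMPLES/ttys.default" <<'EOF'
ttyp0   none    network
ttyp1   none    network   # secure would go here
EOF
cat > "$SAMPLES/inetd.on" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
cat > "$SAMPLES/inetd.off" <<'EOF'
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF

audit_root_telnet "$SAMPLES/ttys.changed" "$SAMPLES/inetd.on" || echo "FINDING"
```

A non-zero return from audit_root_telnet means both conditions hold at once; either one alone is still printed so it can be reviewed.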
 
Old 06-16-2007, 05:28 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by daihard
The feedback from the IT was, "We're inside the corporate LAN. Why would security be an issue?"
If I could be of any assistance fielding that one:
  • It's contrary to best practices to use a clear-text protocol when sending authentication information and data.
  • I've frequently read that many security/data breaches occur internally. Sending clear text information around is practically begging for credentials and data to be stolen.
  • Given that you're allowing all engineers root access, they can do all sorts of neat tricks (hey, they're root) to steal or modify the data of each other.

Btw, I didn't mean that *your* question was asinine per se. Your boss and IT department don't sound very intelligent based on the limited info I've read in this thread, and they've put you in a bad situation. (In other words, I didn't intend it to be a personal attack on you.)

Finally, I'm still curious to know why all engineers need to have root access. It makes your job as a sysadmin that much more difficult.
 
Old 06-16-2007, 05:51 PM   #6
daihard
Member
 
Registered: Jul 2003
Location: Seattle, WA
Distribution: Kubuntu 12.04
Posts: 913

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by anomie
Btw, I didn't mean that *your* question was asinine per se. Your boss and IT department don't sound very intelligent based on the limited info I've read in this thread, and they've put you in a bad situation. (In other words, I didn't intend it to be a personal attack on you.)

Finally, I'm still curious to know why all engineers need to have root access. It makes your job as a sysadmin that much more difficult.
Yes, I totally understand what you mean. I am grateful that you're sharing my concern and highly appreciate all the advice you have given me.
 
Old 06-16-2007, 06:24 PM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Quote:
Apparently FreeBSD does not control the telnet server via xinetd. Instead, they use the file called "/etc/inetd.conf" to control the telnet daemon.
Xinetd is a newer version of inetd. See the inetd manpage for the format of the entries. Because a single file is used, the service to control is included in the entry. There may also be an inetd.conf manpage as well.

My suggestion on cygwin/x was to make it look attractive using ssh with X/windows so that it might be adopted for that reason even if they don't care about network security.
 
  

