[SOLVED] Connection problem with telnet on Solaris 10

miedward · 06-25-2009, 10:03 AM

When connecting to a particular Solaris 10 server via telnet (which I did not set up and is needed by some hardware) I am getting some peculiar behavior.

$ telnet xx.xx.xx.xx
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
Connection closed by foreign host.

I eventually stumbled upon the fact that they had an extensive hosts.allow file (hosts.deny ALL:ALL as well). So I added "ALL: .my.domain" and expected everything to work. Now it waits longer before kicking me out, but still won't even give a login prompt.

It is acting like it is still being blocked by tcp_wrappers, but I am fairly sure that is letting me through. Is there something similar that could still be filtering things after the initial connection?

$ inetadm -l telnet
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/local/sbin/tcpd"
arg0="/usr/sbin/in.telnetd"
user="root"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=TRUE
default connection_backlog=10

miedward · 06-25-2009, 12:38 PM

Quote:

Originally Posted by miedward

$ inetadm -l telnet
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/local/sbin/tcpd"
arg0="/usr/sbin/in.telnetd"

Another fellow in my office noticed that this is actually running tcpd and not in.telnetd directly. So since all the rules in hosts.allow were keyed for the "in.telnetd" service it was refusing all telnet connections.

Now my question is, is there a reason to run telnet through tcpd? And if you did, how would I make the hosts.allow rules work?

(yes I know telnet is evil, but it is needed by some hardware)

bathory · 06-25-2009, 02:24 PM

This is how tcp_wrappers works. You don't run the service (in.telnetd in your case) directly, but through in.tcpd. It's in.tcpd that listens for connections on port 23 and when there is one it looks /etc/hosts.allow, /etc/hosts.deny to see if it has to allow it. If everything is ok then it passes control to the real daemon in.telnetd.
I guess someone has installed in.tcpd at a later time (that's why it's installed in /usr/local) and had configured it wrong.
If you want to enable it make use of its "security" features of hosts.allow and hosts.deny, take a look at this howto.

Regards