LinuxQuestions.org


daihard 06-16-2007 03:33 AM

Enabling remote root login for TELNET
 
Hi.

Yes, I know, this is a rather silly question. Who would want to use telnet instead of ssh today, let alone logging in as root!

Well, my boss wants me to figure out how. Most of our engineers run Windows XP on their workstations, and the standard remote connection software we use only supports telnet, not ssh. :(

I know that you can simply enable the "PermitRootLogin" parameter in /etc/ssh/sshd_config in order to enable remote root login for ssh. I haven't been able to figure out how to do the same for telnet, though. Could anyone help?

We have FreeBSD 6.1 (x86) and 6.2 (x64).

TIA,
Dai

jschiwal 06-16-2007 04:50 AM

Why couldn't they install putty? Even better, installing cygwin/X may be the most convenient, because you could run one of the gui config programs. It isn't necessary to allow root logins either.

For example: "ssh -X delllap system-config-services" will allow you to login to ssh as a regular user, and then enter the root password in the gnomesu dialog. Then the program starts up.
Alternatively, you could just "ssh -x <servername>" into the server, and then launch more than one program. You could even have different programs running on different servers and displayed in their own window on XP. Maybe if you did this yourself as a demonstration, you could convince the powers that be that using ssh would be better.

Telnet info:
First of all, is the telnet server even installed on the server? It is probably configured via xinetd.
Look for an /etc/xinet.d/telnet file.
It may have user=root already, but you may need to change disable=yes to disable=no.
Code:

# default: off
# description: Telnet is the old login server which is INSECURE and should \
#      therefore not be used. Use secure shell (openssh).
#      If you need telnetd not to "keep-alives" (e.g. if it runs over a ISDN \
#      uplink), add "-n".  See 'man telnetd' for more details.
service telnet
{
        socket_type    = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable        = yes
}

I had to install the server temporarily to get this info.

anomie 06-16-2007 09:32 AM

Quote:

Originally Posted by daihard
Yes, I know, this is a rather silly question. Who would want to use telnet instead of ssh today, let alone logging in as root!

I'll see your "silly" and raise you "completely asinine". Someone needs to fire your boss (no joke).

As mentioned there is free software for Windows to support ssh logons. I'm also curious to know why your engineers require root access to the box (rather than sudoer privileges for a couple required applications).

daihard 06-16-2007 10:56 AM

Hi guys.

Thanks for the suggestions. As for cygwin/putty/etc, trust me, I have tried before. I thought poor security around telnet was a good enough reason to get rid of it. Unfortunately, it did not work that way. (The feedback from the IT was, "We're inside the corporate LAN. Why would security be an issue?")

I will need to put together a more convincing argument against telnet now. :study:

As for my original "completely asinine" question, I have figured out a way to do that. Apparently FreeBSD does not control the telnet server via xinetd. Instead, they use the file called "/etc/inetd.conf" to control the telnet daemon. Now in order to allow remote root login via telnet, here's the solution I found:
Quote:

1) Open /etc/ttys as root.

2) Append "off secure" to the lines beginning with "tty" as follows.

ttyp0 none network off secure
ttyp1 none network off secure
ttyp2 none network off secure
ttyp3 none network off secure
ttyp4 none network off secure
ttyp5 none network off secure
..........

3) Restart the telnet daemon using the following command (as root).

# /etc/rc.d/inetd restart

I tried it and it worked. For now, though, I have disabled the "feature" again. I'll suggest against it to my boss once again. Wish me luck. :D
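
An audit for the configuration described in the post above, as an added example that is not part of the original thread. It assumes the ttys(5) layout shown in the post and an inetd.conf whose telnet line is either commented out or active; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit for root-capable telnet logins.

# Names of network terminals flagged "secure" in a ttys(5)-format file.
secure_network_ttys() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        NF < 3 { next }                    # need name, getty and type fields
        {
            net = sec = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "network") net = 1
                if ($i == "secure")  sec = 1
            }
            if (net && sec) print $1
        }' "$1"
}

# Succeeds if the inetd.conf-format file has an uncommented telnet line.
telnet_enabled() {
    awk '$1 == "telnet" { hit = 1 } END { exit (hit ? 0 : 1) }' "$1"
}

# Report findings; status 1 means both conditions from the post are present.
audit() {
    ttys=$(secure_network_ttys "$1")
    if telnet_enabled "$2" && [ -n "$ttys" ]; then
        echo "FAIL: telnet enabled and network ttys marked secure:" $ttys
        return 1
    fi
    echo "OK: no root-capable telnet path found"
}

# Constructed sample files, modelled on the lines quoted in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ttys.changed" <<'EOF'
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
ttyp0 none network off secure
ttyp1 none network off secure
EOF
cat > "$SAMPLES/ttys.default" <<'EOF'
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
ttyp0 none network
EOF
echo 'telnet stream tcp nowait root /usr/libexec/telnetd telnetd' > "$SAMPLES/inetd.on"
echo '#telnet stream tcp nowait root /usr/libexec/telnetd telnetd' > "$SAMPLES/inetd.off"

audit "$SAMPLES/ttys.changed" "$SAMPLES/inetd.on" || true
audit "$SAMPLES/ttys.default" "$SAMPLES/inetd.on"
```

On a FreeBSD host the same check is `audit /etc/ttys /etc/inetd.conf`; it reads the files only and does not confirm that inetd is running.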

anomie 06-16-2007 05:28 PM

Quote:

Originally Posted by daihard
The feedback from the IT was, "We're inside the corporate LAN. Why would security be an issue?"

If I could be of any assistance fielding that one:
  • It's contrary to best practices to use a clear-text protocol when sending authentication information and data.
  • I've frequently read that many security/data breaches occur internally. Sending clear text information around is practically begging for credentials and data to be stolen.
  • Given that you're allowing all engineers root access, they can do all sorts of neat tricks (hey, they're root) to steal or modify the data of each other.

Btw, I didn't mean that *your* question was asinine per se. Your boss and IT department don't sound very intelligent based on the limited info I've read in this thread, and they've put you in a bad situation. (In other words, I didn't intend it to be a personal attack on you.)

Finally, I'm still curious to know why all engineers need to have root access. It makes your job as a sysadmin that much more difficult.

daihard 06-16-2007 05:51 PM

Quote:

Originally Posted by anomie
Btw, I didn't mean that *your* question was asinine per se. Your boss and IT department don't sound very intelligent based on the limited info I've read in this thread, and they've put you in a bad situation. (In other words, I didn't intend it to be a personal attack on you.)

Finally, I'm still curious to know why all engineers need to have root access. It makes your job as a sysadmin that much more difficult.

Yes, I totally understand what you mean. I am grateful that you're sharing my concern and highly appreciate all the advice you have given me. :cool:

jschiwal 06-16-2007 06:24 PM

Quote:

Apparently FreeBSD does not control the telnet server via xinetd. Instead, they use the file called "/etc/inetd.conf" to control the telnet daemon.

Xinetd is a newer version of inetd. See the inetd manpage for the format of the entries. Because a single file is used, the service to control is included in the entry. There may also be an inetd.conf manpage as well.

My suggestion on cygwin/x was to make it look attractive using ssh with X/windows so that it might be adopted for that reason even if they don't care about network security.


All times are GMT -5.