LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 01-31-2008, 04:41 AM   #1
xunil321
Member
 
Registered: Mar 2004
Posts: 33

Rep: Reputation: 15
Remote Telnet as "root" into SLES 10 system


Although the /etc/securetty file contains entries like pts/0...pts/24
it is not possible to (remote) telnet as root to a SLES10 SP1 system.
The /var/log/messages tells this:

pam_securetty(login:auth):access denied: tty 'pts/0' is not secure !

Normal users are able to remote login and the firewall is off.

Many thanks for all hints!

RainerB.
 
Old 01-31-2008, 04:59 AM   #2
Zmyrgel
Senior Member
 
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Rep: Reputation: 37
First of all, don't use telnet... use ssh ... seriously.

Now that that's taken care of. Edit the /etc/ttys or similar file where the pts's are listed and there should be line there which specifies where root can login. Look for entry like secure off or something like that.

That might be the problem.
 
Old 01-31-2008, 05:01 AM   #3
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
it is not possible to (remote) telnet as root to a SLES10 SP1 system
That is correct. If you have a user who wants to do this, LART them repeatedly until the message sinks in.

The correct tool to remote manage SLES (or, indeed, any system) is openSSH.
 
Old 01-31-2008, 05:29 AM   #4
xunil321
Member
 
Registered: Mar 2004
Posts: 33

Original Poster
Rep: Reputation: 15
@Zmyrgel
Unfortunately there is no such /dev/ttys in SLES 10.

Rainer
 
Old 01-31-2008, 05:56 AM   #5
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
Unfortunately there is no such /dev/ttys in SLES 10.
Tough.
This is A Good Thing.

You are not going to get much help from us when it comes to compromising your system.
There are enough insecure computers out there without adding yours to the bunch. Did you know that linux servers are favorite for controlling botnets?
http://it.slashdot.org/article.pl?sid=07/10/05/1234217
http://www.net-security.org/secworld.php?id=5129
http://www.mailradar.com/articles/Op...r-8/page1.html

Absolutely do not use telnet... at all.
http://blogs.ittoolbox.com/security/...internet-14547
http://searchsecurity.techtarget.com...ml?track=sy160

What is wrong with ssh?

http://suso.org/docs/shell/ssh.sdf

Last edited by Simon Bridge; 01-31-2008 at 06:01 AM.
 
Old 02-01-2008, 05:12 AM   #6
Zmyrgel
Senior Member
 
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Rep: Reputation: 37
Quote:
Originally Posted by xunil321 View Post
@Zmyrgel
Unfortunately there is no such /dev/ttys in SLES 10.

Rainer
I have following line in my /etc/ttys [running OpenBSD]:
Code:
tty00   "/usr/libexec/getty std.9600"   unknown off
I need to change the option to following to allow logins from serial:
Code:
tty00   "/usr/libexec/getty std.9600"   vt220 on secure
I think something similar needs to be done on SLED to allow root telnet connections. Have you checked the /etc/securetty file for lines similar to above.
This is still ridiculously unsecure as telnet sends passwords in plaintext and anyone in your network can then get systems root password. You have been warned.

But seriously, if you don't have any other reason but to allow remote logins to the computer, use OpenSSH. It's easier to setup and a lot more secure option than telnet.

Last edited by Zmyrgel; 02-01-2008 at 05:24 AM.
 
Old 02-03-2008, 12:46 AM   #7
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Zmyrgel: why are you helping this guy?
 
Old 02-04-2008, 12:45 AM   #8
Zmyrgel
Senior Member
 
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Rep: Reputation: 37
Quote:
Originally Posted by Simon Bridge View Post
Zmyrgel: why are you helping this guy?
Well, I'm such a nice guy

If he wants to compromise his network, fine. As long as it doesn't do it at my networks then it's cool.

I don't know anything beyond what I've said here about getting the telnet to work as root so if he doesn't get it to work then he's on his own.

He might have a reason to get telnet to work as root. I, personally don't have a clue what that could be but he might have a reason.
 
Old 02-04-2008, 03:28 AM   #9
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Quote:
Originally Posted by Zmyrgel View Post
Well, I'm such a nice guy

If he wants to compromise his network, fine. As long as it doesn't do it at my networks then it's cool.
Unfortunately, compromising his network makes all our networks less secure.

Have a look through those links I provided earlier.

The criminals who get a-hold of his server will most likely use it to run a botnet as a master node. In other words, they will point it at us. Now, removing this one will probably not make the internet much safer for freedom, democracy and fake celebrity pron.... but lets not hand out an extra gun OK?

Lets not help people do dumb things.
 
Old 02-04-2008, 03:48 AM   #10
Zmyrgel
Senior Member
 
Registered: Dec 2005
Location: Finland
Distribution: Slackware, CentOS, RHEL, OpenBSD
Posts: 1,006

Rep: Reputation: 37
Quote:
Originally Posted by Simon Bridge View Post
Unfortunately, compromising his network makes all our networks less secure.

Have a look through those links I provided earlier.

The criminals who get a-hold of his server will most likely use it to run a botnet as a master node. In other words, they will point it at us. Now, removing this one will probably not make the internet much safer for freedom, democracy and fake celebrity pron.... but lets not hand out an extra gun OK?

Lets not help people do dumb things.
Fine.

I still don't get where they even get the ideas to use telnet or better yet, rlogin and such. When I started my Unix-like experiences I didn't hear about them anywhere and used SSH. Only mention to those services where on SSH pages where it clearly states that SSH replaced them.

At least telnet is still useful but not when trying to get a root login to work
 
Old 02-04-2008, 04:07 AM   #11
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
I think the only reason telnet is still around is for the windows boxes - it used to be you had to install a 3rd party client to use OpenSSH. Don't know about now. I have met experienced sysadmins who've never heard of SSH. They were all Windows Certified. In the *nix world you cannot move without someone giving you a security lecture. But Windows is about convenience.
 
Old 02-04-2008, 07:55 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,863

Rep: Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598
The only thing I would use telnet for is remote dubugging eg smtp as

telnet box 25

which enables you to manually send /recv mail cmds to check exactly what the server is saying. In principle any text oriented service can be tested this way.
Definitely wouldn't use it for logging into a terminal, use ssh.
 
Old 02-04-2008, 08:58 PM   #13
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
AFAIK: telnet to port 25 need not actually start a telnet session (unless the smtp server also has a telnet service listening on port 25...)- you do not log in or do anything that would not normally be sniffable anyway. It does generate useful system messages. Thus it is a popular method of probing smtp services - especially on MS Exchange-based networks.

What this does is exploit telnet's clear text messages to run a very slow smtp session. In this way, the exact point of trouble can be isolated.

A security issue is that a valid email address is needed... so a throwaway account should be created for testing.

Encrypting the signal is not going to be useful, as smtpd needs to understand instructions.

Of course, I could be wrong here.
 
Old 02-05-2008, 12:39 AM   #14
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,863

Rep: Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598
Indeed, only one service/daemon/server_sw_component can bind to a given port at a time, so normally it'd be an smtp server on port 25 (see /etc/services) eg sendmail.
The telnet client simply sends ascii text to the host+port specified.
No telnet server required.
In fact you can test your own homegrown/written server(s) if they respond in/to plain text.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
newbie question: whats the difference between "su root", "su" and "su -&quo mojarron Slackware 9 12-07-2009 04:08 PM
Standard commands give "-bash: open: command not found" even in "su -" and "su root" mibo12 Linux - General 4 11-11-2007 10:18 PM
How do I remove "Your default context is root:system_r:unconfined_t." when I Telnet? shsaifee Linux - Security 2 06-23-2007 10:59 PM
System hangs on boot - "Mounting root file system" fails with Via VT6410 enabled Eagleorn Linux - Hardware 3 09-21-2006 12:58 PM
cu "connect to remote system" program kpachopoulos Linux - General 1 02-03-2005 11:56 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 09:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration