Old 01-12-2017, 09:17 AM   #1
Doc_doggo
LQ Newbie
 
Registered: Jan 2017
Posts: 4

Rep: Reputation: Disabled
problems logging with telnet


Hello people, I am having a problem logging into a remote server using an expect script.

More specifically, I am using said script to log in to a server via ssh; that part is successful, but once connected to the first server I try to connect to another PC via telnet and the connection times out. The curiosity is, if I replicate the whole process manually (i.e. I am the one typing all the commands), the telnet works. I will put here a copy of the script (due to security reasons all sensitive information was altered):


Code:
#!/usr/bin/expect -f
 
set timeout 180

expect "$"

spawn ssh moon_moon@ge.ne.ric.ip
expect "moon_moon@ge.ne.ric.ip's password: "
send "who_invited_moon_moon\r"

expect "Your option is: "

send "0\r"

expect "$ "
spawn date
expect "$ "

spawn telnet a.no.ther.ip

expect "Trying a.no.ther.ip... "

expect "*username: "
#send "moon_moon\r"
#expect "password: "
#send "who_invited_moon_moon\r"
#expect "# "
##send "instructions"
#expect "# "
#send "instructions"

#interact
So when I run this script the terminal freezes, showing this:
spawn telnet a.no.ther.ip
Trying a.no.ther.ip...

Thank you all in advance.
 
Old 01-12-2017, 09:38 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,305
Blog Entries: 3

Rep: Reputation: 3720
Welcome.

I would very much avoid using expect and use keys for authentication. It's both difficult and unsafe. Either RSA or Ed25519 keys will work. Keys are safer and easy.

With key-based authentication, you'll be able to do it in one line:

Code:
ssh -i ~/.ssh/a_key_rsa -t moon_moon@ge.ne.ric.ip 'telnet a.no.ther.ip'
Additionally, once it's working, you can set the key so that it can only execute that one command.

Along the same lines, telnet as a protocol was deprecated in the 1990's. It's now 2017, there should be a high priority made on getting rid of it now.
 
1 members found this post helpful.
Old 01-12-2017, 09:54 AM   #3
Doc_doggo
LQ Newbie
 
Registered: Jan 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
First of all, thank you Turbocapitalist for the help; it worked like a charm.
 
Old 01-12-2017, 10:08 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,305
Blog Entries: 3

Rep: Reputation: 3720
No worries.

On the machine ge.ne.ric.ip in the account for moon_moon, you can modify the public key so that the key can only run telnet to a.no.ther.ip and nothing else.

If you have the default location for authorized_keys file on ge.ne.ric.ip you can find the public key and prepend command="" to it. That way it will run the designated command automatically and nothing else will be possible with that key.

Code:
command="/usr/bin/telnet a.no.ther.ip" ssh-ed25519 AAAAC3…
# or 
command="/usr/bin/telnet a.no.ther.ip" ssh-rsa AAAAC3…
The full description of the authorized_keys file format is in the manual page for sshd
 
1 members found this post helpful.
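
A check for the restriction described in post #4, as an added example that is not part of the original posts. sshd(8) notes that with `command=` a client may still request TCP or X11 forwarding unless that is explicitly prohibited, so this script reports key lines that lack a forced command or leave forwarding open; the verdict labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report authorized_keys entries that are
# not pinned to a single forced command with TCP forwarding switched off.

audit_authorized_keys() {   # $1 = file to check (default: stdin)
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line ~ /^(ssh-|ecdsa-|sk-)/) {     # starts with a key type: no options at all
            print NR ": UNRESTRICTED"; next
        }
        # Walk the options field; it ends at the first blank outside quotes.
        # Quoted values are dropped so only option names remain in "bare".
        inq = 0; bare = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\") { i++; continue }     # escaped character
            if (c == "\"") { inq = !inq; continue }
            if (!inq && (c == " " || c == "\t")) break
            if (!inq) bare = bare c
        }
        bare = "," tolower(bare) ","           # option names are case-insensitive
        if (!index(bare, ",command=,"))
            print NR ": NO-FORCED-COMMAND"
        else if (index(bare, ",no-port-forwarding,") ||
                 (index(bare, ",restrict,") && !index(bare, ",port-forwarding,")))
            print NR ": OK"                    # forced command, TCP forwarding off
        else
            print NR ": FORWARDING-ALLOWED"
    }' "${1:--}"
}

# Constructed sample; key material is a placeholder, hosts are the thread's.
sample_authorized_keys() {
    cat <<'EOF'
# bastion authorized_keys for moon_moon
ssh-ed25519 AAAAC3...placeholder moon_moon@laptop
command="/usr/bin/telnet a.no.ther.ip" ssh-ed25519 AAAAC3...placeholder tn1
restrict,pty,command="/usr/bin/telnet a.no.ther.ip2" ssh-ed25519 AAAAC3...placeholder tn2
EOF
}

sample_authorized_keys | audit_authorized_keys
```

Run against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; the number in each finding is the line number in that file.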
Old 01-12-2017, 12:22 PM   #5
Doc_doggo
LQ Newbie
 
Registered: Jan 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
No worries.

On the machine ge.ne.ric.ip in the account for moon_moon, you can modify the public key so that the key can only run telnet to a.no.ther.ip and nothing else.

If you have the default location for authorized_keys file on ge.ne.ric.ip you can find the public key and prepend command="" to it. That way it will run the designated command automatically and nothing else will be possible with that key.

Code:
command="/usr/bin/telnet a.no.ther.ip" ssh-ed25519 AAAAC3…
# or 
command="/usr/bin/telnet a.no.ther.ip" ssh-rsa AAAAC3…
The full description of the authorized_keys file format is in the manual page for sshd
Once again thanks for the info, but one more question: were I to need to connect to many PCs, can I make something like this

Code:
command="/usr/bin/telnet a.no.ther.ip" ssh-rsa AAAAC3…
command="/usr/bin/telnet a.no.ther.ip2" ssh-rsa AAAAC3…
.
.
.
And one last question: what does the AAAc3 stand for?
Once more, thanks and sorry for the inconvenience.

Last edited by Doc_doggo; 01-12-2017 at 01:29 PM.
 
Old 01-18-2017, 05:40 PM   #6
Jjanel
Member
 
Registered: Jun 2016
Distribution: any&all, in VBox; Ol'UnixCLI; NO GUI resources
Posts: 999
Blog Entries: 12

Rep: Reputation: 363
>what does the AAAc3 stand for?

I got 'tripped' on this too, *until* I noticed the 3-dot ellipsis in prior posts: AAAc3...
Then I found a man page here with an example using AAAc...: (formatting 'broken' in that page too!)

An example authorized_keys file:

# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss
AAAAC3...51R== example.net

So, it's just a *random example* key, like filename [MYname] vs. filename [as a keyword]!
 
Old 01-18-2017, 11:56 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,305
Blog Entries: 3

Rep: Reputation: 3720
Quote:
Originally Posted by Doc_doggo
Once again thanks for the info, but one more question: were I to need to connect to many PCs, can I make something like this

Code:
command="/usr/bin/telnet a.no.ther.ip" ssh-rsa AAAAC3…
command="/usr/bin/telnet a.no.ther.ip2" ssh-rsa AAAAC3…
.
.
.
(Sorry I missed seeing the reply.)

You can make as many keys as you need and put them in the bastion host's / jump host's authorized_keys file. If there is a limit on the number of keys, it is quite high. Each key can be customized with a command="" to launch telnet. Again, you still want to get rid of the telnet servers as soon as possible. If you can't run full-blown OpenSSH, you can try Dropbear, which is modular.

However, there is a low limit on the number of keys ssh-agent can effectively use on the client you are connecting from to the bastion host / jump host. You can get around that limit by making shortcuts in ~/.ssh/config for each targeted telnet server that include IdentitiesOnly and the appropriate IdentityFile entry.
 
1 members found this post helpful.
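
The one-key-per-telnet-server setup from posts #4 and #7, as an added example that is not part of the original posts: it renders the bastion's authorized_keys lines and the matching client ~/.ssh/config shortcuts with IdentityFile and IdentitiesOnly. The aliases, 192.0.2.x addresses and key file names are constructed, and the `restrict,pty` options assume OpenSSH 7.2 or later on the bastion.

```shell
#!/bin/sh
# Added example, not from the thread. ge.ne.ric.ip and moon_moon are the
# thread's placeholders; aliases, addresses and key paths are constructed.
BASTION="ge.ne.ric.ip"
LOGIN="moon_moon"
TARGETS="tn1:192.0.2.11 tn2:192.0.2.12"     # alias:telnet-server

# One key pair per telnet server, created on the client (shown, not run here):
#   ssh-keygen -t ed25519 -f ~/.ssh/tn1_ed25519 -C tn1

# Line for the bastion's authorized_keys: "restrict" turns off forwarding,
# pty and user rc; "pty" is re-enabled because telnet is interactive.
authkeys_line() {            # $1 = telnet server, $2 = contents of the .pub file
    printf 'restrict,pty,command="/usr/bin/telnet %s" %s\n' "$1" "$2"
}

# Stanza for the client's ~/.ssh/config. IdentitiesOnly makes ssh offer only
# the named key, so the number of keys held by ssh-agent stops mattering.
client_stanza() {            # $1 = alias
    printf 'Host %s\n'                          "$1"
    printf '    HostName %s\n'                  "$BASTION"
    printf '    User %s\n'                      "$LOGIN"
    printf '    IdentityFile ~/.ssh/%s_ed25519\n' "$1"
    printf '    IdentitiesOnly yes\n'
}

render_all() {               # $1 = "authkeys" or "config"
    for t in $TARGETS; do
        name=${t%%:*}; ip=${t#*:}
        case $1 in
            authkeys)
                # Use the real public key if it exists, else a labelled placeholder.
                pub=$(cat "$HOME/.ssh/${name}_ed25519.pub" 2>/dev/null) ||
                    pub="ssh-ed25519 <PUBLIC-KEY-OF-$name>"
                authkeys_line "$ip" "$pub" ;;
            config)
                client_stanza "$name" ;;
        esac
    done
}

echo "# append on $BASTION to ~$LOGIN/.ssh/authorized_keys"
render_all authkeys
echo "# append on the client to ~/.ssh/config"
render_all config
```

With the stanzas in place, `ssh tn1` on the client lands directly in the telnet session to the first server and nothing else can be run with that key.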
  

