If the requirement is to just push some data out the port the folks are hitting with the telnet session, then perhaps netcat or some other utility would suffice, of course, the information, since it is unencrypted, should not be sensitive in any manner. We did something like this at nortel, to supply admins with info required to keep track of systems and their current states. Not that it was the prefere way, but, it was quick and dirty. The requirement for access from the outside to anyone is a kicker though in my mind. At nortel, access was limited to other internal systems to internal systems. What are your fools trying to accomplish? Thanks, Ron DuFresne On Tue, 11 Sep 2001, hermit1 wrote: > I have been asked for advice on how to do anonymous telnet to a server > here; the client could be anywhere. There is a need to provide access from > character-only terminals. Upon establishing the telnet session, a perl > script is supposed to run automatically. No, they didn't explain how > they expect a perl script to run without a user ID. The perl script will > accept strings of text and create queries to run against another > system. After I got over my bout of speechlessness I tried to explain why > it isn't feasible. > > Here are the major points I have. Comments on any or all of this is > welcome, corrections especially welcome. > > I refuse to customize the telnetd binary, the only way I know of to > eliminate the need for a user ID. I suspect changing some PAM > configuration might do it, but I don't want to try that, either. > > If I use the perl script instead of the shell in /etc/passwd, any > successful attempt to break out of the script into a shell should instead > log the user off the computer. Is there a known way to break this? > > Unless the strings accepted by the perl script are very carefully > validated, I assume that escape characters would allow the user to issue > system commands. I like the idea of rback from trusted solaris, but the > system is Solaris 7, not 8. Restricted shell would probably help, but I > know little about it. > > I would prefer that the developers would create their own telnet server > combined with the perl script, and I could have this run out of inetd on > port 23. I don't think altering one of the open source telnet servers > to [1. not require a login, and 2. automatically pass all input to the > perl script] would be difficult, and it is probably the safest way to meet > their goal. > > Comments? Laughter? > > Thanks > hermit1 > > > > > *************************************************** > This is an email. Don't rely on anything seen here > as being accurate without testing it yourself. > *************************************************** > > _______________________________________________ > firewall-wizards mailing list > firewall-wizards@nfr.com > http://list.nfr.com/mailman/listinfo/firewall-wizards > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards@nfr.com http://list.nfr.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 11:55:54 PDT