topic Re: telnetd disablement period in Operating System - HP-UX

telnetd disablement period

Paul Mezzanini — Thu, 10 Jan 2002 19:46:39 GMT

While I'm posting my quesions I'll throw this one out to you guru's.

I'm in the process of disabling telnetd on my boxes in favor of ssh(d). For this transitional period I would like it so that if a user tries to telnet to a box it will echo back a reply and then disconnect.

I just want to tell the users that telnet service is no longer available and they will need to ssh in (and they can get it from bla bla bla bla)

I thought I could change inetd.conf's telnet line to point to echo "message goes here" or to a shell script that does the same thing. It just dumps the connect without any echos.

There has got to be an easy way to do this, I just don't know how :)

thx
-paul

Re: telnetd disablement period

Wilfred Chau_1 — Thu, 10 Jan 2002 19:57:26 GMT

In your inetd.conf file add the -b option as follow to display a message:

telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/yourmessage

where /etc/yourmessage is a banner file.

Re: telnetd disablement period

Sridhar Bhaskarla — Thu, 10 Jan 2002 19:58:50 GMT

Hi Paul,

Yes there is.

One way I can think is to edit /etc/profile and keep a small scripts like this somewhere
in the file.

clear
cat << EOF

Telnet has been disabled... Use ssh
with the following procedure..
bla..bla..bla...

Good bye..

EOF

sleep 5
exit

This will display the message, waits for 5 secs and then disconnects the telnet session.

Do the same thing on /etc/csh.login for csh shell users.

-Sri

Re: telnetd disablement period

Uday_S_Ankolekar — Thu, 10 Jan 2002 20:02:44 GMT

Hi,
You can use either file (/etc/issue or /etc/motd).

Use the vi editor to open /etc/inetd.conf and change the lines below:

ftp stream tcp nowait root /usr/lbin/ftpd
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/motd

-USA..

Re: telnetd disablement period

Sanjay_6 — Thu, 10 Jan 2002 20:02:52 GMT

Hi Paul,

I'm not so sure that you can configure something like that. you can configure telnet banner that will be displayed whenever a user does a telnet to the system. Here is the link on how to set the relnet banner,

http://us-support.external.hp.com/cki/bin/doc.pl/sid=2af75ab812ba0e21a0/screen=ckiDisplayDocument?docId=200000049635465

Now if you disable telnet login. this banner will not be displayed and so it will not solve your problem. you can use the /etc/inetd.sec to disable the telnet login. You can disable the telnet login from a single ip or multiple ip or from all ip's. Here is a link on how to set the same,

http://us-support.external.hp.com/cki/bin/doc.pl/sid=d3100b3b145b392a25/screen=ckiDisplayDocument?docId=200000047669302

I can't say that this will display the banner if a telnet session is started from the ip address in the denied list. You'll have to give it a try.

Hope this helps.

Regds

Re: telnetd disablement period

Paula J Frazer-Campbell — Thu, 10 Jan 2002 20:06:05 GMT

Hi Paul

Set up a no-telnet dir.
create a .profile with a message.
Now using etc
sleep x seconds
exit

Set this as the default login dir in passwd.

Quick and clean.

Paula

Re: telnetd disablement period

Paul Mezzanini — Thu, 10 Jan 2002 20:17:22 GMT

Man you guys reply fast... Let me see if I can knock some replies off before you post more :)

Wilfred and Uday:

That isn't quite what I had in mind. I want to display the message then disconnect the user. That would display the message then let them continue on with the session. This may need to be the route I've got to take anyway, but I would rather not.

Sridhar:

Wouldn't that also disable ssh connects and perhaps even console logins? I can never remember which logins call which files.

Paula:

I'm not really sure I know what you mean. Are you saying I should change everyone's homedir to a no-telnet one?

-paul

Re: telnetd disablement period

Paula J Frazer-Campbell — Thu, 10 Jan 2002 20:25:08 GMT

Hi Paul

Yes on the home dirs if that is suitable.

The other option is the banner file or motd.

If you wish to keep home dirs then their own .profile could look for connection type by chasing down their pid and if telnet involved then warn then and force an exit.

Paula

Re: telnetd disablement period

Paul Mezzanini — Thu, 10 Jan 2002 21:03:54 GMT

Paula:

I can't change the homedirs. Many people have a hard enough time with `cd` :)

I know that if I use the banner option people just won't read it, and then when I finally totally disable it my phone won't stop ringing.

Well, I guess I'll just make sure I'm out of range that day :)

-paul

Re: telnetd disablement period

Jeff Machols — Thu, 10 Jan 2002 21:11:19 GMT

you could do something like this:

in /etc/profile

TEL_COUNT=`ps | grep telnetd` # this will show what our patent of the shell is
trap 1 2 3 15
if [ $TEL_COUNT -eq 1 ]
then
echo "Need to use SSH"
sleep 5
fi

Re: telnetd disablement period

Jeff Machols — Thu, 10 Jan 2002 21:11:26 GMT

Re: telnetd disablement period

Paul Mezzanini — Thu, 10 Jan 2002 21:13:48 GMT

Jeff:

Lemme fire up my c240 test box and see if that works.

It still isn't as graceful as I would hope, but its pretty damn close :)

-paul

Re: telnetd disablement period

Jeff Machols — Thu, 10 Jan 2002 21:15:48 GMT

oops, I had a typo

should be

COUNT=`ps | grep telnetd | wc -l`

I agree, it's not graceful, theres got to be a better way but I can't get one to work

Re: telnetd disablement period

Paul Mezzanini — Thu, 10 Jan 2002 21:26:15 GMT

Jeff:

Just gotta do some tweaking of the message and spaces and then its all set.

I don't even think I will bother with the banner file... I will make what profile spewes out be descriptive enough.

Thanks
-paul

Re: telnetd disablement period

Sridhar Bhaskarla — Thu, 10 Jan 2002 21:30:16 GMT

How dump I was??..

OK. You can modify the script as basically ssh session won't make use of telnetd.

TTY=`tty|sed 's/\/dev\///'`
ps -ef|grep telnetd |grep $TTY |grep -v grep
if [ $? = 0 ]
then clear
cat << EOF
Access is restricted to nly telnet...
EOF
sleep 5
read
exit
fi
See if this helps.

-Sri