HPE Community
Operating System - HP-UX
1820886 Members
3695 Online
109628 Solutions
New Discussion юеВ

disable telnet login but keep telnetd active

 
SOLVED
Go to solution
Peter Kielbasiewicz
Frequent Advisor

тАО08-28-2003 01:49 AM

тАО08-28-2003 01:49 AM

disable telnet login but keep telnetd active

Due to security reasons we want to disable telnet logins and use ssh instead.
We do have a process though which uses the telnet -b {fileName} feature to gather some system information abouts our hosts.
The telnet daemon lists the content of {fileName} before the login prompt, so I can query info without actually logging in.
With ssh this does not work properly. Especially when the host key is not already known a user must interactively answer yes/no before the ssh banner file is shown. Also ssh connections to PA-Risc 1 machines is very slow (~8..10sec).
Does anybody know a solution?
0 Kudos
Reply
13 REPLIES 13
Massimo Bianchi
Honored Contributor

тАО08-28-2003 01:59 AM

тАО08-28-2003 01:59 AM

Re: disable telnet login but keep telnetd active

Hi,
i do not clearly understand your problem.

Do you want to speed up ssh connections or to disable telnet logins?

or do you want a simple and secure way to export information from your server, without logging in ?

Massimo
0 Kudos
Reply
twang
Honored Contributor

тАО08-28-2003 02:00 AM

тАО08-28-2003 02:00 AM

Re: disable telnet login but keep telnetd active

I would suggest that you use 'remsh' to execute command on remote hosts to gather system information.
In our shop, I disable telnet service on all our product servers too.
0 Kudos
Reply
Stefan Farrelly
Honored Contributor

тАО08-28-2003 02:01 AM

тАО08-28-2003 02:01 AM

Re: disable telnet login but keep telnetd active

Im not sure I understand your telnet question properly.

But for ssh being slow you need to install the kernel random driver, then ssh is a lot quicker;

KRNG11i B.11.11.06 HP-UX 11.11 Strong Random Number Generator

You can download from www.software.hp.com.
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Peter Kielbasiewicz
Frequent Advisor

тАО08-28-2003 03:26 AM

тАО08-28-2003 03:26 AM

Re: disable telnet login but keep telnetd active

What I am really looking for is a process which can be connected through a certain port and which does nothing else but respond with a preconfigured answer. If this process can also be run on windows and linux boxes it will be just great.
The purpose is to ping our network devices once a day and ask for some status information like Opsys, HW and contact.

Our machines are still on UX10.20 and we will stay there with an almost frozen environment.
From earlier forum discussions I understand that the slowness of ssh with UX10.20 on PA-Risc1 is a fact that can not be solved.
My problem is not so much ssh though but an easy and quick way to gather information from hosts.
We do not really need telnet for login purposes. Here we can use ssh although it is slow.
But for automated info gathering ssh is just too slow.
I do not fully understand the remsh answer.
We currently use telnet -b /etc/issue to get information from a host without even needing a login.
The drawback with telnet is that we can not use it solely for info gathering purposes. Once the daemon is up and running users can use it to log in (and I am sure they will, because ssh is so slow).
If I enable the remsh daemon, users could also use it to login to remote hosts and avoid the ssh as well. So I see no real improvement here.



0 Kudos
Reply
Massimo Bianchi
Honored Contributor

тАО08-28-2003 03:34 AM

тАО08-28-2003 03:34 AM

Re: disable telnet login but keep telnetd active

What about using tftp for downloading automatically the requested information, put on a file ?

Or creating a service, by yourself, that echoes to stdout the information and exit ?

I think that it should not be difficult to create such a thing, maybe with a simple script or perl program.

Massimo
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО08-28-2003 03:38 AM

тАО08-28-2003 03:38 AM

Re: disable telnet login but keep telnetd active

Secure Shell 3.50 is a major speed improvement over 3.1. On my 11.11 platforms in combination with the strong randome number genreator, connection lag is now below one second.

If you want to fully disable telnet go to /etc/ientd.conf and comment out the telnet line.

inetd -c

Any current connections will stay open until termination. This is normal behavior.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО08-28-2003 03:39 AM

тАО08-28-2003 03:39 AM

Re: disable telnet login but keep telnetd active

Secure Shell 3.50
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

Someone keep smacking me so I remember to post in the darned link.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

тАО08-28-2003 04:04 AM

тАО08-28-2003 04:04 AM

Solution

Re: disable telnet login but keep telnetd active

Hi, i tested my idea and IT WORKS !!!

i did the following:

in /etc/services

massimo 5000/tcp # test massimo


in /etc/inetd.conf
massimo stream tcp nowait root /tmp/massimoput massimoput


cat /tmp/massimoput
#!/sbin/sh
cat /etc/issue

ll /tmp/massimoput
-rwxr-x--- 1 root sys 26 Aug 28 13:59 /tmp/massimoput


then:

inetd -c

after:

XXXXXXX:/tmp>telnet XXXXXXX 5000
Trying...
Connected to localhost.
Escape character is '^]'.
HP-UX XXXXXXX B.11.00 U 9000/879 219035322 unlimited-user license
Connection closed by foreign host.



You put in your file whatever you want.

It has been funny to invent this :)

Massimo
Reply
Claudio_17
Frequent Advisor

тАО08-28-2003 04:10 AM

тАО08-28-2003 04:10 AM

Re: disable telnet login but keep telnetd active

Good ; anyway I see potential security issue here

Bye
0 Kudos
Reply
W.C. Epperson
Trusted Contributor

тАО08-28-2003 04:43 AM

тАО08-28-2003 04:43 AM

Re: disable telnet login but keep telnetd active

I think Peter is saying that his remote telnet -b process just wants to capture the login banner. Switching to port 5000 "hides" the telnet service, but does not secure it. But you could used inetd.sec to allow telnet only from the desired ip address.
"I have great faith in fools; self-confidence, my friends call it." --Poe
0 Kudos
Reply
Peter Kielbasiewicz
Frequent Advisor

тАО08-28-2003 04:45 AM

тАО08-28-2003 04:45 AM

Re: disable telnet login but keep telnetd active

SSH: I have compiled ssh 3.6 for HPUX 10.20 and 11.00 according to the description from www.atomicgears.com/papers/osshpux.html
and I even built a complete swinstall package.


Massimo: I tested your idea and it solves my problem. Thanks.
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

тАО08-28-2003 04:47 AM

тАО08-28-2003 04:47 AM

Re: disable telnet login but keep telnetd active

I'm not hiding the telnetd service, i'm creating a new service that only answer his request!
telnetd can be disabled without problem, what is needed is an open port.

Massimo


0 Kudos
Reply
Peter Kielbasiewicz
Frequent Advisor

тАО08-28-2003 04:49 AM

тАО08-28-2003 04:49 AM

Re: disable telnet login but keep telnetd active

I tried massimos idea with telnetd daemon disabled of course.
You just need the telnet client to issue a connection to port XXXX.
There is no telnet daemon necessary on the target host and thus there is no login possible either.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.