Re: second telnetd?

Ben Wilson_4
Advisor

second telnetd?

Hi,
I tried in vain to stop my company from opening telnet to our HP 11.0 server from the internet for a single application.
After telnetting in, the user's login script starts the app and logs out. I feel confident in the security of the login scripts, but I only want the user accounts that start the application to be able to telnet from the internet.
Any ideas? I was looking at running a second telnet daemon on a different port, but how do you force an automatic logon (not letting them choose a username to log in as)?
I was looking at the telnetd on Linux, and was curious about the -L option, providing a different program than "/bin/login" for authentication. Is this option available on HP-UX?

Thanks,
Ben
G. Vrijhoeven
Honored Contributor

Re: second telnetd?

Hi,

For a second telnetd on another port: in /etc/inetd.conf, copy the telnet line and alter the port, then reload (inetd -c). But think about the next option:

I think you should take a look at sshd, if you want your system available from the internet.

take a look at this url:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0xd4cecf38d6bdd5118ff10090279cd0f9,00.html

Hope this will help.

Gideon
Ben Wilson_4
Advisor

Re: second telnetd?

I did install ssh, but I can't get anybody to use it. All the users connect with ProComm or Reflection Windows telnet applications. I haven't seen an application like them for ssh that allows scripting and scheduling.

The real problem I have is trying to force the username and password that is used when connecting to the second "internet" telnetd. Once that is done, I have pretty tight login scripts to take care of the rest.

Thanks,
Ben
G. Vrijhoeven
Honored Contributor

Re: second telnetd?

Hi,

Ok. How are you planning to alter the TCP port these applications are using to set up their telnet connections?

telnet machine_name:32

A login procedure can be automated with a .rhosts file and remsh, but over the internet?!?!?

Is it possible to create an ssh tunnel and let those applications connect through the tunnel?

Gideon

Craig Rants
Honored Contributor

Re: second telnetd?

If they are going to play that way I would turn their shell into a TUI program that lets them execute their scripts.

Instead of /bin/sh in the password file for the user they get /usr/local/script.sh

When they sign in they get the TUI and no shell, they may change their tune after that.

Good Luck,
Keep fighting the good fight,
C
"In theory, there is no difference between theory and practice. But, in practice, there is." Jan L.A. van de Snepscheut
Bernie Vande Griend
Respected Contributor

Re: second telnetd?

I don't think you want to automate the telnet connection from the internet or then it will be too easy for someone to get in who shouldn't be. However, you can use /etc/profile to check the IP the user is coming from and the user ID they are using and stop the login if it doesn't fit your criteria. You should then be able to differentiate between a connection from internally and from the internet. Products like CA's Access Control and Symark's PowerBroker also have nice solutions for situations like this.
Ye who thinks he has a lot to say, probably shouldn't.
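One way to implement the /etc/profile check Bernie describes, as an added example that is not from the thread; the account list, the internal network prefix and the who(1) parsing are assumptions (on HP-UX the remote host is printed with `who -R`, so use `who -mR` there):

```sh
#!/bin/sh
# /etc/profile fragment (example, not from the thread): allow only designated
# application accounts to continue when the session comes from outside the
# internal network. Everything else is dropped before a shell is reached.

# Accounts permitted to log in from the internet (constructed list).
APP_USERS="appuser1 appuser2"
# Address prefix of the internal network (constructed); anything else is "internet".
INTERNAL_PREFIX="10.1."

# is_internal IP -> 0 if the address belongs to the internal network.
is_internal() {
    case "$1" in
        "$INTERNAL_PREFIX"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# login_allowed USER IP -> 0 if the session may continue, 1 if it must end.
login_allowed() {
    user=$1
    ip=$2
    # Internal sessions keep the existing behaviour.
    if is_internal "$ip"; then
        return 0
    fi
    # External sessions: only the listed application accounts get through.
    for u in $APP_USERS; do
        [ "$u" = "$user" ] && return 0
    done
    return 1
}

# session_ip -> remote host of the current terminal as reported by who(1).
# Assumes the host appears in parentheses in the last field (who -m on Linux,
# who -mR on HP-UX); adjust the parsing for your system.
session_ip() {
    who -m 2>/dev/null | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# enforce_login_policy: call this from /etc/profile. Sessions that fail the
# check are logged to syslog and terminated before the user's .profile runs.
enforce_login_policy() {
    me=${LOGNAME:-$(id -un)}
    src=$(session_ip)
    if ! login_allowed "$me" "${src:-unknown}"; then
        logger -p auth.warning "profile: refused $me from ${src:-unknown}"
        exit 1
    fi
}
```

A user whose shell never reaches /etc/profile (a non-login shell, or an account with a custom shell) is not covered by this check, so it complements rather than replaces restricting the inetd service itself.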
Ben Wilson_4
Advisor

Re: second telnetd?

Thanks for the suggestions.

My plan was to run a second telnet daemon on a different port, say 1023, then when a telnet is made to the internet IP on port 23, the firewall would forward it to port 1023 on the internal IP.

Then that telnet daemon would auto-login as a user that executes the app in the .login, then the next line is "logout".

Maybe I should forget telnet and write a Perl script to listen on the port and then run the app?

Ideas appreciated,
Ben