Operating System - HP-UX

ways to login if telnet is disabled.

ashish nanjiani
Frequent Advisor

ways to login if telnet is disabled.

We are planning on moving to an ssh environment, and part of the security deal is to disable telnet and the r commands on the system. Though this is good from a security point of view, it really concerns me as a sysadmin. What if the box hangs and does not allow me to ssh in (ssh being on a different layer of protocol)? Since telnet is also disabled, is there any way to get into the box? I know I can get into the console, but I am searching for any other way to break into the box in case ssh throws me out. The other concern is that if a user's password expires, ssh won't tell the user that his password has expired and won't prompt for a new password, which telnet does more effectively.
12 REPLIES
Mark Greene_1
Honored Contributor

Re: ways to login if telnet is disabled.

rlogin, ftp, uucp, and any modems you have attached will all allow access, provided they are configured.

HTH
mark
the future will be a lot like now, only later
John Bolene
Honored Contributor

Re: ways to login if telnet is disabled.

You can add a secure web console to a serial port and get in that way, but you are seriously limiting ways to get in.

You can also write your own port daemon terminal program to let in communications, but that can be quite a bit of programming.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
John Palmer
Honored Contributor

Re: ways to login if telnet is disabled.

If it's a modern server with a GSP (L,N etc) then you can configure LAN access to the GSP and connect to the console that way.

Regards,
John
Craig Rants
Honored Contributor

Re: ways to login if telnet is disabled.

Ashish,
I don't know if you can change your policy, but a modification would be to allow telnet for non-root users and disable telnet for root with the /etc/securetty file. I would still disable the r commands. You can then use ipf/9000 to lock down the traffic allowed to port 23 to trusted IPs. That way, if ssh ever fails, you could telnet from your trusted box to your personal account and then su to root.

C
"In theory, there is no difference between theory and practice. But, in practice, there is." Jan L.A. van de Snepscheut
Darrell Allen
Honored Contributor

Re: ways to login if telnet is disabled.

Hi,

In my experience (formerly at a site with about 200 UNIX servers running ssh only), ssh has been very stable. You should not worry about it failing. If it does, it would be no different than if telnet or rlogin failed. You'd have to go to the console or another serial terminal.

If you are switching to ssh because it encrypts the session (including loginid and password), don't forget that you need to use ssh from end to end. For example, if you telnet from your workstation to a server then ssh from that server to another, the encrypted link is just between the servers. Everything you type is in clear text between your workstation and the intermediate server.

Sorry, I don't have an answer for the expired password question.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
S.K. Chan
Honored Contributor

Re: ways to login if telnet is disabled.

If telnet and all the "r" commands are disabled, you're pretty much down to 1 choice, i.e. to get in via the console (LAN console, terminal console, serial console, etc.). As to dealing with password expiration notification, the way I see it there are 2 choices:
- No password aging, but you have a policy that forces all users to change their password, say, every 6 months.
- With password aging, you have to have a script that calculates the expiration field and sends out a message to alert the users.
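As an added example, not code from any poster in this thread, here is a Python version of the expiry-calculation script the second choice calls for. It assumes a non-trusted-mode HP-UX /etc/passwd, where aging is a ",Mmww" suffix on the password field as documented in passwd(4) (a trusted system keeps this in the /tcb database instead), and all account lines and hashes are constructed for the demo.

```python
from datetime import date

# HP-UX (non-trusted mode) stores password aging in /etc/passwd as a
# ",Mmww" suffix on the encrypted-password field (passwd(4)): M = maximum
# weeks the password is valid, m = minimum weeks between changes, ww = week
# of the last change counted from 1970-01-01, least significant character
# first. Each character is a digit in the base-64 alphabet used by a64l(3C).
A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)

# Constructed sample lines; the hashes and aging values are made up.
SAMPLE_PASSWD = [
    "root:x9zQv.Hk2p1Lc:0:3::/:/sbin/sh",                             # no aging
    "ashish:u7Rt3bKmPq9We,B/JO:101:20::/home/ashish:/usr/bin/sh",     # max 13 weeks
    "oldacct:Zk4Lm8nQp2Rs1,B/4O:102:20::/home/oldacct:/usr/bin/sh",   # long overdue
    "newhire:Tq2Wx7Yz4Ab9Cd,..:103:20::/home/newhire:/usr/bin/sh",    # forced change
]

def a64_decode(chars):
    """Decode a little-endian base-64 string the way a64l(3C) does."""
    return sum(A64.index(c) << (6 * i) for i, c in enumerate(chars))

def parse_aging(passwd_field):
    """Return (max_weeks, min_weeks, last_change_week or None), or None if unaged."""
    if "," not in passwd_field:
        return None
    aging = passwd_field.split(",", 1)[1]
    if len(aging) < 2:
        return None
    max_w, min_w = A64.index(aging[0]), A64.index(aging[1])
    last = a64_decode(aging[2:4]) if len(aging) >= 4 else None
    return max_w, min_w, last

def days_until_expiry(passwd_lines, today):
    """Map each aged account to days until its password expires (<= 0: expired)."""
    this_week = (today - EPOCH).days // 7
    report = {}
    for line in passwd_lines:
        fields = line.split(":")
        aging = parse_aging(fields[1]) if len(fields) > 1 else None
        if aging is None:
            continue
        max_w, min_w, last = aging
        if max_w == 0 and min_w == 0:      # ",.." forces a change at next login
            report[fields[0]] = 0
        elif last is not None:
            report[fields[0]] = (last + max_w - this_week) * 7
    return report

def accounts_to_warn(passwd_lines, today, warn_days=14):
    """Accounts whose owners should be alerted: expiring within warn_days or expired."""
    return sorted(u for u, d in days_until_expiry(passwd_lines, today).items()
                  if d <= warn_days)
```

Run it from cron and feed `accounts_to_warn()` to mailx, so users learn about an impending expiry by mail rather than by a failed ssh login.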
ashish nanjiani
Frequent Advisor

Re: ways to login if telnet is disabled.

Well, we are planning on disabling ftp, rlogin and telnet for all the users by disabling the ports. So I guess the only way I can get in is either through the console (GSP) or through the secure server.

thanks for all your replies
David Burgess
Esteemed Contributor

Re: ways to login if telnet is disabled.

Jump on the console. You could move telnet to another port by editing /etc/services. Not a great move, but it would see you out of a sticky situation. You could have it only connect via the support modem.

HTH

Dave.
David Burgess
Esteemed Contributor

Re: ways to login if telnet is disabled.

Actually you could ftp in. Pull down the config files. Edit them and send them back. Then you've got telnet working when you really need it.

Regards,

Dave.
Uday_S_Ankolekar
Honored Contributor

Re: ways to login if telnet is disabled.

Hello,

Webconsole and lanconsole (L & N class) are the only way you can go for now.
I would keep telnet access only for super user by configuring inetd.sec file.

-USA...
Good Luck..
ashish nanjiani
Frequent Advisor

Re: ways to login if telnet is disabled.

Hi Uday,

Is it possible to put login names in the inetd.sec file? I thought you can only put hostnames/IPs in that file. In that case, if I am trying to login from home with a service provider generated IP address, I will be denied login even as superuser.
Darrell Allen
Honored Contributor

Re: ways to login if telnet is disabled.

You are correct. inetd.sec is only for IP addresses, not userids.

By the way, I'd assume that if you are disabling telnet and the "r" commands for security reasons, you'd also want to disable ftp.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
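To make the inetd.sec point from Craig's, Uday's and Darrell's replies concrete, here is an added example (not from any poster, and not HP's own inetd code) that applies the allow/deny rules of a constructed /var/adm/inetd.sec to a connecting client. It assumes the inetd.sec(4) line format "service allow|deny host...", that '*' wildcards an address octet, that the first entry for a service is the one in force, and that host names are compared literally against the client's resolved name.

```python
# Constructed sample of an HP-UX /var/adm/inetd.sec; every host and address
# in it is made up. Format (inetd.sec(4)): <service> <allow|deny> <host list>,
# where a host is a name or a dotted-quad address and '*' wildcards an octet.
SAMPLE_INETD_SEC = """\
# service  allow|deny  hosts
telnet   allow  10.1.2.7 10.1.2.* adminws
ftp      deny   10.1.*.*
"""

def parse_inetd_sec(text):
    """Return {service: (action, [host patterns])}; first entry per service wins."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        service, action, *hosts = line.split()
        rules.setdefault(service, (action.lower(), hosts))
    return rules

def host_matches(pattern, addr, hostname=None):
    """True if a client (dotted-quad addr, optional resolved name) matches one pattern."""
    if hostname is not None and pattern == hostname:
        return True
    pp, ap = pattern.split("."), addr.split(".")
    return len(pp) == 4 and len(ap) == 4 and all(p in ("*", a) for p, a in zip(pp, ap))

def is_permitted(rules, service, addr, hostname=None):
    """inetd.sec semantics: no entry -> everyone permitted; 'allow' lists the only
    hosts permitted; 'deny' lists the only hosts refused. There is no user-name
    field, so the decision is per client host, never per login name."""
    if service not in rules:
        return True
    action, hosts = rules[service]
    listed = any(host_matches(h, addr, hostname) for h in hosts)
    return listed if action == "allow" else not listed

SAMPLE_RULES = parse_inetd_sec(SAMPLE_INETD_SEC)
```

With these rules a telnet connection from a home ISP address such as 203.0.113.9 is refused no matter which account is logging in, which is exactly the limitation Darrell describes; root-versus-user restrictions belong in /etc/securetty, as Craig suggests.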