[SUMMARY] Telnet without password

From: Gerhard Nolte <gnolte_at_gwdg.de>
Date: Mon, 18 Mar 1996 10:08:15 +0100

Hi managers,

My original question was

> I'd like to establish a telnet connection to a special account on a
> remote host. It's necessary to hide the password of the remote account
> to prevent our users from changing the remote account's password.

As mentioned in the followup it is not possible to create a ~/.rhosts
file on the remote host, therefore rlogin is no solution.

The majority suggests using expect and I'll follow that path.

Thanks for the numerous ideas from

"S.Barbaresi" <s.l.barbaresi_at_bangor.ac.uk>
Anthony D'Atri <aad_at_nwnet.net>
Huw Davies <cchd_at_lucifer.latrobe.edu.au>
"S. Grant" <grant_at_sunshine.psc.edu>
Albert De Knuydt <Bert.Deknuydt_at_esat.kuleuven.ac.be>
Doug McPherson <dougm_at_delphi.com>
Hellebo Knut <Knut.Hellebo_at_nho.hydro.com>
Niels Kokholm <kokholm_at_math.ku.dk>
Jim Belonis <belonis_at_dirac.phys.washington.edu>
Mark Perlman <parsec!perlmmr_at_uucp-1.csn.net>


Ideas in detail:
------------------------------------------------------------------
From: Anthony D'Atri <aad_at_nwnet.net>
Use ssh instead.
------------------------------------------------------------------
From: "S. Grant" <grant_at_sunshine.psc.edu>
Why doesn't everyone have their own account?

Maybe you could create a clientside wrapper program that would call
telnet and supply the password. If it were compiled, the password would
not be easily determined from the binary. You could also look at
`expect', it is great for logging in automatically.

-Shirl
------------------------------------------------------------------
From: Albert De Knuydt <Bert.Deknuydt_at_esat.kuleuven.ac.be>
Hello,

Maybe TUsh (Telnet User shell) is a solution ... It is a kind of wrapper
telnet thing. It can check what it receives from the remote site in a
local file, and then produce the appropriate response. You could use that
for logging in automatically. You can switch off echoing at the
appropriate time. You can put these responses into a special startup file,
like this:

----
# Logging in
trigger "Please enter your name:" AlMumin
trigger "Please enter your password:" AlMamun%n check mail%n earmuffs on
# Automatic logout
trigger "*15 seconds to go to reboot*"   tf See you soon !
trigger "*5 seconds to go to reboot*"    quit
----
I only have an ancient copy, maybe you should archie for
more recent stuff.  I include the part of the README file here... It was
used here for, don't shoot me :) , logging in automatically into MUDs
and creating virtual players.
--README--
/************************************************************************
 *      TUsh - The Telnet User's Shell          Simon Marsh 1992        *
 ************************************************************************/
TUsh is a front end for telnet protocol connections. Features on offer
are (among many more) powerful macro processing, virtual screen
display, site list and multiple connections.
[...]
-------------- eMail Bert.Deknuydt_at_esat.kuleuven.ac.be ---------------
B.DeKnuydt, MI2-KULEUVEN                            Tel. +32-16-321041
K. Mercierlaan 94                /|    | || 
B-3001 Heverlee Leuven	      _,_)|  4_|_|| 
FLANDERS, BELGIUM	     / .                    Fax. +32-16-321986
-------------- http://www.esat.kuleuven.ac.be/~deknuydt --------------
     Surely Allah is with the patient. Qur'An, Sura 2, Verse 153
------------------------------------------------------------------
From: Doug McPherson <dougm_at_delphi.com>
You could use Tcl/Expect to form a script that logs the user in.   You'd have to
have the password in the script, so this may be a security problem for you.
You may be able to set protections and play some games in the expect script
to keep the average users out.  Definitely NOT hacker-proof, if you're
worried about malicious users, though. 
We use expect for automating tasks that require user interaction with
applications that *insist* on dealing with real people typing at ttys (i.e.
like telnet that can't just accept input from stdin, etc).
/doug
------------------------------------------------------------------
From: Hellebo Knut <Knut.Hellebo_at_nho.hydro.com>
Regards,
If you're thinking of the 'passwd' command you can write a wrapper script
denying access to the 'passwd' command from the special account, i.e
/usr/bin/passwd = shellscript
/usr/bin/passwd.exec = original passwd command to be execed from the script.
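As an added example (my code, not Knut's or any contributor's), here is the same wrapper idea as a small C program rather than a shell script: it is installed as /usr/bin/passwd, refuses the shared account, and hands every other caller to the real binary renamed to /usr/bin/passwd.exec (which keeps its own setuid-root bit, so the wrapper itself needs no special permissions). The account name "special" and both paths are assumptions.

```c
/* Added example: a wrapper installed as /usr/bin/passwd that denies the
 * shared account and execs the real, renamed passwd for everyone else.
 * Assumptions: the shared account is named "special" and the original
 * binary has been moved to /usr/bin/passwd.exec. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define REAL_PASSWD "/usr/bin/passwd.exec"   /* assumed location of the real binary */

/* Accounts that may never change their password through this wrapper
 * (constructed list; replace "special" with the real shared account). */
static const char *const restricted[] = { "special", NULL };

/* Return 1 if `name` is on the restricted list, 0 otherwise. */
int is_restricted(const char *name)
{
    if (name == NULL)
        return 0;
    for (const char *const *p = restricted; *p != NULL; ++p)
        if (strcmp(name, *p) == 0)
            return 1;
    return 0;
}

/* Decide whether an invocation is allowed. `caller` is the name behind the
 * real uid (NULL if the uid has no passwd entry), `target` the optional
 * account named on the command line. Returns 1 to allow, 0 to deny. */
int passwd_allowed(const char *caller, const char *target)
{
    if (caller == NULL)                 /* unknown uid: fail closed */
        return 0;
    if (is_restricted(caller))          /* the shared account itself */
        return 0;
    if (target != NULL && is_restricted(target))   /* "passwd special" by someone else */
        return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    /* The real uid is what matters: the wrapper is not setuid, so this is the
     * user who actually typed the command. */
    const struct passwd *pw = getpwuid(getuid());
    const char *caller = pw ? pw->pw_name : NULL;
    const char *target = NULL;

    /* First non-option argument is the account being changed, if any. */
    for (int i = 1; i < argc; ++i)
        if (argv[i][0] != '-') { target = argv[i]; break; }

    if (!passwd_allowed(caller, target)) {
        fprintf(stderr, "passwd: changing this account's password is not permitted\n");
        return 1;
    }
    /* Hand over to the real program with the original arguments intact. */
    execv(REAL_PASSWD, argv);
    perror(REAL_PASSWD);               /* only reached if the exec itself fails */
    return 127;
}
```

Root keeps a way to change the shared account's password by running /usr/bin/passwd.exec directly; note that the wrapper only covers the `passwd` command, so any other password-changing path (yppasswd, chfn on some systems) needs the same treatment.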
------------------------------------------------------------------
From: Niels Kokholm <kokholm_at_math.ku.dk>
I have done something similar using "expect" to automate login to some
library databases. In this case, the password is written in the expect
script. In order that the password should be unreadable for the users, the
expect script is called from a C wrapper program, which is setgid to some
special group.  The expect script itself is readable by the special group,
but not general users. The following example shows the permissions we use.
(I guess the x for others on expect-script is superfluous).
-rwxr-sr-x   1 root     hostdbs    24336 Jun 28  1995 c-wrapper
-rwxr-x--x   1 root     hostdbs     2418 Sep  6  1995 expect-script
I have experienced that expect in case of errors tends to dump the part of
the script (from the place of the error and downwards) to the terminal and
exit. Therefore, I assign the passwords to variables at the top of the
script and use the variables further down.
Of course, the script should use full paths to spawned programs, and make
sure that spawned programs will not allow a shell escape.
------------------------------------------------------------------
From: Jim Belonis <belonis_at_dirac.phys.washington.edu>
You can probably telnet without exposing the password
by writing an executable but not readable script.
You would probably have to use an suid wrapper executable program
that sets the uid to the owner of the script, and runs the script.
The script would be protected so readable only by the owner.
This would not likely stop sophisticated users or users who have root access.
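As an added example (my code, not Jim's, Niels's or any project's), here is a C wrapper of the kind both Niels and Jim describe: it is installed setgid to a group that may read the expect script, execs the script from a fixed absolute path with a scrubbed environment, and refuses to run if the script's permissions have drifted from the intended ones. The script path, the expect path, the group name "hostdbs" and the permission policy are assumptions.

```c
/* Added example: setgid wrapper that runs a group-readable expect script
 * holding the remote password. Assumptions: the script lives at SCRIPT,
 * starts with "#!/usr/local/bin/expect -f", is owned root:hostdbs with
 * mode 750 or 751, and this wrapper is installed mode 2755 root:hostdbs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SCRIPT "/usr/local/lib/hostdb/expect-script"   /* assumed path */

/* Permission policy for the script: not readable by others (the whole point
 * of the setup) and not writable by group or others (otherwise someone could
 * edit the script and run their own code under the special group).
 * Returns 1 if the mode is acceptable. */
int script_mode_ok(mode_t mode)
{
    return (mode & (S_IROTH | S_IWOTH | S_IWGRP)) == 0;
}

/* The only variable inherited from the caller is TERM, since telnet sessions
 * need it; anything but a plain terminal name falls back to vt100 so a user
 * cannot smuggle arbitrary text into the script's environment. */
const char *choose_term(const char *requested)
{
    if (requested == NULL || *requested == '\0' || strlen(requested) > 32)
        return "vt100";
    for (const char *p = requested; *p; ++p)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '_' && *p != '.')
            return "vt100";
    return requested;
}

int main(void)
{
    struct stat st;

    /* Check the script before trusting it. There is a small check-then-exec
     * window here; on systems with fexecve(3) open the script once and use
     * fstat()/fexecve() on the same descriptor instead. */
    if (stat(SCRIPT, &st) != 0) {
        perror(SCRIPT);
        return 1;
    }
    if (!S_ISREG(st.st_mode) || !script_mode_ok(st.st_mode)) {
        fprintf(stderr, "%s: refusing to run: script must be a regular file, "
                        "not world-readable and not group/world-writable\n", SCRIPT);
        return 1;
    }

    /* Close any descriptors the caller left open beyond stdin/stdout/stderr,
     * so the privileged script cannot inherit them. */
    for (int fd = 3; fd < 64; ++fd)
        close(fd);

    /* Fixed environment: a known PATH and a sanitised TERM, nothing else
     * (no TCLLIBPATH, LD_PRELOAD or user-controlled PATH reaches expect). */
    char termvar[48];
    snprintf(termvar, sizeof termvar, "TERM=%s", choose_term(getenv("TERM")));
    char *const env[]  = { "PATH=/usr/bin:/bin", termvar, NULL };
    char *const args[] = { "expect-script", NULL };   /* no user arguments are passed */

    /* The kernel runs the #! interpreter with our effective gid, which is
     * what lets it read the group-readable script. */
    execve(SCRIPT, args, env);
    perror(SCRIPT);
    return 127;
}
```

Inside the script, follow Niels's advice: put the password in a variable at the top, spawn programs by full path, and keep the `interact` session away from anything that offers a shell escape. The users still reach the remote account with its password, so the wrapper protects the secret from casual reading, not from anyone with root or from a determined user who can dump the running process.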
------------------------------------------------------------------
From: Mark Perlman <parsec!perlmmr_at_uucp-1.csn.net>
Try using the "Rsh" (restricted shell).  You can get more detailed info from
the man page for "sh" and reading the section on "Restricted Shell".
------------------------------------------------------------------
Gerhard
-- 
Gerhard Nolte
Email: gnolte_at_gwdg.de    Voice: +49-551-709-2716    Fax: +49-551-709-2704
Max-Planck-Institut fuer Stroemungsforschung, 37073 Goettingen, Germany
Received on Mon Mar 18 1996 - 11:09:12 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:46 NZDT