Re: Authentication for telnet.


Peter Easthope
From: Reco <[hidden email]>
Date: Sat, 28 Sep 2019 19:23:45 +0300
> I have to ask - what are you trying to achieve?

An interactive shell session with minimal overhead. (Or maximal
efficiency.)  The telnet client in the Oberon subsystem is noticeably
faster than competitors.

> ... your request seems to be awfully close to (in)famous A/B
> problem, ...

I might have read about the A/B Problem years ago but don't recall or
understand well enough.

> telnetd(8), "-a" and "-L" parameters.

Just had a look at the parameters (again?) and don't have a clear idea
to set them.  Tips welcome.  

Regards,               ... Peter E.


--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140            Bcc: peter at easthope. ca


Re: Authentication for telnet.

andy smith-10
Hello,

On Sun, Sep 29, 2019 at 02:36:02PM -0700, [hidden email] wrote:
> From: Reco <[hidden email]>
> > I have to ask - what are you trying to achieve?
>
> An interactive shell session with minimal overhead. (Or maximal
> efficiency.)  The telnet client in the Oberon subsystem is noticeably
> faster than competitors.

Because such a thing is hideously insecure, it has fallen into
disuse and SSH is the name of the game these days. Even if you do
not require the security of SSH, the mere fact that SSH is
ubiquitous means that you may have an easier time using SSH for
this. Have you tried SSH and found it lacking somehow?

Is it a case that the hosts you are dealing with are too
underpowered CPU-wise to cope with SSH's encryption?

I am old enough to remember how we used to remotely manage machines
before SSH was invented: rlogin. You can still install rlogin on
Debian, and by crafting a suitable $HOME/.rhosts file you can
provide passwordless plain text login capability. "man rlogin" and
"man 5 rhosts" should get you going. I still think it is a really
bad idea unless SSH is totally out of the question.

Finally, it is possible to spawn a shell on a particular port with
socat and then use socat at the other end to connect to it, to
provide an interactive shell session again with no authentication or
encryption. See:

    https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method2usingsocat

> > ... your request seems to be awfully close to (in)famous A/B
> > problem, ...
>
> I might have read about the A/B Problem years ago but don't recall or
> understand well enough.

It's when someone has a problem, and they think a particular method
will solve it, so they ask about that method rather than the problem
itself. They risk missing a much better solution because they
focussed on the particular method they knew of.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Authentication for telnet.

andy smith-10
On Sun, Sep 29, 2019 at 10:51:22PM +0000, Andy Smith wrote:
> On Sun, Sep 29, 2019 at 02:36:02PM -0700, [hidden email] wrote:
> > An interactive shell session with minimal overhead. (Or maximal
> > efficiency.)

> I am old enough to remember how we used to remotely manage machines
> before SSH was invented: rlogin.

Oh, I see now that you were interested in passwordless equivalent of
"telnet localhost".

It is confusing why you would need to do this to localhost as you
could just type "bash" (or dash or zsh or whatever) to get a new
shell. So it would help our understanding if you were to explain
what your use case is for this new interactive shell session.

If you are in some sort of graphical desktop then as you already
say, the usual method is just to open a new terminal emulator.

On the console you could switch to a new virtual console
ctrl+alt+F1, F2, F3 etc. That would have a login prompt though.
Would that solution be good enough if it was automatically logged in
as your user?

If you are just trying to execute things as another user then su or
sudo may be more appropriate. "sudo -u anotheruser -s" gets you an
interactive shell session as anotheruser, and can be configured to
be passwordless if you like.

I mentioned rlogin. With rlogin you can still use it over localhost
to switch between users in a passwordless manner. So too could SSH,
of course. If it's only to the same host though it seems overkill
compared to su or sudo.

So I think we really do still need to know more about your use case.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Authentication for telnet.

Peter Easthope
In reply to this post by Peter Easthope
From: Andy Smith <[hidden email]>
Date: Sun, 29 Sep 2019 22:51:22 +0000
> Is it a case that the hosts you are dealing with ...

From: [hidden email]
Date: Sat, 28 Sep 2019 08:15:07 -0700
> Opening a terminal emulator in default configuration on localhost, ...

Localhost; not hosts.

Also,
    From: [hidden email]
    Date: Mon, 14 Jun 2010 11:03:50 -0700
> ... inside my Shorewalled network.

From: Andy Smith <[hidden email]>
Date: Sun, 29 Sep 2019 22:51:22 +0000
> Is it a case that the hosts you are dealing with are too
> underpowered CPU-wise to cope with SSH's encryption?

    From: [hidden email]
    Date: Mon, 14 Jun 2010 11:03:50 -0700
> ... telnet opens in about 1 s. ... ssh requires about 15 s.  

Any computer built since 1990 should be able to run
a plain old terminal session.

Regards,                 ... P.



--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140            Bcc: peter at easthope. ca


Re: Authentication for telnet.

Reco
In reply to this post by Peter Easthope
On Sun, Sep 29, 2019 at 02:36:02PM -0700, [hidden email] wrote:
> From: Reco <[hidden email]>
> Date: Sat, 28 Sep 2019 19:23:45 +0300
> > I have to ask - what are you trying to achieve?
>
> An interactive shell session with minimal overhead. (Or maximal
> efficiency.)  The telnet client in the Oberon subsystem is noticeably
> faster than competitors.

apt install xterm.
Or press Ctrl+Alt+F2, no software installation required.


> > ... your request seems to be awfully close to (in)famous A/B
> > problem, ...
>
> I might have read about the A/B Problem years ago but don't recall or
> understand well enough.

You ask how to do an "A" while what you really need is to do "B", but
you don't tell about "B" at all. AKA Perl's "XY" problem - [1].


> > telnetd(8), "-a" and "-L" parameters.
>
> Just had a look at the parameters (again?) and don't have a clear idea
> to set them.  Tips welcome.  

telnetd -a none -L /bin/bash

Reco

[1] https://www.perlmonks.org/?node=XY+Problem


Re: Authentication for telnet.

Dan Ritter-4
In reply to this post by andy smith-10
Andy Smith wrote:
>
> Is it a case that the hosts you are dealing with are too
> underpowered CPU-wise to cope with SSH's encryption?
>

For what it's worth, I used to routinely SSH in to an appliance running
on an extremely underpowered CPU (by today's standards), a 30 MHz MIPS
core. The initial setup of the session could take an obnoxiously long
time -- 15 to 20 seconds -- but everything was smooth after that.

-dsr-


Re: Authentication for telnet.

andy smith-10
In reply to this post by Peter Easthope
Hello,

On Sun, Sep 29, 2019 at 07:28:45PM -0700, [hidden email] wrote:
> From: [hidden email]
> Date: Sat, 28 Sep 2019 08:15:07 -0700
> > Opening a terminal emulator in default configuration on localhost, ...
>
> Localhost; not hosts.

It's easy to get confused because your posting style is incredibly
difficult to follow. You break threads and give very little detail.
Help us to help you.

> > ... telnet opens in about 1 s. ... ssh requires about 15 s.  

If your SSH takes 15 seconds to connect to localhost then you have a
configuration issue. As a first guess, check you do not have it
using DNS.

"ssh -v localhost" might give you some hint as to where in the
connection/login process the time is being spent.

But because of your reluctance to tell us exactly what you're trying
to do, we don't even know if ssh is the best tool for the job.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Authentication for telnet.

mick crane
On 2019-09-30 16:46, Andy Smith wrote:

> Hello,
>
> On Sun, Sep 29, 2019 at 07:28:45PM -0700, [hidden email] wrote:
>> From: [hidden email]
>> Date: Sat, 28 Sep 2019 08:15:07 -0700
>> > Opening a terminal emulator in default configuration on localhost, ...
>>
>> Localhost; not hosts.
>
> It's easy to get confused because your posting style is incredibly
> difficult to follow. You break threads and give very little detail.
> Help us to help you.
>
>> > ... telnet opens in about 1 s. ... ssh requires about 15 s.
>
> If your SSH takes 15 seconds to connect to localhost then you have a
> configuration issue. As a first guess, check you do not have it
> using DNS.

If it takes that long and eventually connects likely it's something like
sshd is trying to figure out from its config file how it is supposed to
authenticate, can't, so tries various methods until it finds one that
works.



> "ssh -v localhost" might give you some hint as to where in the
> connection/login process the time is being spent.
>
> But because of your reluctance to tell us exactly what you're trying
> to do, we don't even know if ssh is the best tool for the job.
>
> Cheers,
> Andy

--
Key ID    4BFEBB31


Re: Authentication for telnet.

Peter Easthope
In reply to this post by Peter Easthope
From: Reco <[hidden email]>
Date: Sat, 28 Sep 2019 19:23:45 +0300
> telnetd(8), "-a" and "-L" parameters.

OK.
peter@joule:~$ grep telnet /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user
# Restart inetd.

Then the result from telnet to localhost is in this little screenshot.
http://easthope.ca/TelnetScreenshot.jpg 

So in Debian 10 the manual for telnetd mentions -a but the screenshot
suggests it is deprecated.

The -L parameter might work; if I can find a suitable null procedure.  Eg.
grep telnet /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -L /bin/null

This null is fictitious of course.  Concrete ideas welcome.

Thanks,                       ... P.

--
https://en.wikibooks.org/wiki/Medical_Machines
Tel: +1 604 670 0140            Bcc: peter at easthope. ca


Re: Authentication for telnet.

Reco
On Mon, Sep 30, 2019 at 09:36:51PM -0700, [hidden email] wrote:
> From: Reco <[hidden email]>
> Date: Sat, 28 Sep 2019 19:23:45 +0300
> > telnetd(8), "-a" and "-L" parameters.
>
> OK.
> peter@joule:~$ grep telnet /etc/inetd.conf
> telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user
> # Restart inetd.

I fail to see how that's "OK". Where's "-L" (OK, it's "-E")? Why the
in.telnetd, not the conventional telnetd?

Try it:

1) apt install inetutils-inetd openbsd-inetd

2) echo 'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash' > /etc/inetd.conf

3) service openbsd-inetd restart

4) telnet localhost


> Then the result from telnet to localhost is in this little screenshot.
> http://easthope.ca/TelnetScreenshot.jpg 

Please copy text to the mail next time.

Reco
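
An audit for the inetd.conf line shown in the message above, added here as an example and not written by anyone in the thread: it flags cleartext login services and telnetd entries that disable authentication or swap the login program. `audit_inetd` and `sample_conf` are hypothetical names, and the `ident` line in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag inetd.conf entries that expose
# cleartext logins or start telnetd without authentication.

# Read inetd.conf-style lines from the named files (or stdin) and print
# one finding per line as "SEVERITY service: reason".
audit_inetd() {
    awk '
    NF < 6 || $1 ~ /^#/ { next }      # blank, malformed or commented out
    {
        svc = $1; user = $5
        # telnet/login/shell/exec are the inetd names for telnetd, rlogind,
        # rshd and rexecd: all of them carry credentials and data in clear.
        if (svc ~ /^(telnet|login|shell|exec)$/)
            printf "WARN %s: cleartext login service, server runs as %s\n", svc, user

        # Field 6 is the server path (often tcpd); the rest is its argv.
        is_telnetd = 0
        for (i = 6; i <= NF; i++)
            if ($i ~ /telnetd$/) is_telnetd = 1
        if (!is_telnetd) next

        for (i = 7; i < NF; i++) {
            if ($i == "-a" && $(i + 1) == "none")
                printf "CRIT %s: telnetd authentication disabled (-a none)\n", svc
            if ($i == "-E" || $i == "-L")
                printf "CRIT %s: login program replaced by %s (%s)\n", svc, $(i + 1), $i
        }
    }' "$@"
}

# Constructed sample: the line proposed in the thread, the earlier
# "-a user" variant commented out, and an unrelated service.
sample_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash
#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user
ident   stream  tcp     nowait  identd  /usr/sbin/identd identd
EOF
}

sample_conf | audit_inetd
```

On a real host, pass the file instead of the sample: `audit_inetd /etc/inetd.conf`.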


Re: Authentication for telnet.

Greg Wooledge
On Tue, Oct 01, 2019 at 09:48:09AM +0300, Reco wrote:
> On Mon, Sep 30, 2019 at 09:36:51PM -0700, [hidden email] wrote:
> > peter@joule:~$ grep telnet /etc/inetd.conf
> > telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd -a user
> > # Restart inetd.

Why in the hell is anyone running telnetd in 2019?

What is the PURPOSE of this idiocy?  To recreate that 1992 feeling?  For
nostalgia?

Is the machine at least network-less?  Because introducing a security
hole of this magnitude on an Internetworked machine would be unforgivable.

> I fail to see how that's "OK".

Ditto!

> > Then the result from telnet to localhost is in this little screenshot.
> > http://easthope.ca/TelnetScreenshot.jpg 
>
> Please copy text to the mail next time.

Ditto!  Or maybe, because this machine isn't networked, he had to take
a photograph.  No doubt using actual film, and then developing it, and
then scanning it in on a flatbed scanner.  You know, because he lives
in 1992.


Re: Authentication for telnet.

tomas@tuxteam.de
On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote:

[...]

> Why in the hell is anyone running telnetd in 2019?
>
> What is the PURPOSE of this idiocy?  To recreate that 1992 feeling?  For
> nostalgia?

Now try in a more polite and friendly way. Then you'd have a chance
of achieving something useful (instead of unleashing yet another
useless BOFH [1] pissing contest).

Thanks for trying :)

[1] https://en.wikipedia.org/wiki/BOFH

-- t


Re: Authentication for telnet.

David-2
On Tue, 1 Oct 2019 at 22:57, <[hidden email]> wrote:
> On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote:

> > Why in the hell [...]

> Now try in a more polite and friendly way. [...]

> Thanks for trying :)

I agree that polite and friendly is the goal.

I see that a polite way was tried already by several people.

When people ask for help, but then avoid being helped, it's dubious
behaviour. In a forum like this, such situations occur from time to
time.

Sometimes a means of self-protection is required, especially for
people who expend effort to help others without reward.

There will always be people who don't communicate well, or those who
will take what suits them, perhaps repeatedly, but will never give
back anything, except perhaps negativity.

That's to be expected. But the worst effect of community-parasites
(trolls, help vampires, etc) is when they trigger conflict amongst the
active, contributing, valuable members of the communities that they
feed off.

Let's have sufficient awareness to avoid that here. I don't like to
see bickering or denigration of anyone here, but especially regular
contributors with expertise.

The people who do give back.

And especially when questions are not even about Debian-project
software.

I've written a few shitty messages to this list too, when people don't
meet my expectations of behaviour. But usually when I'm finished,
I press "delete" instead of "send", and then find something fun to
do instead :)

To everyone who contributes here ... thank you for your work!


Re: Authentication for telnet.

Brad Rogers
On Wed, 2 Oct 2019 00:54:19 +1000
David <[hidden email]> wrote:

Hello David,

>I've written a few shitty messages to this list too, when people don't
>meet my expectations of behaviour. But usually when I'm finished,
>I press "delete" instead of "send", and then find something fun to

Been there, done that.  Quite cathartic.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
I'm surfing on a wave of nostalgia for an age yet to come
Nostalgia - Buzzcocks


Re: Authentication for telnet.

tomas@tuxteam.de
In reply to this post by David-2
On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote:

> On Tue, 1 Oct 2019 at 22:57, <[hidden email]> wrote:
> > On Tue, Oct 01, 2019 at 08:52:48AM -0400, Greg Wooledge wrote:
>
> > > Why in the hell [...]
>
> > Now try in a more polite and friendly way. [...]
>
> > Thanks for trying :)
>
> I agree that polite and friendly is the goal.
>
> I see that a polite way was tried already by several people.
>
> When people ask for help, but then avoid being helped, it's dubious
> behaviour. In a forum like this, such situations occur from time to
> time.

Yes, it's sometimes difficult, I know. And especially Greg is known
for generally helpful and very knowledgeable posts here.

> I've written a few shitty messages to this list too [...]

Who hasn't? I'm sure I've my score of them, publicly documented.
I'm glad if someone stops me, in those cases.

I hope mine wasn't too harsh, though.

Cheers
-- t


Re: Authentication for telnet.

David-2
On Wed, 2 Oct 2019 at 01:16, <[hidden email]> wrote:
> On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote:

> > I've written a few shitty messages to this list too [...]

I'm sorry, the word "too" should not appear in my sentence
above, I did not notice that it carries implications that I did
not intend, please ignore it.

I certainly do not wish to describe any messages written by
anyone as "shitty". That meaning was unintended.

> I hope mine wasn't too harsh, though.

Not at all tomas.

I was extrapolating and making a broad statement about what we
do here. I was certainly not calling anyone into line, I am not
qualified to do so.

You are Mr "have a nice day" after all :)


Re: Authentication for telnet.

tomas@tuxteam.de
On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote:

> On Wed, 2 Oct 2019 at 01:16, <[hidden email]> wrote:
> > On Wed, Oct 02, 2019 at 12:54:19AM +1000, David wrote:
>
> > > I've written a few shitty messages to this list too [...]
>
> I'm sorry, the word "too" should not appear in my sentence
> above, I did not notice that it carries implications that I did
> not intend, please ignore it.
>
> I certainly do not wish to describe any messages written by
> anyone as "shitty". That meaning was unintended.

No problem, you'll find enough to back up your claim. Pick a couple
of mine ;-D

> > I hope mine wasn't too harsh, though.
>
> Not at all tomas.
>
> I was extrapolating and making a broad statement about what we
> do here. I was certainly not calling anyone into line, I am not
> qualified to do so.
>
> You are Mr "have a nice day" after all :)

No, that is Thomas (our names are pretty similar, but he is
far less grumpy than me and besides he has quite a bit of
free software out there to show :)

Cheers
-- t


Re: Authentication for telnet.

David-2
On Wed, 2 Oct 2019 at 01:49, <[hidden email]> wrote:
> On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote:

> > You are Mr "have a nice day" after all :)

> No, that is Thomas (our names are pretty similar, but he is
> far less grumpy than me and besides he has quite a bit of
> free software out there to show :)

Oh dear, I'm sorry again, this time for mixing you up with Thomas!

I'm embarrassed about that. I can be a bit hopeless with details
sometimes, my recall memory is unreliable. But to the best of
my recall you are both extremely polite people ;p


Re: Authentication for telnet.

tomas@tuxteam.de
On Wed, Oct 02, 2019 at 01:57:34AM +1000, David wrote:

> On Wed, 2 Oct 2019 at 01:49, <[hidden email]> wrote:
> > On Wed, Oct 02, 2019 at 01:29:01AM +1000, David wrote:
>
> > > You are Mr "have a nice day" after all :)
>
> > No, that is Thomas (our names are pretty similar, but he is
> > far less grumpy than me and besides he has quite a bit of
> > free software out there to show :)
>
> Oh dear, I'm sorry again, this time for mixing you up with Thomas!

I can't know how Thomas feels about it. Myself, I feel honoured :-)

No worries, really.

Cheers
-- t


Re: Authentication for telnet.

Thomas Schmitt
Hi,

David wrote:
> > Oh dear, I'm sorry again, this time for mixing you up with Thomas!

[hidden email] wrote:
> I can't know how Thomas feels about it.

I regularly run whoami to avoid any local confusion.


Have a nice day :)

Thomas
