TELNET (TELecommunication NETwork) is a network protocol for logging in to a remote system over the Internet or a local area network (LAN). It dates back to the late 1960s (RFC 15, 1969) and has a serious security problem: it was designed long before anyone expected hostile networks. Most admins will recommend OpenSSH (Secure Shell) for all remote access. But you may still find users demanding telnet over ssh because they are comfortable with it, or because they have scripts written in the 90s that they do not want to change. So what do you do when users demand telnet?
The problem with telnet
Telnet sends everything in clear text, including the username and password. Anyone who can see the traffic (with tcpdump, snoop or any other packet capture tool) can read the whole session, including the login.
One option is a Kerberos-enabled telnetd, which authenticates with Kerberos tickets instead of sending a password. A discussion of Kerberos and secure telnet is beyond the scope of this blog post; I recommend the Kerberos Infrastructure HOWTO for further information. The following packages under Debian install the Kerberized telnet server and clients (the KDC itself is in the separate krb5-kdc and krb5-admin-server packages):
# apt-get install krb5-telnetd krb5-clients
CentOS / RHEL / Red Hat / Fedora Linux users need to install the package called krb5-workstation (the KDC is in krb5-server):
# yum install krb5-workstation
You need to configure the Kerberos server (KDC) and then the Kerberos-enabled telnet / ftp services. Please see the man pages for further information. One caveat: Kerberos authentication on its own only keeps the password off the wire; the session data is still clear text unless the client also negotiates encryption (telnet -x with the MIT Kerberos client).
Bottom line: migrate users to ssh
I highly recommend migrating your users to SSH and discarding telnet, ftp and all the r* services (rsh, rlogin, rcp). First, educate users about telnet and the other insecure protocols. Once the user(s) are aware of the problem, help them migrate to SSH:
- Disable telnet (and rsh/rlogin/ftp) on the servers and require the ssh-based tools instead
- Explain the basic ssh syntax (ssh user@host, ssh user@host command)
- Explain password-less login with ssh keys (ssh-keygen, ssh-copy-id)
- Explain how to use ssh in scripts (key-based login, BatchMode so nothing prompts)
- Explain how to use sftp instead of the ftp client
- Explain how to use scp instead of the rcp client
OpenSSH (OpenBSD Secure Shell) is the default secure shell for encrypted communication sessions over a computer network using the ssh protocol. Usually you log in with ssh and edit its configuration file, /etc/ssh/sshd_config, over that remote session. If there is an error in the configuration, the server may not start again (i.e. no remote login allowed). Without access to a remote console, this is a disaster. So how do you find a syntax error in sshd_config before it bites you?
OpenSSH Test Mode
OpenSSH has a test mode. The -t option checks the validity of the configuration file and the sanity of the host keys, then exits without starting the daemon. This is useful for updating sshd reliably, since configuration options change between releases (the related -T option, extended test mode, also prints the effective configuration). After editing the config file, run the syntax check as follows:
$ sudo /usr/sbin/sshd -t
Sample output, from a config in which the PermitRootLogin keyword was misspelled:
/etc/ssh/sshd_config: line 26: Bad configuration option: PermitRootLogins
/etc/ssh/sshd_config: terminating, 1 bad configuration options
If there is an error, it is printed on screen and sshd exits with a non-zero status. Otherwise it prints nothing and exits 0:
$ sudo /usr/sbin/sshd -t
$ echo $?
0
If the error is reported on line 26, open the config file at that line with the vi text editor:
$ sudo vi +26 /etc/ssh/sshd_config
Please note that test mode can be run while the OpenSSH daemon (sshd) is running; it only parses the file. If there is no error, restart (or reload) sshd. Existing sessions, including the one you are typing in, are not dropped, because each connection is served by its own child process. The service is called sshd on Red Hat based systems and ssh on Debian / Ubuntu:
# service sshd restart
# /etc/init.d/ssh restart
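Here is an added example (not from the original post) that turns the check into a small script: the candidate file is parsed by sshd in test mode against that file (sshd -t -f) before it replaces the live configuration, a timestamped backup is kept, and the daemon is reloaded only after the check passes. The SSHD_BIN and RELOAD_CMD variables are override points I assume here so the script can be exercised against a stand-in; the file names and contents used with it are constructed.

```sh
#!/bin/sh
# Apply a new sshd_config without locking yourself out: sshd parses the
# candidate in test mode (-t) against that file (-f) *before* it replaces
# the live config. Added example, not part of the original post.
# SSHD_BIN and RELOAD_CMD are assumed override points (e.g. for testing);
# they default to the real binary and a systemd reload.

# check_sshd_config FILE -> 0 if sshd accepts FILE, non-zero otherwise.
# sshd reports the offending line and keyword on stderr, e.g.
#   FILE: line 26: Bad configuration option: PermitRootLogins
check_sshd_config() {
    "${SSHD_BIN:-/usr/sbin/sshd}" -t -f "$1"
}

# apply_sshd_config CANDIDATE [LIVE]
# Installs CANDIDATE as LIVE (default /etc/ssh/sshd_config) only if it passes
# the syntax check. Keeps a timestamped backup and restores it if the reload
# fails. Returns 1 for a rejected config, 2 on copy failure, 3 on reload failure.
apply_sshd_config() {
    candidate=$1
    live=${2:-/etc/ssh/sshd_config}

    if ! check_sshd_config "$candidate"; then
        echo "refusing to install $candidate: sshd rejected it, $live unchanged" >&2
        return 1
    fi

    backup="$live.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$live" "$backup" && cp "$candidate" "$live" || return 2

    # Reload rather than restart: sshd re-reads its configuration on SIGHUP.
    # Either way, sessions already established are not dropped.
    # The systemd unit is "sshd" on RHEL/Fedora and "ssh" on Debian/Ubuntu.
    if ! ${RELOAD_CMD:-systemctl reload sshd}; then
        cp -p "$backup" "$live"
        echo "reload failed, restored $live from $backup" >&2
        return 3
    fi
    echo "installed $live (backup: $backup)"
}

# Usage:
#   apply_sshd_config /root/sshd_config.new
```

Edit a copy of the file, run apply_sshd_config on it, and keep your current session open until you have confirmed a fresh login works. To see what sshd will actually do with the new file, including defaults you did not set, run sshd -T -f on the candidate as well.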
This article examines a simple but powerful method for running commands on remote machines using a combination of ssh and a shell script:
Use Secure Shell (SSH) to run commands on remote UNIX systems and, with some simple scripts, put together a system that lets you manage many systems from one machine without logging in to each of them directly. It also covers the basics of a distributed management system and some scripts and solutions that use the technique.
I have already covered how to execute commands on multiple Linux or UNIX servers via a shell script. The disadvantage of a plain shell loop is that the commands do not run in parallel on all servers. Several tools automate this in parallel: with tentakel (highly recommended) you get distributed command execution, and multixterm from the expect project lets you drive several interactive sessions at once.
=> Distributed administration using SSH
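As an added example (mine, not the tentakel or multixterm tools, and not code from the linked article), here is a small parallel runner that covers the "ssh in scripts" item from the migration list above as well as this section: every host runs the command concurrently in the background, output and exit status are captured per host, and the summary is printed in list order once all hosts are done. SSH_CMD is an override point I assume so the runner can be exercised with a stand-in; hostnames are constructed.

```sh
#!/bin/sh
# Run one command on many hosts in parallel over ssh and report per host.
# Added example, not the tentakel or multixterm tools mentioned above.
# SSH_CMD is an assumed override point so the runner can be exercised with
# a stand-in; hostnames used with it are constructed.

# run_on_hosts CMD HOST... -> prints each host's result, returns the number
# of hosts on which the command failed (or ssh could not connect).
run_on_hosts() {
    cmd=$1; shift
    outdir=$(mktemp -d) || return 99

    for host in "$@"; do
        (
            rc=0
            # BatchMode=yes: never prompt for a password or passphrase, so a
            # host without key-based access fails fast instead of hanging the
            # whole run; ConnectTimeout bounds the wait on dead hosts.
            "${SSH_CMD:-ssh}" -o BatchMode=yes -o ConnectTimeout=10 \
                "$host" "$cmd" >"$outdir/$host.out" 2>"$outdir/$host.err" || rc=$?
            echo "$rc" >"$outdir/$host.rc"
        ) &
    done
    wait    # all hosts ran concurrently; now gather results in list order

    failed=0
    for host in "$@"; do
        rc=$(cat "$outdir/$host.rc")
        if [ "$rc" -eq 0 ]; then
            printf '== %s: ok\n' "$host"
        else
            printf '== %s: FAILED (exit %s)\n' "$host" "$rc"
            failed=$((failed + 1))
        fi
        sed "s/^/[$host] /" "$outdir/$host.out" "$outdir/$host.err"
    done
    rm -rf "$outdir"
    return "$failed"
}

# Usage (hostnames constructed for illustration):
#   run_on_hosts 'uptime' web1.example.com web2.example.com db1.example.com
```

The non-zero return value makes the runner usable from other scripts (a cron job can alert when any host fails). It launches one ssh per host with no throttling; for hundreds of hosts, feed the list through xargs -P to cap the number of concurrent connections.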
Marc Abramowitz shows how to build a VPN with the tsocks and VTun tools:
FTA “…Virtual private networks (VPN) let remote users connect back to corporate networks over encrypted links. Many VPNs are built with proprietary technology and can be tricky and expensive to set up. For a small business or an individual who needs a simple way to securely access remote networks, setting up a true VPN might be prohibitively expensive in terms of both money and time. Let’s look at two simple approaches that bring you transparency without the cost. All you need is Secure Shell (SSH) access to a server on the network you’re trying to access…”
Read more: Creating virtual private networks with tsocks and VTun