
RE: [cobalt-users] Shell access: Disabling Telnet



> Now I am fairly certain I know the answers to most of the
> following questions, but am hoping to get confirmation from
> those of you with more knowledge...
<laugh> well, I'd scarcely say I have "more knowledge".

I think you have a really good handle on almost everything but here goes
anyway.

> 1) The option to enable Telnet for a user is really the
> option to enable shell access, whether it be via telnet or ssh.

Ummm...yes and also no.
If telnet is disabled at startup by preventing the daemon from starting
*and* ssh doesn't exist, shell *access* is a moot point. If the telnet
daemon is disabled and sshd exists, and is invoked at startup, then
"enabling telnet" does in fact allow shell access under those
conditions.

> 2) Hence commenting out the telnet line in inetd.conf will
> not affect who has shell access, merely that they will have
> to use ssh to access the box.  (There is only one other
> person beside me with shell access anyway, so a bit of a
> non-issue.  We both use and have used ssh for a while.)
> Hence the Cobalt siteadmin GUI telnet setting for a user IS
> still relevant.
Circuitously....yes.

> 3) Having telnet open on port 22 is a danger in and of
> itself; not just the use of it (i.e. the availability of the
> port and not just the unencrypted communications).
> i.e.: would having telnet, but not having anyone use it pose
> a significantly higher risk than disabling it?
> I know it is an extra port for a port scanner to hit, how
> relevant is that?

Yes and yes. It's an open port, therefore a highway for the script
kiddies to drive in on.
If you and your other user you mention above use ssh, and no others use
telnet... hell, disable the thing for good. Not just comment it out in
inetd, but also kill the startup script...I don't remember which darned
rc directory it lives in, it's been so long since I used telnet I've
forgotten...anyone???
/etc/rc.d/DUH????

> 4) What if SSH goes 'wonky'?  As mentioned in:
> http://list.cobalt.com/pipermail/cobalt-users/2000-October/022643.html
> this can be a costly issue to reboot then!  Should I not
> rely on SSH and rely on a "no-use" policy for telnet?
I cannot honestly say I ever recall a time when sshd crapped out and
denied me access to a box. This includes one that *is* 6000 miles away,
and has been up...well...see below
[23:50:58 reddingsboot]$uptime
11:50pm up 446 days, 22:48,  2 users,  load average: 0.00, 0.01, 0.00

If sshd broke, I'd actually have to fly there and fix it myself! (Not
that I'd mind, but it would be mighty inconvenient and VERY
expensive.) ssh is rugged and not known for going down without reason. I
rely on it, and I believe you should too. It's "trustworthy".

BTW...I don't read that archive message the way you do. I don't think it
says anything about ssh going wonky...but maybe I read it wrongly.

Regards,
-Colin
--
Colin J. Raven
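
An added example, not part of the original message: a shell check for the inetd.conf step discussed in this thread. It lists the active entries in an inetd.conf-format file, reports whether telnet is still among them, and writes a copy with the telnet line commented out. The function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Function names and the sample file below are constructed
# for illustration; they are not from the original message.

# Print the service name of every active (uncommented) inetd.conf entry.
inetd_active_services() {
    # Skip comment lines; a real entry has at least six fields and
    # field 1 is the service name.
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Succeed (exit 0) if a telnet entry is still active in the given file.
telnet_enabled() {
    inetd_active_services "$1" | grep -qx 'telnet'
}

# Write a copy of the file with any active telnet entry commented out.
# The original is left untouched so the change can be reviewed first.
comment_out_telnet() {
    sed 's/^[[:space:]]*telnet[[:space:]]/#&/' "$1" > "$2"
}

# Constructed sample in inetd.conf format.
make_sample() {
    cat > "$1" <<'EOF'
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/inetd.conf"
    telnet_enabled "$tmp/inetd.conf" && echo "before: telnet is active"
    comment_out_telnet "$tmp/inetd.conf" "$tmp/inetd.conf.new"
    telnet_enabled "$tmp/inetd.conf.new" || echo "after: telnet is disabled"
    rm -rf "$tmp"
}
demo
```

inetd rereads its configuration when it receives SIGHUP, so an edited inetd.conf only takes effect after the daemon is signalled or restarted.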