3

I'm playing around with the idea of creating a MUD, but one of the downsides is that they use "telnet", which is insecure. I'd like to retain the ability for "anonymous" users to access a specific account, and the only thing that account does is telnet to a local port.

So in other words, what I want is to be able to tell anyone/everyone that they can run:

ssh anonymous@example.com to "connect" to my mud securely.

The "anonymous" account would execute a "telnet localhost:34843", or some similar command. Ideally, the anonymous account has absolutely no other access. No port forwarding, no files (other than those necessary for telnet to run), etc...

If it matters, I'm probably going to use some flavor of ubuntu in a cloud hosting service.

Daniel
  • 147

2 Answers

5

You can set up OpenSSH so that a particular account can only run one command (the command sent by the client is ignored). In /etc/ssh/sshd_config, add lines like:

Match User anonymous
  ForceCommand /usr/bin/telnet localhost 34843
  PasswordAuthentication yes
  PermitEmptyPasswords yes
  AllowAgentForwarding no
  AllowTcpForwarding no
  PermitTTY yes
  PermitTunnel no
  X11Forwarding no

You should arrange for anonymous's home directory to be owned by root and only modifiable by root, and ditto for ~anonymous/.ssh and the files in there.

There's at least one more thing you need to do, which is to disable shell escapes. At least some telnet implementations allow the user to escape to a shell by pressing Ctrl+]. With the Linux netkit implementation, I think telnet -e '' disables the command mode and thus makes it impossible to reach a shell from telnet. Setting the environment variable SHELL to /bin/false would be a useful precaution as well.

Celada
  • 44,132
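A small checker for the Match block described in this answer, added here as an example (it is not code from the answer or from OpenSSH): it parses an sshd_config and reports whether the block for a given user carries ForceCommand and the forwarding/tunnel/X11 restrictions. It assumes the "Key value" syntax shown above (sshd_config also accepts "Key=value", which this does not parse), and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer): lint an sshd_config for the
# single-command anonymous account above. Assumes "Key value" syntax only.
check_match_block() {   # usage: check_match_block FILE USER -> prints "ok" (exit 0) or faults (exit 1)
    awk -v user="$2" '
    BEGIN {
        req["ForceCommand"]         = "set"   # must be present, any value
        req["AllowTcpForwarding"]   = "no"
        req["AllowAgentForwarding"] = "no"
        req["PermitTunnel"]         = "no"
        req["X11Forwarding"]        = "no"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    tolower($1) == "match" {                        # any Match line ends the previous block
        names = "," $3 ","; want = "," user ","     # "Match User a,b,c" -> ",a,b,c,"
        inblock = (tolower($2) == "user" && index(names, want) > 0)
        next
    }
    inblock { for (k in req) if (tolower(k) == tolower($1)) seen[k] = tolower($2) }
    END {
        bad = 0
        for (k in req) {
            if (!(k in seen)) { print "missing: " k; bad = 1 }
            else if (req[k] != "set" && seen[k] != req[k]) { print "wrong: " k " = " seen[k]; bad = 1 }
        }
        if (!bad) print "ok"
        exit bad
    }' "$1"
}

# Constructed samples: the restrictions from the answer, and a weakened variant
# whose later "Match User admin" block must not be credited to anonymous.
GOOD=$(mktemp); BAD=$(mktemp); trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
Match User anonymous
  ForceCommand /usr/bin/telnet localhost 34843
  AllowAgentForwarding no
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no
EOF
cat >"$BAD" <<'EOF'
Match User anonymous
  ForceCommand /usr/bin/telnet localhost 34843
  AllowTcpForwarding yes
Match User admin
  AllowTcpForwarding no
EOF
check_match_block "$GOOD" anonymous
check_match_block "$BAD" anonymous || echo "weak config rejected"
```

Run it against the real file with `check_match_block /etc/ssh/sshd_config anonymous`; a missing or wrong line is printed per option, so the output can go straight into a deployment check.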
0

It is possible to make telnet secure using these solutions:

A) An ssh tunnel is absurd (why use a tunnel when you can use ssh?), but it works:

ssh -L 23:localhost:23 -N -f yourhost

Of course, close port 23 with the firewall and leave port 22 (or your personal ssh port) open, to forbid direct telnet access.

B) A TLS or SSL (I prefer TLS) stunnel is very easy to do. On the server you use:

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options                                                         *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/yourserver.crt
key = /etc/ssl/private/yourserver.key
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /
; It's often easier to use CAfile
CAfile = /yourserver.ca
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************
; Example SSL server mode services
[telnet]
accept  = 0.0.0.0:5939
connect = 23

On the client:

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
client=yes

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
;chroot = /var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
;setuid = nobody
;setgid = nogroup

; PID is created inside the chroot jail
;pid = /stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = /yourclient.crt
key  = /yourclient.key

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
CAfile = /yourca.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/etc/stunnel/crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

[telnet]
accept=localhost:23
connect=yourstunnelserver:5939

Of course, use these files only as examples and modify them for your configuration. You will access the remote server with

telnet localhost 23

using a secure TLS tunnel.

The third method is to use telnet with Kerberos. It is nice because no password is asked and it permits SSO, but it requires weak ciphers, so it is not 100% safe.

In inetd.conf, edit and add or modify:

telnet  stream  tcp     nowait  root    /usr/kerberos/sbin/telnetd

On the client, do:

telnet -x server

If it connects without asking for a password, it is working; if it asks for a password or gives an error message, telnet is in the clear.

elbarna
  • 12,695
  • This isn't quite the answer I was looking for. It was more about setting up an "anonymous" account that can be ssh'ed into, and only does exactly one thing. Telling people they have to do so much work to connect (as configuring ssh, and running a tunnel) isn't going to work for me. – Daniel May 22 '15 at 02:10
  • Oops, sorry, probably I understood badly – elbarna May 22 '15 at 02:39