I'm thinking about creating a MUD, but one of the drawbacks is that they use insecure "telnet". I'd like to keep the ability for "anonymous" users to access a specific account, where the only thing that account can do is telnet to a local port.
In other words, what I want is to be able to tell anyone/everyone that they can run:
ssh [email protected]
to "connect" securely to my MUD.
The "anonymous" account would run "telnet localhost:34843" or some similar command. Ideally the anonymous account would have absolutely no other access: no port forwarding, no files (beyond those telnet needs to run), and so on...
In case it matters, I'll probably be using some version of Ubuntu on a cloud hosting service.
Answer 1
You can set up OpenSSH so that a specific account can only run a single command (any command sent by the client is ignored). In /etc/ssh/sshd_config, add lines like the following:
Match User anonymous
ForceCommand /usr/bin/telnet localhost 34843
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY yes
PermitTunnel no
X11Forwarding no
You should arrange for anonymous's home directory to be owned by root and modifiable only by root, and the same goes for the files in ~anonymous/.ssh.
There is at least one more thing you need to do, which is to disable shell escapes. At least some telnet implementations let the user escape to a shell by pressing Ctrl+] followed by !. For the Linux netkit implementation, I think telnet -e '' disables command mode, making a shell unreachable from telnet. Setting the environment variable SHELL to /bin/false is also a useful precaution.
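As an added check (not part of the original answer), the script below audits the "Match User" block of an sshd_config for the lockdown directives listed above, so a misplaced or missing line is caught before the account goes live. The sample configs are constructed here; the path /usr/bin/telnet and user name anonymous follow the answer, and everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer: audit the "Match User <name>"
# block of an sshd_config for the directives that lock the account down.

# Print "keyword value" pairs (keyword lower-cased) found inside the
# "Match User <name>" block. Collection stops at the next Match line, so
# settings from another Match block are never credited to this user.
match_block_directives() {   # $1 = sshd_config path, $2 = user name
    awk -v user="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock && NF >= 2 && $1 !~ /^#/ { print tolower($1), $2 }
    ' "$1"
}

# Return 0 when every required directive is present with the expected value,
# 1 otherwise; each missing or wrong directive is reported on stderr.
audit_match_block() {   # $1 = sshd_config path, $2 = user name
    rc=0
    directives=$(match_block_directives "$1" "$2")
    for want in "forcecommand /usr/bin/telnet" "allowtcpforwarding no" \
                "allowagentforwarding no" "permittunnel no" \
                "x11forwarding no" "permittty yes"; do
        printf '%s\n' "$directives" | grep -qx "$want" || {
            echo "Match User $2: missing or wrong: $want" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample config: the block from the answer, followed by an
# unrelated Match block. With "leaky", AllowTcpForwarding is dropped from the
# anonymous block but still appears later, which the audit must not count.
write_sample() {   # $1 = output path, $2 = "locked" or "leaky"
    {
        echo "Port 22"
        echo "Match User anonymous"
        echo "    ForceCommand /usr/bin/telnet localhost 34843"
        echo "    AllowAgentForwarding no"
        [ "$2" = leaky ] || echo "    AllowTcpForwarding no"
        echo "    PermitTTY yes"
        echo "    PermitTunnel no"
        echo "    X11Forwarding no"
        echo "Match User admin"
        echo "    AllowTcpForwarding no"
    } > "$1"
}
```

Run it against the real file with `audit_match_block /etc/ssh/sshd_config anonymous`; `sshd -T -C user=anonymous` remains the authoritative view of what sshd actually applies.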
Answer 2
Telnet can be made secure with these solutions:
A) An ssh tunnel, which is absurd (why use a tunnel when you can just use ssh?) but can be done with
ssh -L 23:localhost:23 -N -f your host
Of course, close port 23 with the firewall, leave 22 or your personal ssh port open, and forbid direct telnet access.
B) A TLS or SSL tunnel (I prefer TLS), which is easy to do. On the server you use:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = //etc/ssl/certs/yourserver.crt
key = //etc/ssl/private/yourserver.key
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /
; It's often easier to use CAfile
CAfile = /yourserver.ca
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
[telnet]
accept = 0.0.0.0:5939
connect = 23
On the client:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
client=yes
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
;chroot = /var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
;setuid = nobody
;setgid = nogroup
; PID is created inside the chroot jail
;pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /yourclient.crt
key = /yourclient.key
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
CAfile = /yourca.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
[telnet]
accept=localhost:23
connect=yourstunnelserver:5939
Of course, use these files only as examples and adapt them to your configuration. You access the remote server with
telnet localhost 23
over the secure TLS tunnel.
The third method is to use telnet with Kerberos, which is nice because it doesn't need to ask for a password and allows SSO, but it requires weak passwords, so it is not 100% secure.
In inetd.conf, edit and add or modify:
telnet stream tcp nowait root /usr/kerberos/sbin/telnetd
On the client do:
telnet -x server
If it connects without asking for a password, it is working correctly; if you are asked for a password or get an error message, then telnet is in the clear.