From Nick Moffitt
Answered By Ben Okopnik, Heather Stern, Don Marti
I run a server machine, and I have telnet disabled in favor of OpenSSH. What I have done is add the following line to my /etc/inetd.conf:
telnet stream tcp nowait nobody.nogroup /usr/sbin/tcpd /usr/bin/figlet Unauthorized access prohibited. Go away.
The idea is to print out a "NO TRESPASSING" sign in big block letters using the figlet utility. It works great, and when I run "telnet localhost" from this machine, I see:
----8<----
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[figlet banner in large block letters, three rows: "Unauthorized" / "access prohibited." / "Go away."]
Connection closed by foreign host.
----8<----
This is all well and good, but when I try telnetting from a remote machine, it's a crap shoot. Sometimes I'll get the whole banner, and sometimes I'll get nothing. One machine reliably prints out the correct text up until it ends as follows:
----8<----
[tail of the figlet banner: the "Go away." block, cut off partway through its fourth row]
Connection closed by foreign host.
----8<----
What could be causing this, and how should I fix it?
[Ben] Arrgh. I haven't looked at the actual code of "inetd", but I'm cringing at the idea of running a text-printing app from /etc/init.d (vs. spawning a listener process, which is what it's supposed to do.) It seems to me that you're bound to run into problems with gross hackage of that sort.
[Heather] I thought I recalled this is what the fingerd was for. In this case it'd be wickedly apropos (wicked being the operative word) to twist finger to doing what you want... so you can give some poor telnet-using sap "the finger" as it were.
If you are going to hack source anyway, hack source of something that's closer to doing the right job, I'd think.
[Ben] If I was going to do something like that, I think I would leave in.telnetd running - there isn't even a process other than inetd until someone requests one - have "/etc/hosts.deny" set up to deny everyone, and set up my "BANNER" line in "/etc/default/telnetd" to print out that message.
[Heather] Does that give you the message before, or after it offers a login attempt? If before, then surely he can hack a copy of telnetd whose login prompt is completely bogus, and that will never let anyone in.
[Ben] Actually, I found something that might be even better for the purpose. These days, "telnetd" is actually "in.telnetd" - Wietse Venema's wonderful wrapper - and uses "/usr/lib/telnetd/login" to negotiate the login process. It's something that's _supposed_ to do real-time interaction with the user. Move "login" to "login.old"; replace it with
#!/bin/sh
figlet 'Go away!'
It should work fine. Should be fairly secure, too.
[Don] When I try this telnetting from ssc.com to my test machine I get nothing, and using this figlet_wrapper script instead of calling figlet directly fixes it for me.
#! /bin/sh
# print the banner, then give the kernel a moment to flush it to the client
/usr/bin/figlet "$@" && sleep 1
Aha, yeah. That seems to do the trick.
[Don] I tried rebuilding figlet with a bunch of fflush(0)s in it, and it seems like I'm getting more text but not all of it.
Yeah, I got the same thing when I tried that. I had considered doing something to tcpd that would make it handle leftover buffers more correctly, but putting in the sleep seems to work well enough for me.
Thanks!
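An added example, not code from the thread or from any of the people quoted above: a small inetd service that does what Don's wrapper does but replaces the "sleep 1" with a deliberate lingering close. It rests on an assumption of mine about the cause, which the thread never pins down: a telnet client sends a few option-negotiation bytes as soon as it connects, figlet never reads them, and a TCP socket that is closed while unread input is still queued is torn down with a reset (RST) rather than a normal FIN, so the client may throw away banner bytes it has received but not yet displayed. The program therefore writes the banner, half-closes the socket with shutdown(SHUT_WR) so the client sees "Connection closed by foreign host", then reads and discards whatever the client sent until EOF or a timeout, and only then exits. The install path in the comment is hypothetical.

```c
/* lingerclose.c: inetd banner service (added example, not from the thread).
 *
 * Assumed cause of the truncation (mine, not stated in the thread): the
 * telnet client sends option negotiation right after connecting, figlet
 * never reads it, and closing a socket with unread input sends RST instead
 * of FIN, so the client may discard banner bytes it has not yet read.
 *
 * Hypothetical /etc/inetd.conf line:
 *   telnet stream tcp nowait nobody.nogroup /usr/sbin/tcpd /usr/local/sbin/lingerclose Go away.
 */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read and discard everything on fd until EOF, an error, or timeout_ms of
 * silence. Returns the number of bytes discarded, or -1 on error. */
long drain_fd(int fd, int timeout_ms)
{
    char buf[512];
    long total = 0;
    for (;;) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0)
            return total;              /* quiet for timeout_ms: give up */
        ssize_t n = read(fd, buf, sizeof buf);
        if (n == 0)
            return total;              /* peer closed: clean EOF */
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return -1;
        }
        total += n;
    }
}

/* Half-close the write side so the peer gets FIN and prints
 * "Connection closed by foreign host". ENOTSOCK (run from a terminal or
 * pipe instead of inetd) is treated as success. Returns 0 or -1. */
int half_close(int fd)
{
    if (shutdown(fd, SHUT_WR) == 0 || errno == ENOTSOCK)
        return 0;
    return -1;
}

/* Run figlet on our arguments; it inherits fd 1, the socket under inetd.
 * No shell is involved, so the banner text is never re-parsed. */
static int run_figlet(int argc, char **argv)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char **args = calloc((size_t)argc + 1, sizeof *args);
        if (!args) _exit(127);
        args[0] = "figlet";
        for (int i = 1; i < argc; i++) args[i] = argv[i];
        execvp("figlet", args);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s banner text...\n", argv[0]);
        return 2;
    }
    run_figlet(argc, argv);
    if (half_close(STDOUT_FILENO) < 0) return 1;
    drain_fd(STDIN_FILENO, 2000);      /* wait up to 2 s for the client's FIN */
    return 0;
}
```

Because shutdown(SHUT_WR) only sends FIN after any queued banner bytes, and the client's negotiation bytes are consumed before exit, the final close has nothing unread to reset; the 2 second poll timeout is the safety net for a client that never closes its side.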