How do I unlock a specific user for telnet?
(Linux Security forums, System Security and Security Related category, September 2004)
Running RedHat 9, I am able to log in as root, but I cannot telnet using the single user account I defined in the system. As root, I reset the password (using passwd) for that userid, but this doesn't help - I still cannot telnet into the system using that single user account.

I created a new (different) user account. No problem - this one is able to telnet without any problem from the same exact host. It seems that the first userid got "locked" for some reason, and now telnet refuses authentication to that userid only.

My question is: how do I unlock it?

Thanks,
Lynn

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-09-13, Linux Lover <linuxlover992000@yahoo.com> wrote:
>
> It seems that the first userid got "locked" for some reason, and now
> telnet refuses authentication to that userid only.

First off, use ssh instead of telnet, unless you know why you need telnet instead of ssh.

Second, read man passwd, and look for the part about locking and unlocking accounts.

- --keith

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRef2hVcNCxZ5ID8RApG7AJ4560SsHb18HLQQl0PhHExCm1e6HgCgh5QV
fAfEl6GgFQ+soQZG2esQPh4=
=M5Jf
-----END PGP SIGNATURE-----

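The "locking and unlocking" section of man passwd that Keith points at comes down to the second field of the user's /etc/shadow record. The script below is an added example, not code from the thread or from RedHat: it classifies constructed shadow records (hypothetical users `lynn`, `bob`, `carol`, `dave` and made-up MD5-crypt hashes) the way `passwd -S user` and `chage -l user` would report them, and shows what `passwd -u user` (or `usermod -U user`) actually changes. Nothing here touches the real /etc/shadow.

```sh
#!/bin/sh
# Added example, not from the thread: classify why a single account in
# /etc/shadow refuses password login, using constructed records.
# On a real RedHat 9 box the equivalent commands are `passwd -S user`
# (status), `chage -l user` (expiry) and `passwd -u user` or
# `usermod -U user` (remove the lock).

# Constructed /etc/shadow records (hypothetical users and hashes):
#   name:hash:lastchg:min:max:warn:inact:expire:
# 12674 days since the epoch is mid-September 2004, the thread's date.
SHADOW_SAMPLE='lynn:!$1$abcdefgh$0123456789abcdefghijkl:12674:0:99999:7:::
bob:$1$abcdefgh$0123456789abcdefghijkl:12674:0:99999:7:::
carol:*:12674:0:99999:7:::
dave:$1$abcdefgh$0123456789abcdefghijkl:12674:0:99999:7::12600:'

# shadow_field USER N : print field N of USER's record (empty if no record)
shadow_field() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# shadow_status USER TODAY   (TODAY = days since the epoch)
# prints: missing | locked | no-password | empty-password | expired | ok
shadow_status() {
    user=$1; today=$2
    if [ -z "$(shadow_field "$user" 1)" ]; then
        echo missing; return 0
    fi
    pw=$(shadow_field "$user" 2)
    expire=$(shadow_field "$user" 8)
    case "$pw" in
        '*')  echo no-password; return 0 ;;      # never had a usable hash
        '!'*) echo locked; return 0 ;;           # passwd -l / usermod -L prefix "!"
        '')   echo empty-password; return 0 ;;   # worse than locked: no password at all
    esac
    # account expiry (chage -E) is separate from the hash and is not
    # touched by a password reset
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired; return 0
    fi
    echo ok
}

# shadow_unlock USER : print the records with USER's "!" lock prefix removed,
# which is the edit `passwd -u user` makes to the file.
shadow_unlock() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v OFS=: -v u="$1" '
        $1 == u && substr($2, 1, 1) == "!" { sub(/^!/, "", $2) }
        { print }'
}
```

Two checks worth doing on the OP's box: `passwd -S lynn` reports "LK" for a `!`-prefixed hash, and `chage -l lynn` shows the account expiry date. A lock set with `passwd -l` is only a prefix on the hash, and `passwd` writes a fresh hash over it, so a lock that survives a password reset is more likely the expiry field, the user's shell, or PAM configuration than the hash itself.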
linuxlover992000@yahoo.com (Linux Lover) wrote in news:7687bfbd.0409131017.4381aeef@posting.google.com:

> Running RedHat 9, I am able to log in as root, but I cannot telnet
> using the single user account I defined in the system. As root, I
> reset the password (using passwd) for that userid, but this doesn't
> help - I still cannot telnet into the system using that single user
> account.

Usually I'm all for telnet when someone says in a high panicky voice "NEVER use TELNET!". But as far as root goes, I must admit that you might not want to "break" that security feature.

If you have su or sudo then you can achieve basically the same thing. Go in as yourself and then become root.

Gandalf Parker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-09-13, Gandalf Parker <gandalf@most.of.my.favorite.sites> wrote:
>
> Usually I'm all for telnet when someone says in a high panicky voice "NEVER
> use TELNET!". But as far as root goes, I must admit that you might not want
> to "break" that security feature.
>
> If you have su or sudo then you can achieve basically the same thing. Go in
> as yourself and then become root.

If you're against telnet as root, you may also want to reconsider your position on telnet to su to root, since both methods will broadcast the root password in plaintext on the local network. sudo is marginally better, since you'd be limiting the damage that could be done when someone intercepts your personal password in plaintext on the local network. (Unless you have an open sudo configuration, of course.)

I don't understand what some people have against ssh in general. Sure, there are very specific instances where ssh (or sshd) is impractical, but they are few and far between. If your boxes are capable of supporting ssh, I see no reason to use telnet instead.

(Here's where Alan starts shrieking about his crappy password system, my PGP signature, paranoia about encryption, and how the kernel is bloatware. Oh joy!)

- --keith

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRgaihVcNCxZ5ID8RAuLEAJ0dTx781SzMy2S8tO8sTlsukHspiQCfbMce
EljUr8o7yItm0lYJkrhlbZY=
=rGGe
-----END PGP SIGNATURE-----

Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> writes:

>> If you have su or sudo then you can achieve basically the same thing. Go in
>> as yourself and then become root.
>
> If you're against telnet as root, you may also want to reconsider your
> position on telnet to su to root, since both methods will broadcast the
> root password in plaintext on the local network. sudo is marginally
> better, since you'd be limiting the damage that could be done when
> someone intercepts your personal password in plaintext on the local
> network. (Unless you have an open sudo configuration, of course.)

I'm not sure you're limiting that much, really. Whatever you do, someone will be able to intercept and emulate the same again, and get clues for how to extend what you're doing ("oh look, sudo ls works - I wonder if I can sudo -s?").

> I don't understand what some people have against ssh in general. Sure,
> there are very specific instances where ssh (or sshd) is impractical, but
> they are few and far between. If your boxes are capable of supporting
> ssh, I see no reason to use telnet instead.

There's a certain elegance to the number of things that can be routed over one protocol - just think, you've got shell, ftp, cp, X, misc tcp-port-forwarding... just try telnet you@otherbox "cat > foo" < somefile and watch it barf its guts up on the first ^[ character.

Of course, with fun comes responsibility. With more eggs in one basket, that basket had better be pretty secure - so look after your sshd, but at least be happy you're not broadcasting the secret commands to run your universe for all to intercept in the process.

> (Here's where Alan starts shrieking about his crappy password system, my
> PGP signature, paranoia about encryption, and how the kernel is
> bloatware. Oh joy!)

Ah, the sweet sight of silence, then. :P)

~Tim
--
21:57:26 up 27 days, 5:32, 5 users, load average: 0.02, 0.07, 0.08
piglet@stirfried.vegetable.org.uk | Running to the light
http://spodzone.org.uk/cesspit/ |

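Keith's "open sudo configuration" caveat and Tim's "sudo ls works - I wonder if I can sudo -s?" are the same audit question: once a password has been sniffed off a telnet session, how far does that user's sudoers entry let the attacker go? The script below is an added example, not code from the thread: it classifies constructed sudoers user_specs (hypothetical users `lynn`, `ops`, `backup`, `web`, `audit`) by whether the grant amounts to root. It deliberately parses only plain user_spec lines, not aliases, `%group` entries or continuation lines; on a real host check the file with `visudo -c` and list a user's effective grants with `sudo -l -U user`.

```sh
#!/bin/sh
# Added example, not from the thread: audit sudoers grants for the
# "open sudo configuration" case, where an intercepted user password
# is worth as much as root's. The sudoers text and users are constructed.

SUDOERS_SAMPLE='# constructed sample, not a real /etc/sudoers
root    ALL=(ALL) ALL
lynn    ALL=(ALL) ALL
ops     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync, /bin/tar
web     ALL=(root) /bin/bash
audit   ALL=(root) /bin/ls, /usr/bin/less'

# sudoers_risk USER
# prints one of:
#   open    - may run ALL: "sudo -s" or "sudo su -" is a root shell
#   shell   - a shell or su is granted outright, same result
#   escape  - a granted program has a well-known shell escape
#             (less/more "!cmd", vi ":!cmd", man via its pager, find -exec)
#   limited - only specific programs without an obvious escape
#   none    - no user_spec for that user (aliases and %groups not handled)
sudoers_risk() {
    printf '%s\n' "$SUDOERS_SAMPLE" | awk -v u="$1" '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and blank lines
        $1 != u { next }
        {
            # everything after "host=(runas)" is the command list
            cmds = ""
            for (i = 3; i <= NF; i++) cmds = cmds " " $i
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):/, "", cmds)
            n = split(cmds, tok, /[ ,]+/)
            risk = "limited"
            for (j = 1; j <= n; j++) {
                t = tok[j]
                if (t == "") continue
                if (t == "ALL") { risk = "open"; break }
                if (t ~ /\/(sh|bash|csh|tcsh|su)$/) { risk = "shell"; break }
                if (t ~ /\/(less|more|vi|vim|man|find)$/) risk = "escape"
            }
            print risk
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}
```

Only the `limited` class actually gives Keith's "marginally better" outcome; `open`, `shell` and `escape` all hand over root to whoever captured the user's password, which is Tim's point.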
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote in news:3edh12xrtj.ln2@goaway.wombat.san-francisco.ca.us:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2004-09-13, Gandalf Parker <gandalf@most.of.my.favorite.sites>
> wrote:
>>
>> Usually I'm all for telnet when someone says in a high panicky voice
>> "NEVER use TELNET!". But as far as root goes, I must admit that you
>> might not want to "break" that security feature.
>>
>> If you have su or sudo then you can achieve basically the same thing.
>> Go in as yourself and then become root.
>
> If you're against telnet as root, you may also want to reconsider your
> position on telnet to su to root, since both methods will broadcast
> the root password in plaintext on the local network.

That wasn't really my problem with it. I'm aware that SSH is a step up. Why stop there? There are 9 steps higher. I was just answering his question. If he wants to telnet and do root then su will allow it. It won't break the telnet security item (not because you shouldn't telnet, just that you won't need to mess with that security lock to do it). And it does allow an extra level of logging which isn't a bad idea.

> I don't understand what some people have against ssh in general.
> Sure, there are very specific instances where ssh (or sshd) is
> impractical, but they are few and far between. If your boxes are
> capable of supporting ssh, I see no reason to use telnet instead.

I'm not against SSH. I think it's a good idea to have it on the system. And a good idea to use it for root. But I no longer have a problem with telnet. It's been quite a while since telnet has been any kind of a player in any of my honeypots, or any systems I've forensic'd even if telnet was in heavy use. SSH on the other hand has been a player in just about every recent event. (Here is where someone flies off the handle and says I'm slamming ssh and that every case could have been avoided with proper upgrading and security measures.)

I'm not saying SSH is a bad idea. I just don't find it to be nearly as cut-and-dried as some seem to. Of course, just saying so might be self-defeating. The fact that ssh is a major player and telnet isn't will most likely be due to the shift in popularity which causes a shift in the attentions of those trying to slip in. If I ever convinced a large number of people to switch their thinking, well then I'd just have to change sides again. :)

DISCLAIMER: Any time anyone asks if they should use telnet or ssh, the answer should be ssh. Certain answers should be automatic simply because the person was new enough to the subject that they needed to ask the question at all.

Gandalf Parker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-09-13, Gandalf Parker <gandalf@most.of.my.favorite.sites> wrote:
>
> I'm not saying SSH is a bad idea. I just don't find it to be nearly as cut-
> and-dried as some seem to.

Okay, I think we agree, then. I strive to use ssh whenever possible, but every once in a while (maybe .1% of the time) I use telnet instead.

> DISCLAIMER: Any time anyone asks if they should use telnet or ssh, the
> answer should be ssh. Certain answers should be automatic simply because
> the person was new enough to the subject that they needed to ask the
> question at all.

That's fine, but the OP asked about telnet without seeming to be aware of ssh. Thus, warnings about "use ssh" should be automatic there, too. I think that if anyone posts questions about telnet (especially in col.security!), they should make explicit that they have discounted using ssh for reasons x, y, and z, so that the discussion can focus both on how to use telnet for such purpose, and how ssh might be usable in that situation after all.

So, to paraphrase your disclaimer:

DISCLAIMER: Any time anyone asks if they should use telnet or ssh, or asks about using telnet without mentioning ssh, the answer should be ssh. Certain answers should be automatic simply because the person was new enough to the subject that they needed to ask the question at all.

Obviously, implicit in my version of the disclaimer is that the telnet question is about using telnet for a terminal, not for telnetting to a host's port 80 to see what the web server is doing. :)

- --keith

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRiVGhVcNCxZ5ID8RAqsyAJ9UkTvck+UlDMdpiikCY9i/+WnDYACfWzjh
GOGIcOjYIW8WgRNhpR/4EYs=
=Qtcq
-----END PGP SIGNATURE-----

>Okay, I think we agree, then. I strive to use ssh whenever possible,
>but every once in a while (maybe .1% of the time) I use telnet instead.

When do you need to use telnet?

None of the systems I work on have telnet so I've never encountered a case where I would want to use it. (I suppose it might be a reasonable risk on a small local LAN, but I need ssh to get off LAN anyway so I use it locally too.)

--
The suespammers.org mail server is located in California. So are all my other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited commercial e-mail to my suespammers.org address or any of my other addresses. These are my opinions, not necessarily my employer's. I hate spam.

hmurray@suespammers.org (Hal Murray) wrote in news:tK6dnaVp_cHHqNvcRVn-pA@megapath.net:

>>Okay, I think we agree, then. I strive to use ssh whenever possible,
>>but every once in a while (maybe .1% of the time) I use telnet
>>instead.
>
> When do you need to use telnet?
>
> None of the systems I work on have telnet so I've never encountered
> a case where I would want to use it. (I suppose it might be a
> reasonable risk on a small local LAN, but I need ssh to get off LAN
> anyway so I use it locally too.)

I have telnet on all my servers and I use it almost exclusively. In fact the only time I use SSH is when I'm doing root work on someone else's system. Mostly because I'm using software and techniques that I like, and have yet to see enough reason to switch.

As far as "need" to? I can't really come up with much except maybe MUD games or as an alternate way into the system if need be. There is no security problem as far as I know for telnet which isn't being used.

But I have started switching my security scripts from ssh to telnet. Backdoor scripts to get back in. Things like a certain account watching for certain emails, or cron watching for an http request to a non-existent cgi. Using the script-kiddies' tools against them. I used to have them open ssh on some odd port, maybe swap out the password file at the same time. But the skiddies are now very ssh aware. It's gotten handier to open telnet on an odd port and give it a mud-looking response screen. Lately they know all about ssh and have no clue what to do with telnet. I've even had a couple of nice saves where the skiddies' scripts shut down or locked up sshd but left the telnet running.

But this is NOT to be taken as a recommendation. Just FYI if you were curious.

Gandalf Parker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2004-09-14, Hal Murray <hmurray@suespammers.org> wrote:
[> I wrote:]
>>Okay, I think we agree, then. I strive to use ssh whenever possible,
>>but every once in a while (maybe .1% of the time) I use telnet instead.
>
> When do you need to use telnet?

Some devices do not provide sshd daemons, so for those devices telnet is required. Some of the UPS PDUs that I've used that are remotely accessible provide telnetd, but no sshd, for example.[0]

Till recently, it was very difficult to fit an sshd on a floppy-based distro. I can imagine it might be quite difficult to try to fit an sshd into what is probably a very limited environment.

In those cases, I try to limit the damage, by being on the local network when I use telnet (which is no guarantee of safety, of course).

- --keith

[0] Apparently some older PDUs have a root exploit in their telnetd, so it needs to be turned off until you can upgrade the firmware, which is fairly nontrivial.

- --
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRj5whVcNCxZ5ID8RAkw6AJ4znuiNsH9J2t5cR90RQdzq1lt0fwCfV612
aX50i0uO2zynqDW3wr803gc=
=UX3A
-----END PGP SIGNATURE-----