I'm looking for a simple way to accept telnet connections without providing a shell interface, kind of like a MUD server. I'm actually looking to serve static content, more like:
telnet towel.blinkenlights.nl
The server will have to launch a new instance of a third-party application (in this case, VLC) for each new telnet connection, and deliver the application's output (ASCII video rendering) directly to the remote user.
Any suggestions for where I can start here?
@Scott: .profile isn't a security measure and can be easily bypassed (both with telnet (at least with bash) and ssh). – Aleksi Torhamo – 2015-01-01T17:40:29.350

ASCII video rendering probably means aalib – Alan Curry – 2012-08-20T21:27:15.697

That's correct. I'm experimenting with an aalib-based telnet video player. I'll see if it's possible to adapt your solution to use a shell script wrapper.
The other complication is that the telnet server should accept anonymous logins (and no user login). Port 22 uses an IP whitelist, but port 23 will have to be wide open.
Thanks for the response. I'll have to look into the security implications further before accepting it, but I appreciate the effort you've put in. I don't have enough rep to vote up just yet. – Mikkel – 2012-08-20T21:35:26.280

Well, most (if not all) versions of *nix let you configure users with no password. If you created a user of, say, vlc, with no password, and publicized that, would that satisfy your anonymity requirement? – Scott – 2012-08-20T21:45:54.597

You could add logic to vlc's .profile to validate the source address, but that would provide very little security. – Scott – 2012-08-20T21:52:56.007

Looks like this functionality is supported in telnetd on Ubuntu, but I'm still investigating. I have, however, managed to get the video to play for an authenticated user test by writing a simple shell script and setting it as login shell: #!/bin/bash \n cvlc -V aa /var/local/vlc/test.mp4
(Using \n in place of newline here because Superuser collapses line breaks in replies.) – Mikkel – 2012-08-20T22:07:20.470

@Scott, you seem to be misunderstanding my security concerns. I work in a high-traffic production environment where security is a major concern, so anything granting shell/database access is subject to strict whitelisting. The telnet project would have to be publicly-accessible, so under no circumstances should it be possible to get even a shell prompt via telnet. My other major concern has been ensuring that in the event that VLC crashes, the session will exit cleanly without ever providing a prompt, but that doesn't seem to be an issue with a custom shell. – Mikkel – 2012-08-20T22:17:42.137

Well, that's why I said exec /usr/bin/cvlc ... -- the exec causes the shell process to be replaced by the VLC process, so even if VLC crashes, there is no shell process left. OK, yes, you would need to add error handling to catch the case where the exec fails (i.e., VLC fails to start) and make sure that the user cannot CTRL+C out before the exec, etc... – Scott – 2012-08-21T23:04:22.543

And perhaps you misunderstood my second comment. I was suggesting that the .profile could be the thing that enforces the whitelist. – Scott – 2012-08-21T23:04:53.367
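
The login-shell approach discussed in the comments above, with the exec, the exec-failure handling and the Ctrl+C guard in one wrapper. This is an added example, not code posted by anyone in the thread; the install name telnet-player and the function names preflight and serve are assumptions, while the cvlc path and the media path are the ones quoted in the comments.

```bash
#!/bin/bash
# Hypothetical login shell for the anonymous telnet account, installed for
# example as /usr/local/bin/telnet-player (name and location are assumptions).

PLAYER=/usr/bin/cvlc              # absolute path, so PATH lookup is never used
MEDIA=/var/local/vlc/test.mp4     # media file named in the thread

# preflight PLAYER MEDIA: succeed only if the player is executable and the
# media is a readable regular file.
preflight() {
    [ -x "$1" ] && [ -f "$2" ] && [ -r "$2" ]
}

# serve PLAYER MEDIA: replace this shell with the player. Every path through
# this function ends in exec or exit, so no prompt is ever reachable.
serve() {
    # Ignore keyboard-generated signals first, closing the window in which
    # Ctrl+C, Ctrl+\ or Ctrl+Z could interrupt the wrapper before exec.
    # Ignored signals stay ignored across exec unless the player resets them.
    trap '' INT QUIT TSTP
    # Fixed environment: no startup files, no inherited search path.
    export PATH=/usr/bin:/bin
    unset ENV BASH_ENV
    if ! preflight "$1" "$2"; then
        echo "Video is unavailable." >&2
        exit 1
    fi
    exec "$1" -V aa "$2"
    # Reached only if exec itself failed and the shell survived it.
    exit 1
}

# Start the player only when invoked under the installed name, so the
# functions above can be sourced and tested without launching anything.
if [ "$(basename -- "$0")" = "telnet-player" ]; then
    serve "$PLAYER" "$MEDIA"
fi
```

Because the account's shell is this script and not bash, a crash or clean exit of the player ends the session; there is no parent shell to fall back to.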