Non-command line Telnet server

2

0

I'm looking for a simple way to accept telnet connections without providing a shell interface, kind of like a MUD server. I'm actually looking to serve static content, more like:

telnet towel.blinkenlights.nl

The server will have to launch a new instance of a third-party application (in this case, VLC) for each new telnet connection, and deliver the application's output (ASCII video rendering) directly to the remote user.

Any suggestions for where I can start here?

Mikkel

Posted 2012-08-20T19:09:55.170

Reputation: 585

Answers

1

The simple-minded solution is to make VLC the users' login shell, as in:

joe:AU03oahyYRjl6:1234:56:Joe Smith:/usr/joe:/usr/bin/cvlc

or whatever program you want to run.  A limitation to this is that you cannot specify command-line arguments.  You probably need to have normal passwd entries:

joe:AU03oahyYRjl6:1234:56:Joe Smith:/usr/joe:/bin/sh

and then give each user a .profile that says

exec /usr/bin/cvlc --(your options) playlist.xspf

or whatever arguments you want.

I'm not sure what you mean by "ASCII video rendering".  Do you want to play audio/video on the user's workstation?  Is the user running an X11 server?  If so, you should put

w=`who am i`
d=`expr "$w" : '.*(\(.*\))'`

into the .profile, and then add

--x11-display "$d":0

to your options. Warning: there are various conditions that can cause this to fail.

Scott

Posted 2012-08-20T19:09:55.170

Reputation: 17 653

@Scott: .profile isn't a security measure and can be easily bypassed (both with telnet (at least with bash) and ssh). – Aleksi Torhamo – 2015-01-01T17:40:29.350

ASCII video rendering probably means aalib

– Alan Curry – 2012-08-20T21:27:15.697

That's correct. I'm experimenting with an aalib-based telnet video player. I'll see if it's possible to adapt your solution to use a shell script wrapper.

The other complication is that the telnet server should accept anonymous logins (and no user login). Port 22 uses an IP whitelist, but port 23 will have to be wide open.

Thanks for the response. I'll have to look into the security implications further before accepting it, but I appreciate the effort you've put in. I don't have enough rep to vote up just yet. – Mikkel – 2012-08-20T21:35:26.280

Well, most (if not all) versions of *nix let you configure users with no password. If you created a user of, say, vlc, with no password, and publicized that, would that satisfy your anonymity requirement? – Scott – 2012-08-20T21:45:54.597

You could add logic to vlc's .profile to validate the source address, but that would provide very little security. – Scott – 2012-08-20T21:52:56.007

Looks like this functionality is supported in telnetd on Ubuntu, but I'm still investigating. I have, however, managed to get the video to play for an authenticated user test by writing a simple shell script and setting it as login shell: #!/bin/bash \n cvlc -V aa /var/local/vlc/test.mp4 (Using \n in place of newline here because Superuser collapses line breaks in replies.) – Mikkel – 2012-08-20T22:07:20.470

@Scott, you seem to be misunderstanding my security concerns. I work in a high-traffic production environment where security is a major concern, so anything granting shell/database access is subject to strict whitelisting. The telnet project would have to be publicly-accessible, so under no circumstances should it be possible to get even a shell prompt via telnet. My other major concern has been ensuring that in the event that VLC crashes, the session will exit cleanly without ever providing a prompt, but that doesn't seem to be an issue with a custom shell. – Mikkel – 2012-08-20T22:17:42.137

Well, that's why I said exec /usr/bin/cvlc ... -- the exec causes the shell process to be replaced by the VLC process, so even if VLC crashes, there is no shell process left. OK, yes, you would need to add error handling to catch the case where the exec fails (i.e., VLC fails to start) and make sure that the user cannot CTRL+C out before the exec, etc... – Scott – 2012-08-21T23:04:22.543

And perhaps you misunderstood my second comment.  I was suggesting that the .profile could be the thing that enforces the whitelist. – Scott – 2012-08-21T23:04:53.367

1

http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLE_ADDRESS_EXEC

socat TCP4-LISTEN:5555,fork,tcpwrap=script \
EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr

a simple server that accepts connections (TCP4-LISTEN) and fork's a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXEC'uting the program, the child process chroot's to /home/sandbox, su's to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscript's stderr is redirected to stdout, so its error messages are transferred via socat to the connected client.

You could change 5555 to 23 (Telnet's default port number)

Change /bin/myscript to your VLC script or binary.


http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES

EXEC:<command-line>

Forks a sub process that establishes communication with its parent process and invokes the specified program with execvp(). <command-line> is a simple command with arguments separated by single spaces. If the program name contains a '/', the part after the last '/' is taken as ARGV[0]. If the program name is a relative path, the execvp() semantics for finding the program via $PATH apply. After successful program start, socat writes data to stdin of the process and reads from its stdout using a UNIX domain socket generated by socketpair() per default.


I believe similar solutions are possible using netcat or inetd

RedGrittyBrick

Posted 2012-08-20T19:09:55.170

Reputation: 70 632

0

If this is a linux system, use inetd or xinetd. Create a new service pointing to the standard telnet port and specify your executable as the actual service.

LawrenceC

Posted 2012-08-20T19:09:55.170

Reputation: 63 487
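
The concerns raised in the comments on the first answer (the exec failing, CTRL+C before the exec, never reaching a prompt) apply equally to the program started by socat's EXEC or by inetd/xinetd. A sketch of such a per-connection wrapper, added here as an example and not taken from any answer: the PLAYER and MEDIA variables, the `serve` argument and the function names are assumptions, while `cvlc -V aa` and the media path come from the asker's comment.

```sh
#!/bin/sh
# Added example: per-connection wrapper for socat EXEC or inetd/xinetd.
# PLAYER, MEDIA, the "serve" argument and the function names are assumptions.

PLAYER=${PLAYER:-/usr/bin/cvlc}
MEDIA=${MEDIA:-/var/local/vlc/test.mp4}

# Check everything the exec needs first, so a missing binary or file
# ends the session with a message rather than a half-started shell.
preflight() {
    [ -x "$1" ] || { echo "player unavailable" >&2; return 1; }
    [ -r "$2" ] || { echo "media unavailable" >&2; return 2; }
    return 0
}

serve_session() {
    # Ignore keyboard-generated signals for the short window before exec.
    # Ignored dispositions are inherited across exec, so the player
    # ignores them as well.
    trap '' INT QUIT TSTP

    preflight "$PLAYER" "$MEDIA" || exit 1

    # exec replaces this shell with env, which in turn executes the player
    # with a fixed argument list and a minimal environment. No shell
    # process remains, so a player crash simply ends the connection.
    exec env -i PATH=/usr/bin:/bin TERM="${TERM:-vt100}" \
        "$PLAYER" -V aa "$MEDIA"

    # Only reached if exec itself returns; never fall through to a prompt.
    exit 1
}

# Serve only when asked to, e.g. EXEC:"/bin/myscript serve" in socat.
case "${1:-}" in
    serve) serve_session ;;
esac
```

The wrapper reads nothing from the client and builds its command line only from fixed values, so there is no input path that could change what gets executed.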