Alternate port for Telnet


Results 1 to 11 of 11

Thread: Alternate port for Telnet

  1. #1
    Join Date
    Sep 2003
    Posts
    8

    Alternate port for Telnet

    I just installed RH8 on a system here and I am really new to Linux.

    My LAN is behind a router running NAT. I would like a friend of mine to be able to telnet into the system. Because of NAT, I would use port forwarding on the router but if I do that, I won't be able to telnet into the router itself outside of the LAN (unless I telnet into the system and then piggyback another telnet session into the router using the "backdoor" LAN IP address - unwieldy) Because of this, I would like to set up an alternate port for my friend to telnet in with. I realize I should use a port over 1024.

    So far, I have found this information online:
    http://www.aplawrence.com/Bofcusm/949.html

    I did edit the services file however, my system doesn't have an /etc/inetd.conf file. Anyone know what file I edit?

    Also, what would my friend type into her system to telnet in?

    Thanks!

  2. #2
    Join Date
    Oct 2000
    Location
    Calgary, Alberta, Canada
    Posts
    8,130
    don't use telnet. you will get hacked if you do. it sends plain text usernames and passwords. set up ssh instead.

  3. #3
    Join Date
    Sep 2003
    Posts
    8

    okay.....

    I guess I need to read up more on SSH then. She was going to help me set up the system but it sounds like I better do it myself, at least the SSH.

    Any good online references on how to do that?

  4. #4
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    First of all, grab Putty for any people that are using Windows that you want to let in. Windows doesn't have an SSH client, and Putty is just about the best one out there. You can find it with a Google search for "putty download"; it should be the first hit.

    As for how to set up SSH, it might already be running on your machine. Do a netstat -ln | grep :22 -- and if a line like:

    Code:
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    gets printed, then you already have an SSH server running. All you have to do at that point is forward port 22 on your router to your machine.

    If nothing is listening, then use your distro's tools to look through the services that are installed (refer to your distro's docs for how to do this -- you might be able to use ntsysv as root on RedHat, or /sbin/chkconfig from the command line), and able to be turned on. If ssh is listed but disabled, then enable it, start it, and then do the netstat thing again.

    If ssh isn't listed at all, then check through your distro's installation CDs for the openssl and openssh packages. You'll need both of them installed (openssh depends on openssl). Once they're installed, you should be able to see the ssh service in the services program.

  5. #5
    Join Date
    Sep 2003
    Posts
    8
    Cool....yep, it's on and listening.

    So now don't I need to make a key? I did a "man ssh-keygen" but I have no idea what "type" of key I am making or how to specify it. Also, does my friend need this key as well and how does she get it? How does she comnnect from her Linux box to mine?

    I need to read more on SSH, I guess.

    She is using Linux as well but is not that much further along than I am. :-)

  6. #6
    Join Date
    Sep 2003
    Posts
    8
    Also, do I need to enable SSH on my box? I know you need to enable FTP and Telnet for them to work. I assume I need to do that through a config file.

    BTW, I downloaded Putty to my Win box and will test it from there. Looks pretty straightforward and easy to use. :-)

  7. #7
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    Originally posted by gmichels
    So now don't I need to make a key?
    You don't need to. The default installation of ssh (from source, at least) runs ssh-keygen for you, and I would think that the install of most RPMs should do it also. But I don't know for sure.

    I did a "man ssh-keygen" but I have no idea what "type" of key I am making or how to specify it.
    Hmm. Probably an RSA key (you can also make a DSA key, but RSA should be a touch more secure; DSA's just a bit older, I think). Basically, with RSA, a "key" is just a pair of numbers, one private and one public.

    Also, does my friend need this key as well and how does she get it?

    How does she comnnect from her Linux box to mine?
    Not if you use password authentication. She will need an account on your machine (but she'd need that anyway). The keys are only used to do the encryption of the passwords, and the transfer of them is handled by ssh itself.

  8. #8
    Join Date
    Sep 2003
    Posts
    8
    She does have an account on the system. No problem there. It's getting her TO there that's the issue right now.

    In my /etc/ssh directory, I see:
    moduli
    ssh_host_dsa_key
    ssh_host_dsa_key.pub
    ssh_host_key
    ssh_host_key.pub
    ssh_host_rsa_key
    ssh_host_rsa_key.pub
    ssh_config
    sshd_config

    Looks like all bases are covered to me, keywise.

    So to connect using SSH, would she type:

    ssh 10.10.10.5
    (assuming a valid public IP address)

    How exactly does she eventually (and securely) get the key?
    *still somewhat confused how it all works securely*

    Does this explain things well enough? (good read for me at least)
    http://www.csua.berkeley.edu/ssh-howto.html

    Any other recommended web pages for learning/understanding SSH better?

    Thanks for letting me pick your brain.

  9. #9
    Join Date
    Jul 2001
    Location
    Fife, Scotland
    Posts
    1,794
    I have a solution for you!!! (Again).

    If you go to this post and follow the instructions, I'll send you the firewall script I use.

    What you need to do is forward ports from your (hardware?) router onto your main machine (running a modified and relatively open script) that can then forward appropriate ports onto either SSH or the router.

    BE VERY AWARE that most hardware routers deliberately block access to the web configuration port from it's WAN link so as to prevent hacking. Using this technique will bypass that security.

    James
    -----------------------------
    UseLinux.net
    -----------------------------

    perl -e 'use Math::Complex;$|=1;for$r(0..24){for$c (0..79){$C=cplx(($c/20.0)-3.0,-($r/12.0)+1.0);$Z= cplx(0,0);for($i=0;($i<80)&&(abs($Z)<2.0);$i++){$Z =$Z*$Z+$C;}print$i>=80?"*":" ";}print"\n";}'

  10. #10
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    Originally posted by gmichels
    How exactly does she eventually (and securely) get the key?
    Umm... it's math.

    If you want, I can go into the math explanation, but basically, your public key and private key go hand-in-hand -- nobody else's private key *should* be able to decrypt anything that's been encrypted by your public key (this is used for SSH), and nobody else's public key *should* be able to decrypt anything encrypted by your private key (this is used for digital signatures).

    What happens is, your public key gets sent over the network to her ssh client. Her ssh client first checks its local database of keys -- it keeps a list of what host has what key. If the key entry for the host that she's ssh'ing to (basically, your computer) is the same as the public key that her ssh client got, then the ssh client proceeds. Otherwise, it asks "do you want to accept this public key from this person?".

    If the public key gets accepted, then her ssh client encrypts everything with that public key, and sends it back to you. Only your private key can decrypt it, so your ssh server uses that key to do that.

    (Actually, the two machines only use RSA and public/private keys to exchange another key, then they use that second key to encrypt all the traffic, since encryption and decryption with the other key is faster. But that doesn't really matter.)

  11. #11
    Join Date
    Sep 2003
    Posts
    8
    You can skip the math. I did well in TCP/IP but I am sure this is more complicated. :-)

    It's making MORE sense now....I think. I am going into metaphor mode...seeing if I understand it better.

    I am in an apartment with a 2 doors (me being my computer). One is a door to the sidewalk with a key I hand out to any people requesting to come in (public key). This lets them inside my building but they can't do anything with ME yet. They slip a business card under the door (their private key) and I decide if I want to accept them or not. If I accept them, this gives them permission to come inside and they can come visit me at any time (until I change the locks, of course).

    So the first time she tries to connect to me, I will actually be physically questioned if I want to accept her connection/key? I will need to be on hand to accept (like taking the business card from her)?

    Or was that metaphorically speaking and my computer responds on it's own and I have set that up beforehand somehow?..as in I told the doorman to expect her and to go ahead and let her into my apartment...*L*

    Or can I do both/either (not having seen her business card yet)?

    Thanks again. I think I am getting it....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •