# Enabling Telnet access



## EndTell (Sep 24, 2000)

OK, a total newbie question. How does one enable Telnet access in OS X PB? Do I need to go into the hostconfig file and add something? I'd rather not be mucking around too much, but I need to be able to Telnet into my machine at work in order to have shell access from home. I know the machine is on the network because I can connect to it via AFP in OS 9. I'm sure this is something real simple. Anyone?

TIA


----------



## Lister (Sep 24, 2000)

ok here's how ...

log in as root 
command: su
then enter your main password
then cd to /etc
pico inetd.conf
or use vi or emacs to edit it 
then uncomment the line saying telnet

the # is the commenting symbol...just remove it from the line that begins with 'telnet'
save it then reboot
however, I don't recommend this since it's insecure as all hell....I'm looking for a way to enable sshd which is a lot better
-Lister


----------



## smallerdemon (Sep 25, 2000)

If you launch Desktop, go to Applications>Utilities>Terminal. From there you can telnet wherever you want.


----------



## EndTell (Sep 25, 2000)

Thanks Lister, that worked perfectly. Muchos gracias amigo! If you get the sshd thing figured out lemme know. I love the idea of having shell access but the security thing spooks me a little.


----------



## schnell (Sep 25, 2000)

From the GUI, go to System Preferences > Sharing. From there, click on the "lock" icon in the bottom left and enter your "administrator" password so you can edit the (normally grayed-out) settings. Then click on the button to "turn remote Telnet access" on. 

FWIW, I have no idea why Apple chose to allow Telnet as a potential service (at least for this release), since SSH allows the equivalent functionality with much greater security. Telnet sends your username and password in plain text, analogous to HTTP; SSH is equivalent to running your telnet session analogous to running a web site through a HTTPS "secure" (encrypted) server. If you wouldn't send your credit card over an unencrypted link, you probably shouldn't be sending your username/password over it, either.

I suppose it's probably because the RSA patents which controlled access to the SSH algorithms in the U.S. were only released into the public domain this month. However, since they've been released, I hope that SSH will become the default in the future (or else Apple is risking serious security issues for its users).


----------



## smallerdemon (Sep 26, 2000)

> _Originally posted by smallerdemon_
> *If you launch Desktop, go to Applications>Utilities>Terminal. From there you can telnet wherever you want.*



Whoops. Sorry, thought you were asking how to access telnet.


----------



## sverre (Sep 26, 2000)

To enable sshd just add the line SSHSERVER=-YES- to /etc/hostconfig. This is where you should've enabled telnet support as well (or in System Preferences, which edits this file for you)


----------



## Dr_Stein (Sep 27, 2000)

I found a bit more to it than just adding the line to /etc/hostconfig... what about ssh-keygen? I got it to work by..
1) adding SSHSERVER=-YES- to /etc/hostconfig (notice the other cool things in there?)

2) su to root.. type /usr/sbin/sshd and pay attention to the error you get.. it says something about "error: could not load host key: /etc/ssh_host_key: No such file or directory"

Ahh!! Here's where the problem lies..

3) type ssh-keygen and it'll say "Generating RSA keys...." and will ask you where to save. I just told it /etc/ssh_host_key and saved it (it'll ask for a passphrase for the key)

4) type /usr/sbin/sshd again. This time, it'll just tell you that it's disabling protocol version 2, but ssh1 will still work. (NiftyTelnet SSH only does SSH1, IIRC... and older versions of SecureCRT too. Licensing issues with ssh2?)

5) ssh into the box, say "yeah, I accept the host key" and have fun!

If there's any more anybody else can add, feel free... this is just how I got it to work.


----------
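The two settings discussed so far in this thread (the `telnet` line in `/etc/inetd.conf` and `SSHSERVER=-YES-` in `/etc/hostconfig`, plus the host key sshd complained about) can be checked with a short audit script. This is an added example, not something any poster wrote; the function names and sample files are constructed for illustration, and it goes slightly beyond the thread by also flagging other cleartext inetd login services (`ftp`, `login`, `shell`, `exec`).

```shell
#!/bin/sh
# Added example: audit the two files this thread edits.
# Active (uncommented) cleartext login services in an inetd.conf-style file.
cleartext_services() {
    awk '/^[ \t]*#/ { next }   # a leading "#" disables the line
         $1 ~ /^(telnet|login|shell|exec|ftp)$/ { print $1 }' "$1" | sort -u
}

# Value of KEY in a hostconfig-style file (empty if unset).
hostconfig_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print findings; return 1 if a cleartext login service is enabled.
audit_remote_access() {
    inetd_conf=$1 hostconfig=$2 hostkey=$3 status=0
    for svc in $(cleartext_services "$inetd_conf"); do
        echo "FAIL: $svc is enabled in $inetd_conf (logins cross the network in cleartext)"
        status=1
    done
    if [ "$(hostconfig_value "$hostconfig" SSHSERVER)" != "-YES-" ]; then
        echo "WARN: SSHSERVER is not -YES-, so no encrypted login service is configured"
    elif [ ! -f "$hostkey" ]; then
        echo "WARN: sshd is enabled but host key $hostkey is missing"
    else
        echo "OK: sshd is enabled and $hostkey exists"
    fi
    return $status
}

# Constructed sample files standing in for /etc/inetd.conf, /etc/hostconfig
# and /etc/ssh_host_key (contents are illustrative, not from a real system).
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root /usr/libexec/tcpd ftpd -l
telnet  stream tcp nowait root /usr/libexec/tcpd telnetd
#shell  stream tcp nowait root /usr/libexec/tcpd rshd
EOF
printf 'SSHSERVER=-YES-\n' > "$demo/hostconfig"
: > "$demo/ssh_host_key"   # empty placeholder, only its presence is checked

audit_remote_access "$demo/inetd.conf" "$demo/hostconfig" "$demo/ssh_host_key" ||
    echo "audit: cleartext login service exposed"
rm -rf "$demo"
```

On a real machine the three arguments would be `/etc/inetd.conf`, `/etc/hostconfig` and `/etc/ssh_host_key`, the paths named in the posts above.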



## sverre (Sep 28, 2000)

Well, I didn't get this error, and in fact it seems sshd generates a key automatically. But I suppose it doesn't hurt. 
Anyway, to generate /etc/ssh_host_dsa_key for use with ssh2, use ssh-keygen -d


----------



## Dr_Stein (Sep 28, 2000)

Ah! I had the issue pop up on two different machines, both of which had nothing but a format + reinstall of 9.0.4 and then MacOS X PB... did you install some other stuff or something?

Cool.. we've written a mini-SSH how-to here.. yay!


----------



## Pascal (Sep 28, 2000)

I understand that telnet (as opposed to SSH) is not secure. When one runs a telnet process on OS X, does it have to open the whole computer to any passer-by or one can only assign a specific folder to view (like sharing can do under OS 9) ?

Also, what is the whole point about the security of passwords with telnet ? When I use my email app, for instance, my password is not encrypted between my computer and my ISP's email server (as far as I know), nor is the rest of the communication for that matter. So I do not see why suddenly, with telnet, encryption should be the rage...

Please do not flame me : I am only trying to understand. (Rest assured : with proper explanations, I usually do !)


----------



## Lister (Sep 28, 2000)

First of all, starting a telnet window to telnet to the outside world will not automatically open up your computer to attack...if anything it will just risk your acct on the remote system and/or the isp you are telnetting to.  It really has nothing to do with your system unless you synchronized the login and password to be the same as your acct on mac os x.  Your ISP may have other security protecting root access such as IP discrimination and only certain logins allowed to su to root which will allow them to not have to use the overhead of encryption.
Now what we are talking about is the daemon you will run to give a terminal access to your computer which will be telnetd or sshd.  This allows you to come in from somewhere else (this may be already obvious to you not to insult you).
Now the answer you've been waiting for ...why is sshd all the rage...simply put ..because people finally *woke up*.  Crackers and script kiddies have had a honeymoon period where nobody realized that email and passwords were being thrown across the line and easily sniffable.  Basically clear text telnet is like shouting your dirty laundry via a bullhorn through the electronic neighborhood.  
I will never recommend to anyone to ever put up a telnet server for one second .....ever.


----------



## Pascal (Sep 28, 2000)

I have a much better understanding of the whole situation , thanks to your explanation : Vielen Dank ! Let me tell you that I will definitely need a lot of _Aqua_ if I want to be able to swallow all that UNIX !  It definitely isn't _my_ cup of tea, but I still want to have a better understanding of what is going on...





> Now what we are talking about is the daemon you will run to give a terminal access to your computer which will be telnetd or sshd. This allows you to come in from somewhere else.


Not a single part of an explanation is superfluous, even when it may appear to you so, said a sage one day... (who, by the way, was apparently not [green](http://www.apple.com/hardware/ads/sage.html).)

Now that I am enlightened, may I venture a re-explanation and please tell me if I am right :
1- I set up telnetd : this allows me to access my Mac from somewhere else on the planet.
2- To access my Mac, I still need a password, so even with traditional telnetd on (instead of sshd), nobody that hasn't the password can access my Mac.
3- I access my Mac from somewhere else : since I installed telnetd, everything is in the clear (password _and_ content of the transaction).
4- Saddam Hussein (who has a vested interest in spying everything I do) sniffs my interactions with my Mac on the phone and sees my password since it is in the clear (I dumbly used telnetd). It is at that moment that the security is breached.
5- From then on, Saddam can access _my_ Mac using _my_ password so _my_ data is not safe anymore (or worse : my Mac is now free to be used to send Denial of service attacks).

Right ?


----------



## Lister (Sep 29, 2000)

sorry for the double posts I think I pushed the back button when I shouldn't have....
Yeah you got it Saddam would at least have an acct on your system...which is too much ground gained even if they can't get any further...because there are always more vulnerabilities from then on...
-Lister


----------

