[plug] Linux replacing terminal server

Craig Ringer craig at postnewspapers.com.au
Thu Apr 3 11:25:52 WST 2003 

> The main issue I have are with the "support" files required by telnet.
> i.e. the shared libraries, possibly even obtuse stuff like termcap.
> (telnet uses libncurses.so).  Trial and error.

... and heavy use of "ldd <lib-or-app-file>" + strace.

[craig at bucket bin]$ ldd telnet
         libutil.so.1 => /lib/libutil.so.1 (0x40028000)
         libncurses.so.5 => /usr/lib/libncurses.so.5 (0x4002c000)
         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[craig at bucket bin]$ ldd /usr/lib/libncurses.so.5
         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
[craig at bucket bin]$ ldd /lib/libutil.so.1
         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

In terms of libraries, telnet needs very little. I suspect that copying 
those libraries, the terminfo db (/etc/terminfo or /usr/share/terminfo) 
and the termcap file should put you most of the way there.

You can always
	"strace telnet 2>/tmp/telnet_trace"
to track what its doing and what files it opens.

[craig at bucket craig]$ grep 'open' /tmp/teltrace | grep -v ENOENT
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libutil.so.1", O_RDONLY)     = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/lib/i686/libc.so.6", O_RDONLY)   = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY)        = 3
open("/etc/hosts", O_RDONLY)            = 3
open("/etc/services", O_RDONLY)         = 3
open("/etc/hosts", O_RDONLY)            = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/etc/hosts", O_RDONLY)            = 3
open("/etc/hosts", O_RDONLY)            = 3
open("/usr/share/terminfo/x/xterm", O_RDONLY) = 4

That was run on RH8, but my results on my debian woody box were similar. 
  Shouldn't be too hard. At the risk of slightly weakening chroot 
security, you can use hardlinks for things like /etc/hosts and 
/etc/services to save later maintainance hassles, too. Alternately, 
there's always libnss and something like LDAP or (ick) NIS.

> And you're really only protecting a terminal server. I mean, if you
> really wanted to hack into it, you'd follow the short serial cable
> and undo the screws. No chroot gaol will prevent that.

True, but its much easier to have a little app capturing terminal 
session traffic and dumping paswords than it is to have a serial "man in 
the middle" to do the same thing.

> As I said before; the pickings are far more generous at the main
> server.

But the terminal server /is/ a potential avenue to the main server via 
hijacking of telnet sessions, password theft, etc. Of course the big 
server is a jucier target, but its presumably hardened proportionally.

Craig

More information about the plug mailing list