• Terminals in X Window System.

    From peter@peter@easthope.ca to comp.security.misc on Wed Mar 12 06:41:07 2025
    From Newsgroup: comp.security.misc

    Hi,

    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    Thx, ... P.



    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From Marco Moock@mm@dorfdsl.de to comp.security.misc on Wed Mar 12 17:08:38 2025
    From Newsgroup: comp.security.misc

    On 12.03.2025 06:41 Uhr peter@easthope.ca wrote:

    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    What should it do?

    telnet offers you to login if a telnet server is running. As long as this connection is only inside your system, this is secure. If it is going
    outside, you need to have an underlying protocol (IPsec or a VPN
    tunnel) to avoid eavesdropping, as normal telnet is not encrypted.
    --
    kind regards
    Marco

    Send spam to 1741758067muell@stinkedores.dorfdsl.de

  • From Richard Kettlewell@invalid@invalid.invalid to comp.security.misc on Wed Mar 12 19:31:00 2025
    From Newsgroup: comp.security.misc

    Marco Moock <mm@dorfdsl.de> writes:
    On 12.03.2025 06:41 Uhr peter@easthope.ca wrote:
    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    What should it do?

    That’s the expected behavior. It tries to run ‘localhost’ as a shell and of course, it doesn’t exist.
    --
    https://www.greenend.org.uk/rjk/
  • From peter@peter@easthope.ca to comp.security.misc on Thu Mar 13 08:28:55 2025
    From Newsgroup: comp.security.misc

    Marco, Richard & all,

    In article <20250312170838.7d5b1e1c@ryz.dorfdsl.de>, Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither "telnet localhost" nor "xterm" asks for a password.

    As long as this connection is only inside your system, this is
    secure. If it is going outside, you need to have an underlying
    protocol (IPsec or a VPN tunnel) to avoid eavesdropping, as normal
    telnet is not encrypted.

    Shorewall is configured to prevent a telnet connection from outside
    localhost.

    So my configuration is unusual but not particularly hazardous?

    Thanks, ... P.

  • From Marco Moock@mm@dorfdsl.de to comp.security.misc on Thu Mar 13 20:10:54 2025
    From Newsgroup: comp.security.misc

    On 13.03.2025 08:28 Uhr peter@easthope.ca wrote:

    Marco, Richard & all,

    In article <20250312170838.7d5b1e1c@ryz.dorfdsl.de>, Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E
    /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither
    "telnet localhost" nor "xterm" asks for a password.

    If telnet doesn't ask for a password, this is a security problem if
    other people (locally or remote) can access the telnet server.

    As long as this connection is only inside your system, this is
    secure. If it is going outside, you need to have an underlying
    protocol (IPsec or a VPN tunnel) to avoid eavesdropping, as normal
    telnet is not encrypted.

    Shorewall is configured to prevent a telnet connection from outside localhost.

    So my configuration is unusual but not particularly hazardous?

    As long as it stays so, it is. But when other people can access it,
    they can take over control of your system.

    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?
    --
    kind regards
    Marco

    Send spam to 1741850935muell@stinkedores.dorfdsl.de

  • From Richard Kettlewell@invalid@invalid.invalid to comp.security.misc on Thu Mar 13 21:11:40 2025
    From Newsgroup: comp.security.misc

    peter@easthope.ca writes:
    Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    They do different things, so it’s not clear why you’d compare them.

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither "telnet localhost" nor "xterm" asks for a password.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    --
    https://www.greenend.org.uk/rjk/
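
A defender's check for the configuration discussed in the posts above, as an added example that is not part of any post in the thread: it scans inetd.conf-style lines for a telnetd entry like the one quoted. It assumes, in line with the behaviour reported in the thread, that `-E <program>` makes telnetd run that program in place of a login prompt; `audit_inetd_line` and every sample line except the first are constructed for illustration.

```c
/* Added example: audit inetd.conf lines for the pattern in the thread. */
#include <stdio.h>
#include <string.h>

static const char *base(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 0 = nothing to report; 1 = telnetd started with -E <program> other than
 * login (assumed to skip the password prompt); 2 = same, and runs as root. */
int audit_inetd_line(const char *line)
{
    char buf[512], *tok[32];
    int n = 0, seen_telnetd = 0;

    snprintf(buf, sizeof buf, "%s", line);
    for (char *t = strtok(buf, " \t\r\n"); t && n < 32; t = strtok(NULL, " \t\r\n"))
        tok[n++] = t;
    if (n < 6 || tok[0][0] == '#')
        return 0;                   /* blank, comment or incomplete entry */

    /* Fields: service type proto wait user server argv... */
    int as_root = strcmp(tok[4], "root") == 0 ||
                  strncmp(tok[4], "root.", 5) == 0 ||
                  strncmp(tok[4], "root:", 5) == 0;
    for (int i = 5; i < n; i++) {
        if (!seen_telnetd) {        /* skip a tcpd wrapper in front */
            const char *b = base(tok[i]);
            seen_telnetd = !strcmp(b, "telnetd") || !strcmp(b, "in.telnetd");
            continue;
        }
        if (strncmp(tok[i], "-E", 2) != 0)
            continue;
        const char *prog = tok[i][2] ? tok[i] + 2 : (i + 1 < n ? tok[i + 1] : "");
        if (*prog && strcmp(base(prog), "login") != 0)
            return as_root ? 2 : 1;
    }
    return 0;
}

int main(void)
{
    /* First line is the entry quoted in the thread; the rest are constructed. */
    const char *sample[] = {
        "telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash",
        "telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd",
        "#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash",
    };
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%d  %s\n", audit_inetd_line(sample[i]), sample[i]);
    return 0;
}
```

A result of 2 marks the case the thread is concerned with: any local UID that can reach the listener gets that program running as root.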
  • From Grant Taylor@gtaylor@tnetconsulting.net to comp.security.misc on Thu Mar 13 21:38:01 2025
    From Newsgroup: comp.security.misc

    On 3/12/25 8:41 AM, peter@easthope.ca wrote:
    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It's difficult to say, there isn't enough information to actually answer
    the question. See below for more context.



    On 3/13/25 2:10 PM, Marco Moock wrote:
    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    On one hand I agree that telnet and XTerm are different things. But on
    the other hand, I disagree.

    Both commands are used to open a shell on a system.

    Telnet is usually a remote system but can be the local system.

    Xterm is usually the local system, but can very easily be used across
    the network.

    So in some ways, both telnet and XTerm open a shell on the local and /
    or remote system.

    Also, both are traditionally unencrypted protocols. There are some TLS encrypted telnet servers and clients. Admittedly they are usually
    relegated to the mainframe space.

    I think one of the biggest hangups for me is where and how are `telnet localhost` and `xterm` being run? Is `telnet localhost` being run from
    a shell? If so, what is displaying that shell? A terminal emulator;
    e.g. XTerm? Or possibly a (virtual) console (no X11)? Or maybe even a physical console on a serial port?

    I suppose there are also GUI telnet clients that are also their own
    terminal emulator.

    If telnet doesn't ask for a password, this is a security problem if
    other people (locally or remote) can access the telnet server.

    Maybe. Maybe not. Kerberized telnet clients have existed for quite a
    while. Just because something doesn't ask for a password doesn't mean
    that it's not authenticated.

    As long as it stays so, it is. But when other people can access it,
    they can take over control of your system.

    I think it's important to understand what is providing the security (authentication <-> privacy) and how various things influence / impact that.

    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    I think that it's a fair question. I think it's orthogonal to the OP's original question. But you did ask it after providing good responses to
    the OP's question.
    --
    Grant. . . .
  • From peter@peter@easthope.ca to comp.security.misc on Fri Mar 14 13:09:36 2025
    From Newsgroup: comp.security.misc

    In article <20250313201054.0371059b@ryz.dorfdsl.de>,
    Marco Moock <mm@dorfdsl.de> wrote:
    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    Absolutely reasonable to ask. The client side of the communication
    does not have xterm or su.
    https://en.wikibooks.org/wiki/Oberon/A2

    A2 has a secure shell but I tend to use the Oberon subsystem.
    Oberon has an old ssh client. Needs major work for compatibility
    with the current environment.

    From: Richard Kettlewell <invalid@invalid.invalid>
    Date: Thu, 13 Mar 2025 21:11:40 +0000
    A telnetd without a password will allow lateral movement from other
    UIDs.

    I am the only user of the system and it has shorewall and I give a
    password to log in. As I understand, laterality isn't possible.

    As a system becomes more complex, there is more scope for vulnerability.
    Eg. https://en.wikipedia.org/wiki/XZ_Utils_backdoor

    The reply of Prof. Wirth to the question at 49:40 is pertinent.
    "No side doors and no backdoors."
    https://www.youtube.com/watch?v=EXY78gPMvl0

    Regards, ... P.



  • From Richard Kettlewell@invalid@invalid.invalid to comp.security.misc on Fri Mar 14 21:04:06 2025
    From Newsgroup: comp.security.misc

    peter@easthope.ca writes:
    Marco Moock <mm@dorfdsl.de> wrote:
    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    Absolutely reasonable to ask. The client side of the communication
    does not have xterm or su.
    https://en.wikibooks.org/wiki/Oberon/A2

    A2 has a secure shell but I tend to use the Oberon subsystem.
    Oberon has an old ssh client. Needs major work for compatibility
    with the current environment.

    It looks like you’re asking some kind of Oberon-based environment to run telnet localhost, in a window or something like that? Seems like a
    complicated way to get a shell, can’t the Oberon environment run it
    directly?
    --
    https://www.greenend.org.uk/rjk/
  • From peter@peter@easthope.ca to comp.security.misc on Sun Mar 16 08:21:40 2025
    From Newsgroup: comp.security.misc

    In article <wwvbju31fzt.fsf@LkoBDZeT.terraraq.uk>,
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    ... can’t the Oberon environment run it directly?

    Two entities communicate directly. One is the telnet daemon on the
    linux host. The other is the telnet client in the Oberon subsystem.

    Demonstrating in your system is a small exercise. Install LinuxA2 and
    try it. https://en.wikibooks.org/wiki/Oberon/A2

    If you see a way to make the link more direct, please let me know or
    edit the wiki.

    Thanks, ... P.

  • From Richard Kettlewell@invalid@invalid.invalid to comp.security.misc on Sun Mar 16 16:13:59 2025
    From Newsgroup: comp.security.misc

    peter@easthope.ca writes:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    ... can’t the Oberon environment run it directly?

    Two entities communicate directly. One is the telnet daemon on the
    linux host. The other is the telnet client in the Oberon subsystem.

    My point is that the use of telnet is completely redundant here
    (assuming I’ve guessed the goal correctly). Contrast with any terminal emulator (for example, xterm), which runs the shell (or other command) directly.

    Demonstrating in your system is a small exercise. Install LinuxA2 and
    try it. https://en.wikibooks.org/wiki/Oberon/A2

    I’m not really interested in doing that.

    If you see a way to make the link more direct, please let me know or
    edit the wiki.

    The functions in https://man7.org/linux/man-pages/man3/openpty.3.html
    should be sufficient, if your Oberon environment can call them.
    --
    https://www.greenend.org.uk/rjk/
  • From William Unruh@unruh@invalid.ca to comp.security.misc on Wed Mar 19 15:52:24 2025
    From Newsgroup: comp.security.misc

    On 2025-03-13, Marco Moock <mm@dorfdsl.de> wrote:
    On 13.03.2025 08:28 Uhr peter@easthope.ca wrote:


    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    And connects with everything sent in the clear. Use ssh instead.
  • From peter@peter@easthope.ca to comp.security.misc on Sun Mar 23 11:23:31 2025
    From Newsgroup: comp.security.misc

    Richard & all,

    In article <wwvr030d4ab.fsf@LkoBDZeT.terraraq.uk>,
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system and I am the only
    person with accounts. The root account and a user account. Please
    outline how lateralization can happen.

    Thanks, ... P.

  • From Richard Kettlewell@invalid@invalid.invalid to comp.security.misc on Sun Mar 23 19:34:14 2025
    From Newsgroup: comp.security.misc

    peter@easthope.ca writes:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    You’re comparing xterm with the Oberon environment creating a window and connecting it to the input and output of ‘telnet localhost’; not quite what you originally asked about.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system

    In the configuration described at https://en.wikibooks.org/wiki/Oberon/ETH_Oberon, no password is required
    to log in via telnet. A completely insecure configuration and
    irresponsible of whoever wrote that page to recommend it, IMO.

    What Oberon _should_ be doing here is creating a pseudoterminal and
    running the shell inside it (which is what xterm does internally).

    and I am the only person with accounts. The root account and a user
    account. Please outline how lateralization can happen.

    In this case by lateral movement I mean an attacker who has compromised
    one UID escalating privilege to another UID. In this case, it’s as
    simple as “telnet localhost”.
    --
    https://www.greenend.org.uk/rjk/
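
The pseudoterminal approach suggested in the post above, as an added example that is not part of the original post and not Oberon or xterm code: it uses `forkpty()` from the openpty(3) man page linked earlier in the thread to run a shell on a pty, so the shell keeps the caller's UID and no TCP listener is involved. The helper name `run_in_pty` and the commands it is given are constructed for illustration.

```c
/* Added example: run a shell on a pseudoterminal, with no network listener. */
#include <errno.h>
#include <pty.h>      /* forkpty(), documented in openpty(3) */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd under /bin/sh on a fresh pty and copy its terminal output into
 * out (NUL-terminated, truncated to outlen - 1 bytes).
 * Returns the command's exit status, or -1 on failure. */
int run_in_pty(const char *cmd, char *out, size_t outlen)
{
    int master, status;
    size_t used = 0;
    pid_t pid;
    if (outlen == 0)
        return -1;
    pid = forkpty(&master, NULL, NULL, NULL);
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: forkpty made the pty slave our controlling terminal and
         * stdin/stdout/stderr. UID and GID are inherited, not changed. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    /* Parent is the terminal emulator: it holds the only master fd. */
    for (;;) {
        char buf[256];
        ssize_t n = read(master, buf, sizeof buf);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)     /* Linux returns EIO once the slave side is closed */
            break;
        size_t room = outlen - 1 - used;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;
    }
    out[used] = '\0';
    close(master);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char out[256];
    int rc = run_in_pty("tty; id -u", out, sizeof out);
    printf("exit status %d\n%s", rc, out);
    return rc == 0 ? 0 : 1;
}
```

On glibc older than 2.34, link with `-lutil`.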
  • From peter@peter@easthope.ca to comp.security.misc on Sun Mar 23 22:02:58 2025
    From Newsgroup: comp.security.misc

    In article <wwvwmcf8rt5.fsf@LkoBDZeT.terraraq.uk>, Richard Kettlewell <invalid@invalid.invalid> wrote:
    In this case by lateral movement I mean an attacker who has
    compromised one UID escalating privilege to another UID. In this
    case, it’s as simple as “telnet localhost”.

    OK, thanks, ... P.

  • From William Unruh@unruh@invalid.ca to comp.security.misc on Wed Mar 26 06:02:10 2025
    From Newsgroup: comp.security.misc

    On 2025-03-23, peter@easthope.ca <peter@easthope.ca> wrote:
    Richard & all,

    In article <wwvr030d4ab.fsf@LkoBDZeT.terraraq.uk>,
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system and I am the only
    person with accounts. The root account and a user account. Please
    outline how lateralization can happen.

    cat /etc/passwd
    Every line is yet another uid.
    You probably have about 100 of them.

    Thanks, ... P.
