• Re: Terminals in X Window System.

    From peter@easthope.ca@21:1/5 to Richard Kettlewell on Sun Mar 23 11:23:31 2025
    Richard & all,

    In article <wwvr030d4ab.fsf@LkoBDZeT.terraraq.uk>,
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system and I am the only
    person with accounts. The root account and a user account. Please
    outline how lateralization can happen.

    Thanks, ... P.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Richard Kettlewell@21:1/5 to peter@easthope.ca on Sun Mar 23 19:34:14 2025
    peter@easthope.ca writes:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    You’re comparing xterm with the Oberon environment creating a window and connecting it to the input and output of ‘telnet localhost’; not quite what you originally asked about.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system

    In the configuration described at https://en.wikibooks.org/wiki/Oberon/ETH_Oberon, no password is required
    to log in via telnet. A completely insecure configuration and
    irresponsible of whoever wrote that page to recommend it, IMO.

    What Oberon _should_ be doing here is creating a pseudoterminal and
    running the shell inside it (which is what xterm does internally).

    and I am the only person with accounts. The root account and a user
    account. Please outline how lateralization can happen.

    In this case by lateral movement I mean an attacker who has compromised
    one UID escalating privilege to another UID. In this case, it’s as
    simple as “telnet localhost”.

    --
    https://www.greenend.org.uk/rjk/
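
The pseudoterminal approach suggested in the post above, sketched in Python as an added example; it is not code from the thread, from xterm or from Oberon, and `run_in_pty` is a hypothetical helper name. The child keeps the caller's UID and nothing listens on a socket, so there is no passwordless service for another UID to connect to.

```python
import os
import pty

def run_in_pty(argv):
    """Run argv on a fresh pseudoterminal; return (exit_code, output_bytes)."""
    pid, master = pty.fork()   # child: new session, pty slave on stdin/stdout/stderr
    if pid == 0:
        try:
            os.execvp(argv[0], argv)   # no setuid, no socket: UID is unchanged
        finally:
            os._exit(127)              # reached only if exec failed
    chunks = []
    while True:
        try:
            data = os.read(master, 1024)
        except OSError:                # Linux returns EIO once the slave side closes
            break
        if not data:
            break
        chunks.append(data)
    os.close(master)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status), b"".join(chunks)

if __name__ == "__main__":
    # Constructed command: report the UID and whether stdin is a terminal.
    code, out = run_in_pty(["/bin/sh", "-c", "id -u; test -t 0 && echo tty"])
    print(code, out.split())
```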

  • From peter@easthope.ca@21:1/5 to Richard Kettlewell on Sun Mar 23 22:02:58 2025
    In article <wwvwmcf8rt5.fsf@LkoBDZeT.terraraq.uk>, Richard Kettlewell <invalid@invalid.invalid> wrote:
    In this case by lateral movement I mean an attacker who has
    compromised one UID escalating privilege to another UID. In this
    case, it’s as simple as “telnet localhost”.

    OK, thanks, ... P.

  • From William Unruh@21:1/5 to peter@easthope.ca on Wed Mar 26 06:02:10 2025
    On 2025-03-23, peter@easthope.ca <peter@easthope.ca> wrote:
    Richard & all,

    In article <wwvr030d4ab.fsf@LkoBDZeT.terraraq.uk>,
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    They do different things, so it’s not clear why you’d compare them.

    Screenshots are at https://easthope.ca/XtermVersusTelnet.png .
    I recognize that the window frames and fonts differ. Window contents
    are similar and functionalities for a user are similar.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    A password is required to log in to the system and I am the only
    person with accounts. The root account and a user account. Please
    outline how lateralization can happen.

    cat /etc/passwd
    Every line is yet another uid.
    You probably have about 100 of them.

    Thanks, ... P.


  • From peter@easthope.ca@21:1/5 to All on Wed Mar 12 06:41:07 2025
    Hi,

    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    Thx, ... P.

  • From Marco Moock@21:1/5 to peter@easthope.ca on Wed Mar 12 17:08:38 2025
    On 12.03.2025 06:41 Uhr peter@easthope.ca wrote:

    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    What should it do?

    telnet offers you to login if a telnet server is running. As long as
    this connection is only inside your system, this is secure. If it is going
    outside, you need to have an underlying protocol (IPsec or a VPN
    tunnel) to avoid eavesdropping, as normal telnet is not encrypted.

    --
    kind regards
    Marco

    Send spam to 1741758067muell@stinkedores.dorfdsl.de

  • From Richard Kettlewell@21:1/5 to Marco Moock on Wed Mar 12 19:31:00 2025
    Marco Moock <mm@dorfdsl.de> writes:
    On 12.03.2025 06:41 Uhr peter@easthope.ca wrote:
    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    What should it do?

    That’s the expected behavior. It tries to run ‘localhost’ as a shell and of course, it doesn’t exist.

    --
    https://www.greenend.org.uk/rjk/

  • From William Unruh@21:1/5 to Marco Moock on Wed Mar 19 15:52:24 2025
    On 2025-03-13, Marco Moock <mm@dorfdsl.de> wrote:
    On 13.03.2025 08:28 Uhr peter@easthope.ca wrote:


    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    And connects with everything sent in the clear. Use ssh instead.

  • From peter@easthope.ca@21:1/5 to Marco Moock on Thu Mar 13 08:28:55 2025
    Marco, Richard & all,

    In article <20250312170838.7d5b1e1c@ryz.dorfdsl.de>, Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither "telnet localhost" nor "xterm" asks for a password.

    As long as this connection is only inside your system, this is
    secure. If it is going outside, you need to have an underlying
    protocol (IPsec or a VPN tunnel) to avoid eavesdropping, as normal
    telnet is not encrypted.

    Shorewall is configured to prevent a telnet connection from outside
    localhost.

    So my configuration is unusual but not particularly hazardous?

    Thanks, ... P.

  • From Marco Moock@21:1/5 to peter@easthope.ca on Thu Mar 13 20:10:54 2025
    On 13.03.2025 08:28 Uhr peter@easthope.ca wrote:

    Marco, Richard & all,

    In article <20250312170838.7d5b1e1c@ryz.dorfdsl.de>, Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither
    "telnet localhost" nor "xterm" asks for a password.

    If telnet doesn't ask for a password, this is a security problem if
    other people (locally or remote) can access the telnet server.

    As long as this connection is only inside your system, this is
    secure. If it is going outside, you need to have an underlying
    protocol (IPsec or a VPN tunnel) to avoid eavesdropping, as normal
    telnet is not encrypted.

    Shorewall is configured to prevent a telnet connection from outside localhost.

    So my configuration is unusual but not particularly hazardous?

    As long as it stays so, it is. But when other people can access it,
    they can take over control of your system.

    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    --
    kind regards
    Marco

    Send spam to 1741850935muell@stinkedores.dorfdsl.de

  • From Richard Kettlewell@21:1/5 to peter@easthope.ca on Thu Mar 13 21:11:40 2025
    peter@easthope.ca writes:
    Marco Moock <mm@dorfdsl.de> wrote:
    It gives me
    m@ryz:~$ xterm localhost
    xterm: No absolute path found for shell: localhost

    Is that what you ran?

    Correction: I should have asked, is "telnet localhost" less secure
    than "xterm"?

    They do different things, so it’s not clear why you’d compare them.

    telnet offers you to login if a telnet server is running.

    In Debian,
    # grep ^telnet /etc/inetd.conf
    telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash

    Nobody other than me has an account on the system. I authenticate
    after the system boots or when returning after logout. Neither "telnet localhost" nor "xterm" asks for a password.

    A telnetd without a password will allow lateral movement from other
    UIDs.

    --
    https://www.greenend.org.uk/rjk/
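
A check for the configuration discussed in this exchange, added here as an example (not code from any poster): it parses inetd.conf-style lines and reports telnetd entries whose `-E` program is not a login program, together with the user inetd runs them as. `LOGIN_PROGRAMS`, `WRAPPERS` and the function names are assumptions of this sketch, and the sample input is constructed from the line quoted in the thread.

```python
import os
import re

# Programs that authenticate the caller before starting a session (assumed list).
LOGIN_PROGRAMS = {"/bin/login", "/usr/bin/login"}
# tcpd filters by client address; it does not authenticate anyone.
WRAPPERS = {"/usr/sbin/tcpd"}

# Constructed sample: the entry quoted in the thread, then one without -E.
SAMPLE = """\
# service sock_type proto wait user server_path args
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd
"""

def exec_login(args):
    """Return the program passed to telnetd with -E, or None if absent."""
    for i, arg in enumerate(args):
        if arg == "-E" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-E") and len(arg) > 2:  # attached form: -E/bin/bash
            return arg[2:]
    return None

def audit(text):
    """Return (line_number, run_as_user, program) for each unauthenticated entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        user = re.split(r"[.:]", fields[4])[0]   # strip an optional group suffix
        server, argv = fields[5], fields[6:]
        # Behind tcpd the real daemon path is the first argument.
        daemon = argv[0] if server in WRAPPERS else server
        if not os.path.basename(daemon).endswith("telnetd"):
            continue
        program = exec_login(argv[1:])
        if program is not None and program not in LOGIN_PROGRAMS:
            findings.append((lineno, user, program))
    return findings

if __name__ == "__main__":
    for lineno, user, program in audit(SAMPLE):
        print(f"line {lineno}: telnetd starts {program} as {user} with no login step")
```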

  • From Grant Taylor@21:1/5 to peter@easthope.ca on Thu Mar 13 21:38:01 2025
    On 3/12/25 8:41 AM, peter@easthope.ca wrote:
    In a Linux X Window System, is "telnet localhost" less secure than
    "xterm localhost"? If so, why?

    It's difficult to say, there isn't enough information to actually answer
    the question. See below for more context.



    On 3/13/25 2:10 PM, Marco Moock wrote:
    Completely different stuff. xterm just opens a terminal emulator on
    your system. telnet connects to a telnet server, usually a remote
    system.

    On one hand I agree that telnet and XTerm are different things. But on
    the other hand, I disagree.

    Both commands are used to open a shell on a system.

    Telnet is usually a remote system but can be the local system.

    Xterm is usually the local system, but can very easily be used across
    the network.

    So in some ways, both telnet and XTerm open a shell on the local and /
    or remote system.

    Also, both are traditionally unencrypted protocols. There are some TLS
    encrypted telnet servers and clients. Admittedly they are usually
    relegated to the mainframe space.

    I think one of the biggest hangups for me is where and how are `telnet localhost` and `xterm` being run? Is `telnet localhost` being run from
    a shell? If so, what is displaying that shell? A terminal emulator;
    e.g. XTerm? Or possibly a (virtual) console (no X11)? Or maybe even a physical console on a serial port?

    I suppose there are also GUI telnet clients that are also their own
    terminal emulator.

    If telnet doesn't ask for a password, this is a security problem if
    other people (locally or remote) can access the telnet server.

    Maybe. Maybe not. Kerberized telnet clients have existed for quite a
    while. Just because something doesn't ask for a password doesn't mean
    that it's not authenticated.

    As long as it stays so, it is. But when other people can access it,
    they can take over control of your system.

    I think it's important to understand what is providing the security (authentication <-> privacy) and how various things influence / impact that.

    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    I think that it's a fair question. I think it's orthogonal to the OP's original question. But you did ask it after providing good responses to
    the OP's question.



    --
    Grant. . . .

  • From peter@easthope.ca@21:1/5 to Marco Moock on Fri Mar 14 13:09:36 2025
    In article <20250313201054.0371059b@ryz.dorfdsl.de>,
    Marco Moock <mm@dorfdsl.de> wrote:
    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    Absolutely reasonable to ask. The client side of the communication
    does not have xterm or su.
    https://en.wikibooks.org/wiki/Oberon/A2

    A2 has a secure shell but I tend to use the Oberon subsystem.
    Oberon has an old ssh client. Needs major work for compatibility
    with the current environment.

    From: Richard Kettlewell <invalid@invalid.invalid>
    Date: Thu, 13 Mar 2025 21:11:40 +0000
    A telnetd without a password will allow lateral movement from other
    UIDs.

    I am the only user of the system and it has shorewall and I give a
    password to log in. As I understand, laterality isn't possible.

    As a system becomes more complex, there is more scope for vulnerability.
    Eg. https://en.wikipedia.org/wiki/XZ_Utils_backdoor

    The reply of Prof. Wirth to the question at 49:40 is pertinent.
    "No side doors and no backdoors."
    https://www.youtube.com/watch?v=EXY78gPMvl0

    Regards, ... P.

  • From Richard Kettlewell@21:1/5 to peter@easthope.ca on Fri Mar 14 21:04:06 2025
    peter@easthope.ca writes:
    Marco Moock <mm@dorfdsl.de> wrote:
    Now a really stupid question: Why do you need a local telnet server?
    Isn't xterm, and if needed, su, enough?

    Absolutely reasonable to ask. The client side of the communication
    does not have xterm or su.
    https://en.wikibooks.org/wiki/Oberon/A2

    A2 has a secure shell but I tend to use the Oberon subsystem.
    Oberon has an old ssh client. Needs major work for compatibility
    with the current environment.

    It looks like you’re asking some kind of Oberon-based environment to run telnet localhost, in a window or something like that? Seems like a
    complicated way to get a shell, can’t the Oberon environment run it
    directly?

    --
    https://www.greenend.org.uk/rjk/
