Solved

Telnet Login Fails

Posted on 2002-07-25
Last Modified: 2007-11-27
I have a RedHat 6.1 server for an Intranet that my predecessor put up, works fine.  It is remotely located from me, as Administrator, in our building and I need to update our Thawte certificate.  When I try to use Telnet I connect correctly and get the correct response, but when I try to login I get an error stating I have the incorrect name or password.  I am using the same name and password as when I login locally and yes, I am using the correct capitalization, as required.  Why can I log in on this server locally but not telnetting from a remote workstation?  Flat network, same segment.

daveM
Question by:d50041
16 Comments
 
LVL 51

Expert Comment

by:ahoffmann
could you please post the exact error message
0
 
LVL 5

Expert Comment

by:vsamtani
Are you trying to log in as root?

Root login over telnet is usually disabled because it's such a security risk. If you want to allow it, look for a file /etc/securetty. This lists the consoles from which root is allowed to log in, and usually it just lists the local consoles (tty1..n). To allow root logins over telnet, you can rename this file to (for example) /etc/securetty.disabled. Remember to rename it back afterwards.

Vijay

0
 
LVL 6

Author Comment

by:d50041
vsamtani

I think you are on to the cause but there is no such file as securetty in the /etc folder. There is a /etc/security folder.  Can you repost what file this info is located in??
0
 
LVL 51

Expert Comment

by:ahoffmann
The exact error message would be great.
So we can avoid barking up the wrong tree ...
0
 
LVL 6

Author Comment

by:d50041
There is no error message, after I type Telnet xxx.xxx.xxx.xxx I get the proper response from the RedHat server and the Login prompt, then, after entering the user name, I get the password prompt.  After entering the password the server response is "Login Incorrect".  I am using exactly the same login as when I am at the server console.  And I am not using any upper case characters.
0
 
LVL 5

Expert Comment

by:vsamtani
We really need to see the output in /var/log/messages and /var/log/secure at the time that you try and fail to log in.

Are you trying to log in as root?

Vijay
0
 
LVL 51

Expert Comment

by:ahoffmann
> "Login Incorrect".
.. is an error message :)

is it an ordinary user or root to log in?
Did you check /etc/hosts.{allow,deny} ?
0
 
LVL 6

Author Comment

by:d50041
Here are the "messages"

/etc/hosts:

# /etc/hosts for intranet.mesadev.org

# for loopbacking
127.0.0.1     localhost.localdomain     localhost

# This machine

# Other hosts on the network
192.168.151.11     database.mesadev.org     database
192.168.151.2     intranet.mesadev.org      intranet
192.168.151.8     mds.acsol.net
192.168.151.51  sys157.mesadev.org

/var/log/messages:


Jul 30 10:09:05 intranet PAM_pwdb[1940]: authentication failure; (uid=0) -> root for login service
Jul 30 10:09:06 intranet login[1940]: FAILED LOGIN 1 FROM sys157.mesadev.org FOR root, Authentication failure
Jul 30 10:09:57 intranet inetd[402]: pid 1939: exit status 1

/var/log/secure:

Jul 30 10:08:56 intranet in.telnetd[1939]: connect from 192.168.151.51
0
 
LVL 5

Expert Comment

by:vsamtani
Hmm - trying to remember how RH6.1 dealt with this. Have a look to see if you have one or both of

/etc/hosts.allow
/etc/hosts.deny

If you do, then rename them both so that they won't be read. (This again makes your system less secure, so you should also read the man pages for these files so that you can assess the implications of removing them).

Vijay
0
 
LVL 6

Author Comment

by:d50041
The server has both files in that directory.  There are no stations listed in the allow file, the deny file has a line that reads:

ALL:192.168.151.51

that's my station, however I cannot telnet from any station.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
> .. the deny file has a line that reads: ALL:192.168.151.51

That's the reason why you cannot login.
Set this according to your policies, or remove it. Then restart inetd.
0
 

Expert Comment

by:housetier
You also could log in with a normal user account and then "su -" to root...

---Lasse
0
 
LVL 1

Expert Comment

by:dkloes
vsamtani is correct that telnet login as root is prohibited as a security measure.  housetier has the appropriate solution to how you should access the root account.  To verify, try logging in as another user account - it will probably work.  If not, that will tell us that you have other problems.  The allow file is read first and should have the IP or network addresses of those you want to allow.  The deny file should have ALL others.
0
 
LVL 20

Expert Comment

by:Gns
The /etc/hosts.deny entry is perhaps troublesome, but probably not the reason telnet fails for root (if it was, no telnet session could be "connected" at all).

I have a last surviving RH6.1 box, so I don't have to guess.
Let's look at why it doesn't work.

The authentication "mode" for telnet sessions is controlled by -a option to "in.telnetd". The default (no -a option) is off - which in turn means that all user authentication (in the clear) will be deferred to the login program. You can check what "mode" has been chosen on your system by looking at the telnet line in /etc/inetd.conf (since inetd is very likely to have been used to start telnet services).
In any event the login program gets spawned, which on RH6.1 uses PAM (Pluggable Authentication Modules).
Exactly what modules are "stacked" on your system can be found in /etc/pam.d/login, the lines starting with "auth" are the relevant ones.
On a plain vanilla RH6.1, these would be pam_securetty.so, pam_pwdb.so and pam_nologin.so.
login will check (through the pam_securetty.so module) for the existence of the file /etc/securetty (if there is one, check that the terminal device is mentioned (without the /dev/ part), or deny root access. If the file doesn't exist, log that and then allow root access), and the existence of the /etc/usertty file which (through an arcane syntax) can allow/deny any user based on a tight set of criteria.

Now, I've checked that this actually works as stated on my machine, and I've come to some conclusions:

The log entries you've reported look slightly "wrong" for a "plain vanilla RH6.1", so either it isn't RH6.1, or it has been updated with a more recent PAM. This could slightly alter log entries, default settings and behaviour.

You might have mistyped when checking for /etc/securetty (you should have a log entry otherwise mentioning that it wasn't found).

You might have a /etc/usertty file that is the culprit denying the remote root-logon.

You have already received advice as to a good workaround (plain user -> su), so I'll just belabour this point: telnet _is_ insecure. You shouldn't use it if you can help it, and if you have to use it, please see to it that it is in a controlled network environment.
In a perfect world, telnet would be as obsoleted as the horrid 'r'-commands.

The information above was readily available in the man-pages on the system:
man in.telnetd login

-- Glenn
0
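The two layers discussed in this thread, modelled as an added example (not code from any poster): the hosts.allow/hosts.deny evaluation order dkloes describes and the /etc/securetty check Gns describes. It assumes in.telnetd is started through tcpd, handles only `ALL`, exact and trailing-dot patterns, and the function names, the `ROOT` argument and the sample securetty contents are made up here.

```sh
# Added example: simplified model of the two checks discussed in this thread.
# ROOT is the directory that contains etc/ (use "/" on the server itself).

# match_list FILE DAEMON ADDR: status 0 if a "daemons : clients" rule matches.
# Handles only ALL, exact values and trailing-dot address prefixes.
match_list() (
    set -f                                  # no globbing while splitting lists
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        d_ok=1
        for d in $(echo "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$2" ]; then d_ok=0; fi
        done
        [ "$d_ok" -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            case $c in
                ALL|"$3") return 0 ;;
                *.) case $3 in "$c"*) return 0 ;; esac ;;
            esac
        done
    done < "$1"
    return 1
)

# hosts_access(5) order: a match in hosts.allow grants; otherwise a match in
# hosts.deny refuses; otherwise access is granted.
wrappers_verdict() {    # ROOT DAEMON ADDR
    if match_list "$1/etc/hosts.allow" "$2" "$3"; then echo allow
    elif match_list "$1/etc/hosts.deny" "$2" "$3"; then echo deny
    else echo allow; fi
}

# pam_securetty as described above: a missing /etc/securetty lets root in;
# otherwise the tty name (without /dev/) must be listed in the file.
securetty_verdict() {   # ROOT TTY
    f="$1/etc/securetty"
    if [ ! -e "$f" ]; then echo allow-no-securetty
    elif grep -Fqx -- "$2" "$f"; then echo allow
    else echo deny; fi
}

# Constructed sample tree: the hosts.deny line is the one quoted in the thread,
# the securetty contents are invented for illustration.
make_sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc"
    echo 'ALL:192.168.151.51' > "$r/etc/hosts.deny"
    printf 'tty1\ntty2\n' > "$r/etc/securetty"
    echo "$r"
}
```

Calling `wrappers_verdict / in.telnetd <client address>` and `securetty_verdict / <tty>` on the server shows which of the two layers would reject a given root telnet attempt.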
 
LVL 6

Author Comment

by:d50041
Lots of useful feedback and comments.  Thanks to all

daveM
0
