Credential free, anonymous system access

I suspect that in this day and age where very few services are made available via telnet and SSH that this document is of limited use. However I need the notes and it may help out someone else. Anonymous access to services these days isn’t that common, and the traditional approach has always been to use a published username and password. I’ve never been that keen on such an approach as it means the account has to have a valid password and thus be locked out of every other service on the machine, also it means that you present a slightly greater window for people to try to send you malicious data. Because of this I rather prefer to just not ask for credentials on public services. So if you want to allow people to connect to a system via SSH or telnet (Yes I know telnet isn’t secure and SSH is better but there are still reasons why it may be used), but don’t want them to have to enter account credentials or for that account to be usable even by accident for anything else here’s how I did it.

SSH

SSH it turns out is really easy to turn configure to not need any authentication at all, provided you can run a specific instance of SSH for your public service that won’t be used for anything else.

First copy your sshd_config to a new file say: sshd-insecure_config. Then make sure the following items are configured:

  • ListenAddress – You probably only want it listening on the specific IP associated with the public service you are running. Use a separate IP or port for management access.
  • PermitEmptyPasswords yes – This is needed so that you can have the local user account locked and users not be prompted to authenticate.
  • AllowUsers – Set this to whatever users are required for your public access services.
  • UsePAM yes – This is vital as PAM lets us allow our user to login without needing a real password.

The rest of the configuration should be edited to disallow pretty much everything else, especially tunnels, X11 forwarding, anything except password authentication. You almost certainly also want to configure the user to be put into a chroot jail.

Once you have the new SSHD configuration file sorted out, make a copy of your sshd binary, copy it to whatever you like probably something like sshd-insecure. Now in /etc/pam.d (assuming a Ubuntu system) copy the sshd pam configuration file to a new file matching the name of your new copy of the sshd binary.
e.g./etc/pam.d/sshd-inscure
You now need to make just two more changes:

  • Comment out the line:
    @include common-auth
  • In it’s place add the line:
    auth sufficient pam_permit.so

As the man pages say pam_permit is really insecure and just permits everything. So this is probably a really stupid thing to do even if you know what you’re doing.

All that’s left to do now is start your new insecure and very dodgy sshd. This will be done with a command like:
/usr/sbin/sshd-insecure -f sshd-insecure_config
SSH to your new insecure server specifying your special insecure user and once you’ve accepted the server keys you should be logged in with no request for any credentials at all.

N.B. Make sure no other users can log in otherwise you’ll have problems.

Telnetd

If you thought that configuring SSH to behave in such an insecure fashion was foolhardy, well this should worry you even more. For public services such as BBSes, MUds and other shell based services telnet is still a useful mechanism for allowing access, there’s a lot of legacy stuff out there. Over the years I’ve tried all sorts of clever ways of allowing people to telnet into systems in as secure a way as possible. I’ve compiled custom telnetd ‘s, I’ve looked at telnetd alternatives and I’ve tried to be frightfully clever with PAM. Ultimately though the easiest way is the easiest. If you’re running a comparatively modern telnetd then you can specify an alternative login program. This allows you to call a simple wrapper script that invokes login with a few arguments.

So by way of example you might configure inetd to run telnetd something like this:
telnetd -L /usr/local/sbin/insecure-login
The file /usr/local/sbin/insecure-login can then be something as simple as a short shell script which calls the real login with a couple or arguments telling it to just log the user in without asking for any credentials.
e.g.#!/bin/ksh
/bin/login -f anonymous

Restart your inetd and anything that attempts to connect via telnet will be logged in as “anonymous“, no questions asked. As with the SSH example you almost certainly want any user logged in via this method to be put straight into a chroot jail.

So there you go how to allow anonymous access to your systems using locked accounts and without needing to publish anything except the service address (and for SSH the user name). Obviously there’s precious little call for this sort of thing these days, and few good reasons to do it. It’s also probably a very bad idea to do this, may break the terms of service of your provider and will probably get your server hacked – but don’t let that stop you. If you do do something as foolhardy as set up a service like this you might want to consider apparmor as well as chroot.

Bookmark the permalink.

Leave a Reply