[wip] telnetd: init module #40160
[wip] telnetd: init module #40160
Conversation
|
Success on x86_64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: telnet Partial log (click to expand)
|
| networking.firewall.allowedUDPPorts = [ cfg.port ]; | ||
|
|
||
| users.extraUsers.telnetd.uid = config.ids.uids.telnetd; | ||
| users.extraGroups.telnetd.gid = config.ids.gids.telnetd; |
There was a problem hiding this comment.
Why does telnet need static id?
There was a problem hiding this comment.
It doesn't I guess. I copied other modules but why do other services need a static id either ?
There was a problem hiding this comment.
They need static uids to avoid having to adjust the owner of large amount of files on service startup.
There was a problem hiding this comment.
Yes, but does telnet create any files of its own?
|
|
||
| config = mkIf config.services.telnet.enable { | ||
|
|
||
| networking.firewall.allowedUDPPorts = [ cfg.port ]; |
There was a problem hiding this comment.
Firewall ports should not be opened by default. Please add a dedicated option for that: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix#L140
There was a problem hiding this comment.
it should ! still remember the nagle lesson with telnet thanks
There was a problem hiding this comment.
The option on the link you mention defaults to true so it doesn't add much security :s
There was a problem hiding this comment.
yes. ssh is the only service where we make it true by default. All other services defaults to false.
There was a problem hiding this comment.
This is a convention we have for nixos and exception might surprise users.
| }; | ||
|
|
||
| port = mkOption { | ||
| default = 12345; |
| default = false; | ||
| type = types.bool; | ||
| description = '' | ||
| Enable telnetd. |
There was a problem hiding this comment.
I am not sure if we should put a warning here since due missing encryption telnet should be only used in trusted networks. Also your mininet example might be about man-in-the-middle attacks on telnet.
|
It doesn't seem to bind though I gave the module |
nixos/modules/misc/ids.nix
Outdated
| @@ -307,6 +307,7 @@ | |||
| duplicati = 289; | |||
| monetdb = 290; | |||
| restic = 291; | |||
| telnetd = 292; | |||
|
@GrahamcOfBorg eval |
|
Success on aarch64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
for some reason telnetd can't bind even though it has the capability and though I set |
|
Success on aarch64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
The problem was that telnetd was forking: Either use Type=forking or pass the -F flag to telnetd: diff --git a/nixos/modules/services/web-servers/telnet.nix b/nixos/modules/services/web-servers/telnet.nix
index ce21c480794..7fc527e42c9 100644
--- a/nixos/modules/services/web-servers/telnet.nix
+++ b/nixos/modules/services/web-servers/telnet.nix
@@ -4,11 +4,7 @@ with lib;
let
cfg = config.services.telnet;
-
- user = "telnetd";
-in
-{
-
+in {
options.services.telnet = {
enable = mkOption {
@@ -42,34 +38,24 @@ in
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
users.extraUsers = singleton {
- name = user;
+ name = "telnetd";
group = "telnetd";
description = "Telnet daemon";
};
- # users.extraGroups = singleton {
- # name = "telnetd";
- # };
+ users.extraGroups = singleton {
+ name = "telnetd";
+ };
systemd.services.telnetd = {
description = "Telnet server";
wantedBy = [ "multi-user.target" ];
- # binds by default to ipv6 ?
- # script = "${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -b 127.0.0.1";
-
serviceConfig = {
- # defaults to ipv6 otherwise ?
- ExecStart="${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -b 127.0.0.1";
- User = user;
+ ExecStart="${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -F";
+ User = "telnetd";
Group = "telnetd";
- AmbientCapabilities="CAP_NET_BIND_SERVICE";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE=+eip";
- # RuntimeDirectory = [ "telnetd" ];
- Restart = "always";
- RestartSec = "500ms";
- # StartLimitInterval = 86400;
- StartLimitBurst = 5;
+ AmbientCapabilities = "cap_net_bind_service";
};
};
};However I still cannot login. |
|
Success on aarch64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: telnet Partial log (click to expand)
|
|
I was not able to login though. It kept closing my connection without logging useful information. I am also not sure how this is supposed to work. Because the user is running as |
|
The push was just to sync my computers sry xD It appears I don't really need this immediately so I'll put it on hold. |
|
Is busybox the right place to get telnetd? Inetutils also has it. |
|
closing since it doesn't seem like a hard requirement for mininet (my initial motivation) and I can't make it work. thanks for the comments, hopefully someone will pick it up. |
Motivation for this change
I am trying to package mininet, which I believe rely on mininet.
Eitherway it doesn't hurt to have a telnet module.
It doesn't seem to work though, I can't connect to it via
telnet 127.0.0.1.journalctl -bdoesn't show any error. I wonder if that's firewall relatedThings done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)