[wip] telnetd: init module #40160
Conversation
Success on x86_64-linux (attempted: telnet)
Success on aarch64-linux (attempted: telnet)
networking.firewall.allowedUDPPorts = [ cfg.port ];

users.extraUsers.telnetd.uid = config.ids.uids.telnetd;
users.extraGroups.telnetd.gid = config.ids.gids.telnetd;
Why does telnet need a static id?
It doesn't, I guess. I copied other modules, but why do other services need a static id either?
They need static uids to avoid having to adjust the owner of a large number of files on service startup.
Yes, but does telnet create any files of its own?
Not that I know of.
config = mkIf config.services.telnet.enable {

networking.firewall.allowedUDPPorts = [ cfg.port ];
Should this not be TCP?
Firewall ports should not be opened by default. Please add a dedicated option for that: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix#L140
It should! I still remember the Nagle lesson with telnet, thanks.
The option at the link you mention defaults to true, so it doesn't add much security :s
Yes. ssh is the only service where we make it true by default. All other services default to false.
This is a convention we have for NixOS, and an exception might surprise users.
OK, I fixed it.
};

port = mkOption {
  default = 12345;
The default port for telnet is 23.
default = false;
type = types.bool;
description = ''
  Enable telnetd.
I am not sure if we should put a warning here, since due to the missing encryption telnet should only be used in trusted networks. Also, your mininet example might be about man-in-the-middle attacks on telnet.
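As an added example that is not part of this PR or of any telnetd implementation, the following Python script parses a constructed telnet capture (the client-to-server byte stream) and shows what a passive observer on an untrusted network recovers: the option negotiation (IAC sequences) is stripped off and the login name and password come out verbatim, which is the reason for the trusted-network caveat above. The capture bytes, the option-name table and the function names are assumptions made for illustration.

```python
# Added example (not from the nixpkgs PR or from busybox/inetutils telnetd):
# a minimal telnet stream parser that separates option negotiation from
# application data, run over a constructed client-to-server capture.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Subset of telnet option codes, enough for the constructed capture below.
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}


def parse_telnet(stream: bytes):
    """Split a raw telnet byte stream into (negotiations, application_data).

    Handles IAC IAC escaping of a literal 0xFF, three-byte DO/DONT/WILL/WONT
    commands, IAC SB ... IAC SE subnegotiation (with IAC IAC inside it), and
    stops cleanly on a truncated command at the end of the capture.
    """
    negotiations = []
    data = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            break  # lone IAC at the end: incomplete command
        cmd = stream[i + 1]
        if cmd == IAC:
            data.append(IAC)  # escaped data byte 0xFF
            i += 2
        elif cmd in VERBS:
            if i + 2 >= n:
                break  # truncated three-byte command
            opt = stream[i + 2]
            negotiations.append((VERBS[cmd], OPTION_NAMES.get(opt, str(opt))))
            i += 3
        elif cmd == SB:
            # Scan for the terminating IAC SE, stepping over escaped IAC IAC pairs.
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if (stream[j] == IAC and stream[j + 1] == IAC) else 1
            if j + 1 >= n:
                break  # unterminated subnegotiation
            opt = stream[i + 2] if i + 2 < j else None
            payload = stream[i + 3:j].replace(bytes([IAC, IAC]), bytes([IAC]))
            negotiations.append(("SB", OPTION_NAMES.get(opt, str(opt)), payload))
            i = j + 2
        else:
            negotiations.append(("CMD", str(cmd)))  # NOP, GA, AYT, ...
            i += 2
    return negotiations, bytes(data)


def recover_credentials(client_to_server: bytes):
    """Return (login, password): the first two lines the client typed."""
    _, data = parse_telnet(client_to_server)
    # Telnet NVT end-of-line is CR LF; some clients send CR NUL instead.
    text = data.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")
    answers = [line.decode("ascii", "replace") for line in text.split(b"\n") if line]
    if len(answers) < 2:
        raise ValueError("capture does not contain a login and a password line")
    return answers[0], answers[1]


# Constructed capture, client -> server: option negotiation followed by the
# login name, the password and one command, each terminated by CR LF.
CLIENT_TO_SERVER = (
    bytes([IAC, DO, 1])                                       # DO ECHO
    + bytes([IAC, WILL, 24])                                  # WILL TERMINAL-TYPE
    + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])  # TERMINAL-TYPE IS "XTERM"
    + b"alice\r\n"
    + b"Tr0ub4dor&3\r\n"
    + b"id\r\n"
)

if __name__ == "__main__":
    negs, _ = parse_telnet(CLIENT_TO_SERVER)
    for neg in negs:
        print("negotiation:", neg)
    login, password = recover_credentials(CLIENT_TO_SERVER)
    print(f"observer sees login={login!r} password={password!r}")
```

The server turning local echo off while the password is typed (the ECHO negotiation above) only affects what the client's terminal displays; the bytes on the wire are the same, so anyone who can read the TCP stream reads the password.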
It doesn't seem to bind though I gave the module
nixos/modules/misc/ids.nix
@@ -307,6 +307,7 @@
duplicati = 289;
monetdb = 290;
restic = 291;
telnetd = 292;
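Review bot: the `telnetd = 292;` reservation is dead after the later revision of telnet.nix, whose `users.extraUsers` entry sets only `name`, `group` and `description` and no `uid`, and the thread above established that telnetd creates no files that would need a stable owner; drop this line rather than burn a static id that nothing references.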
This is not used anymore.
@GrahamcOfBorg eval
Success on aarch64-linux (attempted: telnet)
Success on x86_64-linux (attempted: telnet)
For some reason telnetd can't bind even though it has the capability and though I set
Success on aarch64-linux (attempted: telnet)
Success on x86_64-linux (attempted: telnet)
The problem was that telnetd was forking. Either use Type=forking or pass the -F flag to telnetd:
diff --git a/nixos/modules/services/web-servers/telnet.nix b/nixos/modules/services/web-servers/telnet.nix
index ce21c480794..7fc527e42c9 100644
--- a/nixos/modules/services/web-servers/telnet.nix
+++ b/nixos/modules/services/web-servers/telnet.nix
@@ -4,11 +4,7 @@ with lib;
let
cfg = config.services.telnet;
-
- user = "telnetd";
-in
-{
-
+in {
options.services.telnet = {
enable = mkOption {
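Review bot: removing the `user = "telnetd";` let-binding trades one definition for the literal "telnetd" repeated in `users.extraUsers`, `User =` and `Group =` further down; keeping the binding (and reusing it for the group name) stops the three from drifting apart. Style point only; the collapse to `in {` is fine.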
@@ -42,34 +38,24 @@ in
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
users.extraUsers = singleton {
- name = user;
+ name = "telnetd";
group = "telnetd";
description = "Telnet daemon";
};
- # users.extraGroups = singleton {
- # name = "telnetd";
- # };
+ users.extraGroups = singleton {
+ name = "telnetd";
+ };
systemd.services.telnetd = {
description = "Telnet server";
wantedBy = [ "multi-user.target" ];
- # binds by default to ipv6 ?
- # script = "${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -b 127.0.0.1";
-
serviceConfig = {
- # defaults to ipv6 otherwise ?
- ExecStart="${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -b 127.0.0.1";
- User = user;
+ ExecStart="${pkgs.busybox}/bin/telnetd -p ${toString cfg.port} -F";
+ User = "telnetd";
Group = "telnetd";
- AmbientCapabilities="CAP_NET_BIND_SERVICE";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE=+eip";
- # RuntimeDirectory = [ "telnetd" ];
- Restart = "always";
- RestartSec = "500ms";
- # StartLimitInterval = 86400;
- StartLimitBurst = 5;
+ AmbientCapabilities = "cap_net_bind_service";
};
};
};
However, I still cannot log in.
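Review bot: dropping `-b 127.0.0.1` from `ExecStart` makes busybox telnetd listen on every interface, which is the wrong default for a cleartext protocol; keep a bind address (a `listenAddress` option defaulting to 127.0.0.1, alongside the `openFirewall` gate on `allowedTCPPorts` at the top of this hunk) and pass it as `-b ${cfg.listenAddress}`. The same hunk also silently removes `Restart = "always"`, `RestartSec`, `StartLimitBurst` and `CapabilityBoundingSet`, none of which is required for the `-F` foreground fix; if they are meant to go, say so in the commit message. For the remaining login failure, check `User = "telnetd"`: the login program telnetd spawns has to switch to the authenticated user's uid, which an unprivileged service user cannot do, so the service either runs as root with its capabilities restricted or the login path needs a different design.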
Success on aarch64-linux (attempted: telnet)
Success on x86_64-linux (attempted: telnet)
I was not able to log in though. It kept closing my connection without logging useful information. I am also not sure how this is supposed to work, because the user is running as
The push was just to sync my computers, sorry xD. It appears I don't really need this immediately, so I'll put it on hold.
Is busybox the right place to get telnetd? Inetutils also has it.
Closing, since it doesn't seem like a hard requirement for mininet (my initial motivation) and I can't make it work. Thanks for the comments; hopefully someone will pick it up.
Motivation for this change
I am trying to package mininet, which I believe relies on mininet.
Either way, it doesn't hurt to have a telnet module.
It doesn't seem to work though: I can't connect to it via telnet 127.0.0.1, and journalctl -b doesn't show any error. I wonder if that's firewall related.
Things done
build-use-sandbox in nix.conf (on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/