Reset user's password

rvp

kc9udx Can't say w/o seeing a lot more logs or a full ktrace -di output of telnetd, but, it looks like login hasn't run for some reason (by the time the banner is printed this should've happened, actually, but, can't see any msgs. from login--unless you've got a ~/.hushlogin present).

Try this out:

root$ mv /usr/bin/login /usr/bin/login.orig

root$ cat <<\EoF
#!/bin/sh
echo "$@"
env
cat
EoF

root$ chmod 755 /usr/bin/login

Then, try telnet from where it's not working. The cat should echo back whatever you type in.

You may be able to work-around this by passing -a none or -a off to telnetd

kc9udx

rvp
1 there is no .hushlogin
2 replacing /usr/bin/login with that script did nothing different.
3 telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a off has been in /etc/inetd.conf as long as I've been running NetBSD. I don't exactly recall why without digging through my notes. But I'm pretty sure it's because a certain client cannot login otherwise; I would guess MiamiDx.
4 oddly, when I try -a valid today, I get telnetd: unknown authorization level for -a on the client (NetBSD 10.0)

Also: This is starting to look NIS related again. In the past, I thought that if I telnet localhost from the server in question, I would have the same results as trying to telnet there from another NetBSD machine. But today, it works. It doesn't work right, but it works:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.domainname.
Escape character is '^]'.
Trying SRA secure login:
User (root): myself
Password:
[ SRA accepts you ]

NetBSD/amd64 (hostname.domainname) (pts/1)

login: myself
Password for myself@hostname.domainname:
Last login: Sat Mar 30 12:03:56 2024 from 192.168.0.255 on pts/0
NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024

Welcome to NetBSD!

$

rvp

kc9udx It doesn't work right, but it works:

That's a bug. See PR# 58787

kc9udx It isn't any NetBSD client that can't login to that server, it's only certain ones. Those certain ones are all on one branch of my LAN, which makes me very suspicious.

A /etc/login.access lying around would do that, except:

NetBSD, by default, doesn't come with a /etc/login.access
Even if you had one in place, it would not have been read with -a valid because of PR# 58790.
And, even when you start telnetd with -a off (so that it is login which does auth./access ctl.), login does read that file, but, that wouldn't matter when we've replaced login with the script, above (nothing in that shell script reads that file!).

So, I dunno what's happening here.

Can you try the patch in PR# 58787 with this sra.c, then run both the server and failing client under script with the debugging options turned on?

You don't need to compile the whole system just libtelnet and telnetd will do. Assuming tools are in /usr/tools:

root# mkdir /tmp/obj

root# cd /usr/src/lib/libtelnet
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1 obj
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1

root# cd /usr/src/libexec/telnetd
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1 obj
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1

root# mv /usr/libexec/telnetd /usr/libexec/telnetd.orig
root# install -m 555 /tmp/obj/usr/src/libexec/telnetd/telnetd /usr/libexec/telnetd

Run the server as:

script -c '/usr/libexec/telnetd -a <off|valid> -debug -edebug -D options -D report -D netdata -D ptydata' /tmp/server.txt

Run the client as:

script -c 'telnet <server>' /tmp/client.txt

Email me both /tmp/*.txt files. (Remember to change your password, or to use a temp. user because the debug output'll have that.)

EDIT: Are you passing the -U flag to telnetd? (might cause problems for clients with no valid hostnames)

kc9udx

Well this is more bizarre than I thought and getting embarrassing. It isn't any NetBSD client that can't login to that server, it's only certain ones. Those certain ones are all on one branch of my LAN, which makes me very suspicious.

kc9udx

Hopefully in a couple weeks I'll get time to play with this. ~~In the meanwhile, I'll check to see if for some reason I have /etc/login.access . I sure don't think I should, but I'll check.~~ The first thing I need to do is try a different network branch. Right now I'm going through a dd-wrt based wireless access point. Something is very fishy there.

No, I don't run telnetd with -U

I don't have /etc/login.access. But I must have a serious network configuration error somewhere. I'm not exactly sure how this is affecting telnet this way unless somewhere a port is blocked. Unfortunately I won't have time to figure that out or do anything else with this probably till the end of the month.

kc9udx

I did find out I was wrong about the networking. Where the devices in question were on the network didn't really matter. The problems were just being intermittent in a way to make it appear like a network problem.

In the meanwhile, before I had a chance to diagnose further, I ended up upgrading all machines to NetBSD-daily 202411301030. This solved all problems in question in every direction.

telnetd has obviously changed. Most notably it now doesn't prompt for a username if a username is known.

rvp

kc9udx telnetd has obviously changed. Most notably it now doesn't prompt for a username if a username is known.

Yeah, PR# 58787 has been fixed (and pulled up to 10-STABLE); PR# 58790 should go in too. Have you managed to test with that sra.c file?

kc9udx

rvp no; I stupidly forgot that termbin would expire it so I relied on it being there and it wasn't when I tried to get it.

rvp

kc9udx Refreshed the link.

kc9udx

rvp it'll be weeks again before I can try, unfortunately. Is it still worthwhile now that I've upgraded? (I already wiped out my backups, so there's no going back anymore).

rvp

kc9udx Not critical--I'll take care of it.

« Previous Page