Credential-free, anonymous system access
I suspect that in this day and age, when very few services are made available via telnet and SSH, this document is of limited use. However, I need the notes and they may help someone else. Anonymous access to services isn't that common these days, and the traditional approach has always been to publish a username and password. I've never been keen on that approach: the account has to have a valid password, so it has to be explicitly locked out of every other service on the machine, and a published password slightly widens the window for people to send you malicious data. Because of this I prefer simply not to ask for credentials on public services. So, if you want to allow people to connect to a system via SSH or telnet (yes, I know telnet isn't secure and SSH is better, but there are still reasons it may be used) without making them enter account credentials, and without that account being usable, even by accident, for anything else, here's how I did it.
SSH, it turns out, is really easy to configure to require no authentication at all, provided you can run a dedicated sshd instance for your public service that won't be used for anything else.
First copy your sshd configuration file (sshd_config) to a new file, say sshd-insecure_config. Then make sure the following items are configured:
ListenAddress - You probably only want it listening on the specific IP associated with the public service you are running. Use a separate IP or port for management access.
PermitEmptyPasswords yes - This is needed so that the local user account can stay locked and users are not prompted to authenticate.
AllowUsers - Set this to whatever users are required for your public access services, and nothing else.
UsePAM yes - This is vital: PAM is what lets the user log in without needing a real password. With UsePAM enabled sshd also leaves the locked-account check to PAM's account stack instead of refusing the locked account itself, which is why a locked account can log in at all.
The rest of the configuration should be edited to disallow pretty much everything else, especially tunnels, X11 forwarding, and every authentication method except password authentication. You almost certainly also want to put the user into a chroot jail (ChrootDirectory).
Once you have the new sshd configuration file sorted out, make a copy of your sshd binary and put it wherever you like, probably something like /usr/sbin/sshd-insecure. Now in the PAM configuration directory (/etc/pam.d on Ubuntu) copy the sshd PAM service file to a new file whose name matches your new copy of the sshd binary: sshd looks up its PAM service under the name it was invoked as, so the copied binary gets its own PAM stack.
You now need to make just two changes. Comment out the existing auth line, and in its place add the line:
auth sufficient pam_permit.so
As the man pages say, pam_permit.so is really insecure and just permits everything. So this is probably a really stupid thing to do even if you know what you're doing.
All that's left to do now is start your new insecure sshd. This will be done with a command like:
/usr/sbin/sshd-insecure -f sshd-insecure_config
SSH to your new insecure server specifying your special insecure user and, once you've accepted the server key, you should be logged in with no request for any credentials at all.
N.B. Make sure no other users can log in (AllowUsers), otherwise you'll have problems.
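The whole SSH procedure above as one script, added here as an example and not taken from the original post. It builds sshd-insecure_config from an existing sshd_config (the instance's own directives go first, because sshd uses the first value it reads for each keyword, and any conflicting lines from the base file are dropped), builds the matching PAM service file from /etc/pam.d/sshd by swapping the Ubuntu "@include common-auth" line (an assumption about your distribution) for pam_permit, and then checks the result the way you would before starting the daemon. The address 192.0.2.10, the user "guest", the jail /srv/jail and the PID file path are constructed values, and OpenSSH 6.7 or newer is assumed for AllowStreamLocalForwarding. Nothing is installed or started: files go to a staging directory and the install and start commands are only printed.

```shell
#!/bin/sh
# Stage the second, credential-free sshd instance described above.
# Added example, not the post's own scripts. Assumes Ubuntu-style paths
# (/etc/ssh/sshd_config; /etc/pam.d/sshd containing "@include common-auth"),
# the copied binary at /usr/sbin/sshd-insecure, and OpenSSH 6.7 or newer.
# Nothing is installed or started: files are written to a staging directory
# and the install/start commands are only printed.
set -u

PUBLIC_IP="${PUBLIC_IP:-192.0.2.10}"        # constructed: the public service's address
PORT="${PORT:-22}"
PUBLIC_USER="${PUBLIC_USER:-guest}"         # the locked account visitors land in
JAIL="${JAIL:-/srv/jail}"                   # root-owned, not group/world writable, shell inside
PIDFILE="${PIDFILE:-/run/sshd-insecure.pid}"

# Keywords this script sets. sshd uses the FIRST value it reads for a keyword,
# so ours are emitted first and any copy in the base config is dropped.
MANAGED="port listenaddress pidfile allowusers usepam permitemptypasswords
passwordauthentication pubkeyauthentication challengeresponseauthentication
kbdinteractiveauthentication permitrootlogin allowtcpforwarding
allowagentforwarding allowstreamlocalforwarding gatewayports permittunnel
x11forwarding permituserenvironment chrootdirectory"

# stdin: base sshd_config  ->  stdout: sshd-insecure_config
gen_sshd_config() {
    cat <<EOF
# sshd-insecure_config (generated): public, credential-free instance
Port $PORT
ListenAddress $PUBLIC_IP
PidFile $PIDFILE
AllowUsers $PUBLIC_USER
UsePAM yes
PermitEmptyPasswords yes
PasswordAuthentication yes
PubkeyAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowTcpForwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
PermitUserEnvironment no
ChrootDirectory $JAIL
# --- inherited from the base config (HostKey etc.), conflicting lines removed ---
EOF
    awk -v managed="$MANAGED" '
        BEGIN { n = split(managed, m, "[ \t\n]+"); for (i = 1; i <= n; i++) drop[m[i]] = 1 }
        !(tolower($1) in drop) { print }'
}

# stdin: /etc/pam.d/sshd  ->  stdout: /etc/pam.d/sshd-insecure
gen_pam_config() {
    awk '
        $1 == "@include" && $2 == "common-auth" {
            print "# " $0 "   <- disabled: no password check on the public instance"
            print "auth sufficient pam_permit.so"
            next
        }
        { print }'
}

# The value sshd would use for KEYWORD in FILE (first match, case-insensitive).
first_value() {  # usage: first_value FILE KEYWORD
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }' "$1"
}

# Sanity-check a staged pair; prints each problem, returns non-zero if any.
check_staged() {  # usage: check_staged SSHD_CONF PAM_CONF
    rc=0
    for kv in "PermitEmptyPasswords yes" "UsePAM yes" "PasswordAuthentication yes" \
              "PubkeyAuthentication no" "PermitRootLogin no" "AllowTcpForwarding no" \
              "X11Forwarding no" "PermitTunnel no"; do
        k=${kv% *}; want=${kv#* }; got=$(first_value "$1" "$k")
        [ "$got" = "$want" ] || { echo "BAD: $k is '$got', want '$want'"; rc=1; }
    done
    [ -n "$(first_value "$1" AllowUsers)" ] || { echo "BAD: no AllowUsers"; rc=1; }
    # Every active auth entry must be pam_permit; anything else (pam_unix,
    # common-auth) brings the password prompt back.
    if awk '$1 == "auth" && $3 != "pam_permit.so" { bad = 1 }
            $1 == "@include" && $2 == "common-auth" { bad = 1 }
            END { exit !bad }' "$2"; then
        echo "BAD: $2 still has an auth entry other than pam_permit"; rc=1
    fi
    return $rc
}

# Generate both files into DIR from the base sshd_config and PAM file, then check.
stage() {  # usage: stage DIR BASE_SSHD_CONFIG BASE_PAM_SSHD
    mkdir -p "$1"
    gen_sshd_config < "$2" > "$1/sshd-insecure_config"
    gen_pam_config  < "$3" > "$1/sshd-insecure"
    check_staged "$1/sshd-insecure_config" "$1/sshd-insecure"
}

# Stand-alone run on constructed base files (use /etc/ssh/sshd_config and
# /etc/pam.d/sshd on a real system).
demo() {
    d=$(mktemp -d)
    printf 'Port 22\nListenAddress 0.0.0.0\nHostKey /etc/ssh/ssh_host_ed25519_key\nPasswordAuthentication no\nX11Forwarding yes\nSubsystem sftp /usr/lib/openssh/sftp-server\n' > "$d/sshd_config"
    printf '@include common-auth\naccount required pam_nologin.so\n@include common-account\n@include common-session\n' > "$d/sshd"
    stage "$d/stage" "$d/sshd_config" "$d/sshd" && echo "staged OK under $d/stage"
    echo "# as root, after 'cp /usr/sbin/sshd /usr/sbin/sshd-insecure' and copying the two files:"
    echo "#   /usr/sbin/sshd-insecure -t -f /etc/ssh/sshd-insecure_config  # validate"
    echo "#   /usr/sbin/sshd-insecure -f /etc/ssh/sshd-insecure_config"
}
demo
```

The check function is the part worth keeping around: run it again after any later edit to either file, since a single leftover "auth ... pam_unix.so" line or a second PermitEmptyPasswords earlier in the file silently turns the password prompt back on. The jail directory itself is not created here; ChrootDirectory requires every component of the path to be root-owned and not group or world writable, and an interactive jail needs a shell and a minimal /dev inside it.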
If you thought that configuring SSH to behave in such an insecure fashion was foolhardy, this should worry you even more. For public services such as BBSes, MUDs and other shell-based services, telnet is still a useful mechanism for allowing access; there's a lot of legacy stuff out there. Over the years I've tried all sorts of clever ways of allowing people to telnet into systems as securely as possible. I've compiled custom alternatives and I've tried to be frightfully clever with PAM. Ultimately, though, the easiest way is the easiest. If you're running a comparatively modern telnetd then you can specify an alternative login program. This allows you to call a simple wrapper script that invokes login with a few arguments.
So, by way of example, you might configure your telnet service with something like this:
telnetd -L /usr/local/sbin/insecure-login
The wrapper, /usr/local/sbin/insecure-login, can be something as simple as a short shell script which calls the login binary with a couple of arguments telling it to log the user in without asking for any credentials:
/bin/login -f anonymous
Now anything that connects via telnet will be logged in as "anonymous", no questions asked. As with the SSH example, you almost certainly want any user logged in via this method to be put straight into a chroot jail.
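The wrapper itself, as an added example that is not the post's script: /usr/local/sbin/insecure-login as a POSIX sh script that forces "login -f anonymous", keeps the peer address telnetd passes with -h so utmp/wtmp record where the session came from, and deliberately drops telnetd's -p so nothing the telnet client negotiated into the environment survives into the session. It assumes a netkit-style telnetd that starts the login program as "loginprg -h <peer> -p" and a util-linux login, where -f skips the password, -h is accepted only from root, and TERM is kept even without -p (all assumptions); the account name is configurable through ANON_USER and is a hypothetical name.

```shell
#!/bin/sh
# /usr/local/sbin/insecure-login: the login program telnetd -L points at.
# Added example, not the post's script. Assumptions: a netkit-style telnetd
# invokes us as  loginprg -h <peer> -p ; /bin/login is util-linux login, where
# -f skips the password, -h (root only) records the peer in utmp/wtmp, and TERM
# survives without -p.
set -u

ANON_USER="${ANON_USER:-anonymous}"   # locked account whose shell lives in the jail
LOGIN_BIN="${LOGIN_BIN:-/bin/login}"

# Print the peer telnetd passed with -h, or nothing. Every other argument is
# ignored on purpose: in particular -p (preserve environment) is dropped so
# variables the telnet client negotiated never reach the session.
peer_host() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-h" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 0
}

# The argument list handed to login, rendered as one line so it can be
# inspected without spawning login.
login_argv() {
    host=$(peer_host "$@")
    if [ -n "$host" ]; then
        printf '%s\n' "-f $ANON_USER -h $host"
    else
        printf '%s\n' "-f $ANON_USER"
    fi
}

# Replace ourselves with login. -f: no password; -h: peer for the logs.
run_login() {
    host=$(peer_host "$@")
    if [ -n "$host" ]; then
        set -- -f "$ANON_USER" -h "$host"
    else
        set -- -f "$ANON_USER"
    fi
    exec "$LOGIN_BIN" "$@"
}

# Only act when running under the name telnetd calls; under any other name
# (sourced, or run for inspection) the functions are merely defined.
case "${0##*/}" in
    insecure-login) run_login "$@" ;;
esac
```

Install it root-owned and executable, then point telnetd at it; with a netkit telnetd started from inetd, that is the inetd.conf entry ending in "in.telnetd -L /usr/local/sbin/insecure-login" (in.telnetd is the Debian/Ubuntu binary name; check your own). Because login accepts -h only from root, the service must still be running as root when the wrapper runs, and the anonymous account's shell should be the jailed one, since the wrapper does nothing to confine the session itself.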
So there you go: how to allow anonymous access to your systems using locked accounts and without needing to publish anything except the service address (and, for SSH, the user name). Obviously there's precious little call for this sort of thing these days, and few good reasons to do it. It's also probably a very bad idea, may break the terms of service of your provider and will probably get your server hacked, but don't let that stop you. If you do do something as foolhardy as setting up a service like this, you might want to consider
as well as