Telnet password different than webinterface password

[Fritsy]

Hi,

Is it possible to change the telnet password but not the webinterface password?
I want to grant access for others to the webinterface but NOT to telnet.

It is off course possible to deactivate telnet but it's very easy to activate again so that won't do.

If the password change isn't possible then is it possible to change/deactivate the telnet activation code (#96*7*).

Thanks a lot in advance!

 

[Joe_57]

Hi Fritsy,

I want to grant access for others to the webinterface...

That makes absulutly no sense.
So everyone has the possibility to reconfiger YOUR Box, including password changing.

Why do You want to have an open web interface? :noidea:

Joe

 

[Fritsy]

The webinterface is only locally accessible. So all the others are people on the local network.
Also i don't want the webinterface to be open because there is a password configured for both the webinterface and telnet. All i want is to make them different or disable telnet completely.

 

[Joe_57]

So:

What type of box?
What firmware / annex is installed currently?

And again:
Why shold the web interface be open locally????

Joe

 

[Fritsy]

Ow, FB 7170 Annex A, firmware 58.04.57.
I want the webinterface "open" (password protected) locally so users can edit portforwards etc. and view the calllist.
I will use a custom webinterface (via http://trac.freetz.org/wiki/help/howtos/development/repack_fw) to prevent local users form editing passwords etc.
I don't want them to access telnet because then all the modifications to the webinterface have no use. So i want a different telnet password or no telnet at all.
Hope this makes it clearer.

 

[Fritsy]

Is it perhaps possible to block access to port 23 for local/all traffic with the firewallsettings?

 

[RalfFriedl]

You can replace the password verification program, or, if you want to use (parts of) Freetz anyway, Freetz uses the password from /etc/shadow, which is independant of the web password.

 

[Fritsy]

You can replace the password verification program, or, if you want to use (parts of) Freetz anyway, Freetz uses the password from /etc/shadow, which is independant of the web password.

Thanks for your reply.
Yes i am now using Freetz to unpack the firmware, edit the html files and pack the firmware again.
If i load my current firmware (generated by Freetz) into the FB then the password of the webinterface is equal to the password of telnet.
If i change the password (via System->FRITZ!Box Password) then that new password is also the telnet password.
So can you explain what the 'shadow'' file does exactly? How does it make the webinterface password independent of the telnet password?

Here is my shadow file:

root:*:12332:0:99999:7:::

 

[RalfFriedl]

The AVM Firmware uses the option -l for telnetd to call /sbin/ar7login after connect:

        -l LOGIN        Exec LOGIN on connect

This program can be used to verify the login password. /sbin/ar7login uses the password from the web interface.

Freetz replaces this with login (/bin/login), which must be present in the busybox. (Actually /sbin/ar7login is replaced with a script that calls login).
The password can be changed with the passwd command (which should also be configured in the busybox).
The passwd command replaces the '*' in /etc/shadow with an encrypted version of the password.

You can also use your own script to verify a password.

 

[Fritsy]

These solutions seem very difficult. Is it possible to block Telnet access to the FritzBox with a simple firewall rule?
Something like; reject tcp any host 192.168.178.1 eq 23?

 

[Fritsy]

Does anyone know if there is a simple solution to block telnet access to the fritzbox but keep the webinterface accessible?

 

[RalfFriedl]

As I already wrote: remove /sbin/ar7login or replace it with /bin/false or something like that.