
Telnet password different than webinterface password

This thread in the forum "FRITZ!Box Fon: Modifikationen" was created by Fritsy, 5 Jan. 2009.

  1. Fritsy

    Fritsy New User

    Registered since:
    3 Nov. 2008
    Posts:
    21
    Likes:
    0
    Trophy points:
    0
    Hi,

    Is it possible to change the telnet password but not the webinterface password?
    I want to grant access for others to the webinterface but NOT to telnet.

    It is of course possible to deactivate telnet but it's very easy to activate again so that won't do.

    If the password change isn't possible then is it possible to change/deactivate the telnet activation code (#96*7*)?

    Thanks a lot in advance!
     
  2. Joe_57

    Joe_57 IPPF celebrity

    Registered since:
    5 March 2006
    Posts:
    4,853
    Likes:
    40
    Trophy points:
    48
    Hi Fritsy,
    That makes absolutely no sense.
    So everyone has the possibility to reconfigure YOUR Box, including password changing. :mad:

    Why do you want to have an open web interface? :noidea:

    Joe
     
  3. Fritsy

    The webinterface is only locally accessible. So all the others are people on the local network.
    Also I don't want the webinterface to be open because there is a password configured for both the webinterface and telnet. All I want is to make them different or disable telnet completely.
     
  4. Joe_57

    So:

    What type of box?
    What firmware / annex is installed currently?

    And again:
    Why should the web interface be open locally????

    Joe
     
  5. Fritsy

    Ow, FB 7170 Annex A, firmware 58.04.57.
    I want the webinterface "open" (password protected) locally so users can edit port forwards etc. and view the call list.
    I will use a custom webinterface (via http://trac.freetz.org/wiki/help/howtos/development/repack_fw) to prevent local users from editing passwords etc.
    I don't want them to access telnet because then all the modifications to the webinterface have no use. So I want a different telnet password or no telnet at all.
    Hope this makes it clearer.
     
  6. Fritsy

    Is it perhaps possible to block access to port 23 for local/all traffic with the firewall settings?
     
  7. RalfFriedl

    RalfFriedl IPPF veteran

    Registered since:
    22 Apr. 2007
    Posts:
    12,343
    Likes:
    0
    Trophy points:
    0
    You can replace the password verification program, or, if you want to use (parts of) Freetz anyway, Freetz uses the password from /etc/shadow, which is independent of the web password.
     
  8. Fritsy

    Thanks for your reply.
    Yes, I am now using Freetz to unpack the firmware, edit the html files and pack the firmware again.
    If I load my current firmware (generated by Freetz) into the FB then the password of the webinterface is equal to the password of telnet.
    If I change the password (via System->FRITZ!Box Password) then that new password is also the telnet password.
    So can you explain what the 'shadow' file does exactly? How does it make the webinterface password independent of the telnet password?

    Here is my shadow file:
     
  9. RalfFriedl

    The AVM Firmware uses the option -l for telnetd to call /sbin/ar7login after connect:
    Code:
            -l LOGIN        Exec LOGIN on connect
    
    This program can be used to verify the login password. /sbin/ar7login uses the password from the web interface.

    Freetz replaces this with login (/bin/login), which must be present in the busybox. (Actually /sbin/ar7login is replaced with a script that calls login).
    The password can be changed with the passwd command (which should also be configured in the busybox).
    The passwd command replaces the '*' in /etc/shadow with an encrypted version of the password.

    You can also use your own script to verify a password.
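
What the '*' in /etc/shadow means for the login step described in the post above, as an added example that is not part of the original post or of Freetz: a POSIX shell function that reports whether an account's password field is locked, empty or hashed. The function name `shadow_status` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of one account in a
# shadow-format file ("name:password:lastchg:...").
# Prints one of: missing, locked, empty, hashed:<scheme>
shadow_status() {
    file=$1; user=$2
    # Exact match on field 1, so the user name is never treated as a regex.
    field=$(awk -F: -v u="$user" \
        '$1 == u { print $2; found = 1; exit } END { if (!found) exit 2 }' \
        "$file") || { echo missing; return 1; }
    case $field in
        '')        echo empty ;;               # login asks for no password
        '*'*|'!'*) echo locked ;;              # no password can ever match
        '$1$'*)    echo hashed:md5-crypt ;;
        '$5$'*)    echo hashed:sha256-crypt ;;
        '$6$'*)    echo hashed:sha512-crypt ;;
        '$'*)      echo hashed:other ;;
        *)         echo hashed:des-crypt ;;    # traditional crypt(3) string
    esac
}

# Constructed sample file (not taken from a real box; the hash is a dummy).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:0:0:99999:7:::
admin:$1$CONSTRUC$ConstructedNotARealHash00:14249:0:99999:7:::
guest::14249:0:99999:7:::
EOF

# root is still at the '*' default, admin has had passwd run, guest is open.
for u in root admin guest; do
    printf '%s: %s\n' "$u" "$(shadow_status "$sample" "$u")"
done
```

An account reported as `locked` cannot log in through /bin/login until passwd has been run for it, and one reported as `empty` needs no password at all.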
     
  10. Fritsy

    These solutions seem very difficult. Is it possible to block Telnet access to the FritzBox with a simple firewall rule?
    Something like: reject tcp any host 192.168.178.1 eq 23?
     
  11. Fritsy

    Does anyone know if there is a simple solution to block telnet access to the fritzbox but keep the webinterface accessible? :eek:
     
  12. RalfFriedl

    As I already wrote: remove /sbin/ar7login or replace it with /bin/false or something like that.