Newsgroups: comp.os.linux.security
Subject: Re: Securing telnet
From: responder
Date: Thu, 30 Nov 2006 01:10:53 -0500


Ethan Trewhitt wrote:

> Lew Pitcher wrote:
>> Enable telnet in a chroot jail (or a virtual machine), and disable root
>> logins through the telnet session. Your TA gets his telnet, and your
>> system remains secure.
> 
> That's exactly what I'm doing at the moment. Telnet sessions start in a
> chroot dir with a barebones set of bin/ and lib/ files. Thus, telnet
> sessions are relatively benign to the server, but I'd still like to
> prevent users from gaining access in the first place. That access is
> worth points to other teams. Thanks though!

Suggestion (hypothetical): use layers.  I cannot suggest exact software or
configuration, but it's your assignment, not mine.  Do exactly what was
suggested above (and elsewhere about using non-standard ports, rotating
passphrase lists, etc.) which you said you were doing. Allow only one
login from the TA.

Immediately after successful login, disable that password for normal
login, but keep it open for a honeypot.

Any second or subsequent login attempts with that passphrase, put them
into a honeypot, and get whatever info on them you can.  If you can get
info to "back-crack" them from the honeypot, those are points for you.

Require a second layer, challenge response authentication.

Immediately after login and second layer authentication, require a
password change via (at least) Diffie-Hellman key negotiation to prevent
sniffing (or rely on a pre-established long list of one-time
passphrases). Perhaps your TA doesn't have appropriate encryption software
installed, in which case there could be more difficult but still possible
solutions to achieve the same anti-sniffing purpose.  Require strong
passphrases. If your other classmates are sniffing the TA's login and it
remains valid, they will be on you like fleas on a dog.

This all presupposes there is no MITM attack possible, in which case all
bets are off.  If it is possible in your lab LAN environment for a student
to run a MITM attack (think carefully) then set a bot, do that and crack
everyone else's logins and get an A+.  You'll either land a great job or
get put on "Homeland Security's" watchlist and never be heard from again.
;/  HSA probably doesn't like people to use the same tactics they might
think they are permitted to use.  But it's just a class assignment on a
lab LAN, right? And you can also keep screaming that it was just your
contribution to "The War On Terror", as they fly you off to some secret
prison in (...Romania...?).

Obviously, if someone can sniff and read your clear text logins they can
log right into your systems, unless other layers are in place.  (*_Don't_
leave telnet open to the world.*)

HTH.
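
The layering suggested in the post above, as an added sketch that is not part of the original post or any real telnet or PAM software: a one-time passphrase list, a honeypot verdict when a spent passphrase is reused, and a challenge-response second layer. The names `LoginGate`, `first_layer` and `second_layer`, the HMAC-SHA256 challenge-response and the sample passphrases are assumptions made for illustration; the Diffie-Hellman password change is not shown.

```python
import hashlib
import hmac
import secrets


class LoginGate:
    """Routes each login attempt to: challenge, shell, honeypot or reject."""

    def __init__(self, passphrases, shared_key):
        self._key = shared_key
        self._unused = {self._digest(p) for p in passphrases}  # digests only
        self._spent = set()
        self._pending = {}  # session id -> outstanding challenge nonce

    def _digest(self, passphrase):
        return hmac.new(self._key, passphrase.encode(), hashlib.sha256).digest()

    def first_layer(self, session, passphrase):
        d = self._digest(passphrase)
        if d in self._spent:
            return "honeypot", None  # reuse of a spent passphrase: likely sniffed
        if d not in self._unused:
            return "reject", None
        self._unused.discard(d)
        self._spent.add(d)  # valid for exactly one login
        nonce = secrets.token_bytes(16)
        self._pending[session] = nonce
        return "challenge", nonce

    def second_layer(self, session, response):
        nonce = self._pending.pop(session, None)  # a nonce is answered once
        if nonce is None:
            return "reject"
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return "shell" if hmac.compare_digest(expected, response) else "reject"


def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    gate = LoginGate(["tulip-anvil-93", "harbor-quill-17"], key)
    answer = lambda n: hmac.new(key, n, hashlib.sha256).digest()  # TA's side
    verdict, nonce = gate.first_layer("s1", "tulip-anvil-93")
    return [
        verdict,
        gate.second_layer("s1", answer(nonce)),
        gate.first_layer("s2", "tulip-anvil-93")[0],  # replayed passphrase
        gate.second_layer("s1", answer(nonce)),  # replayed response
        gate.first_layer("s3", "guess")[0],
    ]
```

The shared key never crosses the wire, so a captured passphrase alone reaches only the honeypot verdict and a captured response is useless against a fresh nonce.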

