Telnet 5250

This chapter contains an example of a basic Wheel Fudo PAM configuration, to monitor Telnet 5250 connections to a remote server. In this scenario, the user connects to the remote server using Telnet client and logs in using individual login and password. Wheel Fudo PAM authenticates the user against the information stored in the local database, establishes connection with the remote server and starts recording.

Note

Telnet connections do not support login credentials forwarding and login credentials substitution. When connecting to target host over telnet protocol, users are asked to provide their login credentials twice. First time to authenticate against Wheel Fudo PAM and then again, to connect to the target host.

../../_images/quickstart_overview_telnet.png

Prerequisites

Description below assumes that the system has been already initiated. For more information on the initiation procedure refer to the System initiation topic.

Configuration

../../_images/data_modeling1.png

Adding a server

Server is a definition of the IT infrastructure resource, which can be accessed over one of the specified protocols.

  1. Select Management > Servers.
  1. Click the Add button.
  2. Provide essential configuration parameters:
Parameter Value
General  
Name telnet_server
Blocked fail
Protocol Telnet 5250
Enable SSLv2 support fail
Enable SSLv3 support fail
Description fail
   
Permissions  
Granted users fail
   
Destination host  
Address 10.0.35.137
Port 23
  1. Click Save.

Adding a user

User defines a subject entitled to connect to servers within monitored IT infrastructure. Detailed object definition (i.e. unique login, full name, email address etc.) enables precise accountability of user actions when login and password are substituted with a shared account login credentials.

  1. Select Management > Users.
  2. Click Add.
  1. Provide essential user information:
Parameter Value
Login john_smith
Blocked fail
Account validity Indefinite
Role user
Preferred language English
Full name John Smith
Email john@smith.com
Organization fail
Phone fail
AD Domain fail
LDAP Base fail
Permissions  
Granted users fail
Connections  
Connections fail
Authentication  
Type Password
Password john
Repeat password john
  1. Click Save.

Adding a listener

Listener determines server connection mode (proxy, gateway, transparent, bastion) as well as its specifics.

  1. Select Management > Listeners.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name telnet_listener
Blocked fail
Protocol Telnet
Enable SSLv2 support fail
Enable SSLv3 support fail
   
Permissions  
Granted users fail
   
Connection  
Mode proxy
Local address 10.0.150.151
Port 23
  1. Click Save.

Adding an account

Account defines the privileged account existing on the monitored server. It specifies the actual login credentials, user authentication mode: anonymous (without user authentication), regular (with login credentials substitution) or forward (with login and password forwarding); password changing policy as well as the password changer itself.

  1. Select Management > Accounts.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name admin_telnet_server
Blocked fail
Type forward
Session recording all
OCR sessions fail
Delete session data after 61 days
   
Permissions  
Granted users fail
   
Server  
Server telnet_server
   
Credentials  
Replace secret with with password
Password fail
Repeat password fail
  1. Click Save.

Defining a safe

Safe directly regulates user access to monitored servers. It specifies available protocols’ features, policies and other details concerning users and servers relations.

  1. Select Management > Safes.
  2. Click Add.
  1. Provide essential configuration parameters:
Parameter Value
General  
Name telnet_safe
Blocked fail
Login reason fail
Notifications fail
Policies fail
   
Protocol functionality  
RDP fail
SSH fail
VNC fail
   
Permissions  
Granted users fail
   
Objects relations  
Users john_smith
Accounts admin_telnet_server
Listeners telnet_listener
  1. Click Save.

Establishing a telnet connection with the remote host

  1. Launch telnet client of your choice.

  2. Connect to the remote host:

    telnet> open 10.0.150.151
    Trying 10.0.150.151...
    Connected to 10.0.150.151.
    Escape character is '^]'.
    
  3. Provide user authentication information defined on Wheel Fudo PAM:

../../_images/fudo_authentication.png
  1. Provide user authentication information defined on the target host:

    FreeBSD/amd64 (fbsd83-cerb.whl) (pts/0)
    login:
    password:
    

Note

Telnet connections do not support user credentials substitution.

../../_images/telnet_connected.png

Viewing user’s session

  1. Open a web browser and go to the 10.0.150.151 web address.
  2. Enter the login and the password to log in to the Wheel Fudo PAM administration panel.
  1. Select Management > Sessions.
  2. Click Active.
  3. Find John Smith’s session and click i.
../../_images/telnet_player.png

Related topics: