Friday, April 9, 2010

Create and Manage Telnet users

Windows Embedded CE is provided with a Telnet server, that you can use on your target to access it from the network. This Telnet service can work in two different modes :

  1. without authentication : anybody connecting to the Telnet have access to the target
  2. with authentication enable : only trusted user with password have access to the target

Enable Telnet Server :
In your OSDesign, select the Telnet Server component located in :
Core OS -> CEBASE -> Communication Services and Networking -> Servers -> Telnet Server

Disable authentication :
Simply add the following lines to your project.reg to disable service authentication. All users then will have access to the service as no credential will be requested.
[HKEY_LOCAL_MACHINE\COMM\TELNETD]
"IsEnabled"=dword:1
"UseAuthentication"=dword:0

Enable authentication :
When enabling authentication, you have to add in addition to the Telnet server support, the NTLM component located in :
Core OS -> CEBASE -> Security -> Authentication Services (SSPI) -> NTLM
And you also have to add in registry the list of users that will have access to the service. Users can be classified by groups of users (check MSDN for details).
[HKEY_LOCAL_MACHINE\COMM\TELNETD]
"IsEnabled"=dword:1
"UseAuthentication"=dword:1
"UserList"="Bob"

In the sample above, we are adding user named Bob, and only this user will have access to the telnet service.

Set and Change user password :
By default there is no default password for the different users defined on the system, and the password is ciphered and stored in the registry. This password cannot be set at Runtime image build time, and is usually set on first system boot. The sample code below set the password for user Bob.
#include "ntlmssp.h"

#define DEFAULT_USER L"Bob"
#define DEFAULT_NEW_PASS L"password"
...
BOOL bRet = NTLMSetUserInfo(DEFAULT_USER, DEFAULT_NEW_PASS);

if (bRet == FALSE)
RETAILMSG(1, (L"Failed to set user info"));
else
RETAILMSG(1, (L"User info updated"));
...


- Nicolas

7 comments:

Anonymous said...

Thanks!!!!!! I had problems with NTLMSetUserInfo when configuring the access to my platform’s FTP acounts. I set the UserList in the project.reg file and called the NTLMSetUserInfo(_T(“user”),_T(“password”)) to create the user, but despite the Windows CE register was modified, It didn’t work. But when I read your post I realized that I had not “Authentication Services Installed” on the platfform . I opened the catalog, and added “CoreOS>Windows CE Devices>Security>Authentication services>NTLM…”

Anonymous said...

Where to insert this code? The platform.reg, platform.bib ?

Nicolas BESSON [MVP] said...

Registry information should be stored in REG files. It is suggested to make the modification in the OSDesign related registry file : project.reg for Windows CE version prior to 7, and OSDesign.reg for version 7 and above.
The bib files are describing the content of the runtime image.

Wouptidoo said...

The code to create the user and the password... Where do I put it? do i have to create another project and insert it as a subproject?

Nicolas BESSON [MVP] said...

You have to create a subproject and add this code in. Then on the first boot, you hvae to launch the app.
Note that if you don't have registry persistency, you have to launch the app at every device boot.
You can add a Launch entry inside the registry (http://msdn.microsoft.com/en-us/library/ms901773.aspx -> Still valid for WinCE6, WEC7, and WEC2013...)

Wouptidoo said...

Wow!! Thank you SOOOOOOOOO much Nicolas. This thing was about make me crazy. You're the best :)

Pranav Sinha said...

Hi Nicolas,
I have tried the same for Windows Embedded 7 compact. It worked prety well except for 1 problem which is fine as long as I am using Hive based registry. The problem is, after setting up the security profile using NTLMSetUserInfo() function, I am able to authenticate FTP only after reboot, not in the same session. I tried to disable FTP and Telnet by default and enabled it through registry only after NTLMSetUserInfo() was executed but it din't work in the same session. I have a requirement to use RAM based registry where I need the FTP to be authenticated in the same session when I set the user profile as I will be doing it at every boot up.
Please help and suggest a way out.
Regards,
Pranav