[nos-bbs] Telnet password management

Michael E Fox - N6MEF n6mef at mefox.org
Tue Dec 2 15:33:44 EST 2014


Hi Jay,

Thanks.  Yes, that may be o.k. for a private LAN/WAN.  And some may find the
exposure acceptable for 44-net only traffic.  But I'd like to make Telnet
available from other nets, perhaps the Internet.  Unfortunately, our logs
show daily attempts to run port scans and other types of attacks.  So
setting univperm or even tcpperm to * is not something we want to expose
ourselves to.  

My high level idea would be a lightweight addition to jnos that would allow
an authentication server to be defined (much like we define an SMTP server
or DNS server).  Perhaps more than one can be defined, like DNS, and it will
use them in priority order.  If the server is not defined, JNOS handles
authentication locally, just like today.  If the server is defined, JNOS
attempts to contact the authentication server (or tries each of them, in
order, if multiple are defined, just like DNS).  If JNOS contacts the auth
server, then authentication is done by the auth server.  If the server is
not reachable, JNOS drops back to local authentication.  So you would define
the sysops in both places, but the regular users only on the auth server.
Users would be able to go to a website, perhaps to reset their password.

It's a pretty common model.  But I'm not enough of a JNOS or linux expert to
suggest precisely which components would be required and where. 

Michael
N6MEF

> -----Original Message-----
> From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
> Of Jay Nugent
> Sent: Tuesday, December 02, 2014 8:55 AM
> To: TAPR xNOS Mailing List
> Subject: Re: [nos-bbs] Telnet password management
> 
> Greetings Michael (et al),
>     we use a univperm setting in our ftpusers file.  This allows anyone to
> log on anywhere without having to create an account in advance.  Sure,
> it's not the most secure method, but it certainly made administering the
> network a whole lot easier!   And since nothing is truly private over
> Amateur Radio, there was nothing to keep for-your-eyes-only.
> 
>     In over 2 decades of doing this we have not had any issues with people
> logging into other peoples accounts and doing harm.  Maybe the user base
> is just not that interested or smart???   We *DID* set the sysop accounts
> to REQUIRE an actual password.  But that is a much smaller list that isn't
> ever changing.
> 
> 
> FTPUSERS
> --------
> #
> # --- SYSOPS ---
> wb8tkl password / 0x4407f
> wb8glq password / 0x4407f
> kb8vyq password / 0x4407f
> #
> # --- SPECIAL ---
> univperm  * /public 262203
> #
> #
> 
> 
>     Have fun!
>        --- Jay Nugent  WB8TKL
>            Ypsilanti, Michigan
>            Michigan AMPRnet
> 
> 
> 
> On Tue, 2 Dec 2014, Michael E Fox - N6MEF wrote:
> 
> > All,
> >
> >
> >
> > I'd like to expand the use of telnet into JNOS.  But that's just not going
> > to happen with the current password management paradigm of editing a text
> > file on each machine every time I need to add a user or change someone's
> > password.  Managing new users over multiple machines is reason enough to
> > make this a non-starter for me.  But changing passwords and responding to
> > forgotten password queries over multiple machines is liable to be an even
> > bigger problem.
> >
> >
> >
> > Has anyone thought about how JNOS might be coupled with other linux services
> > such as RADIUS so that:
> >
> > -- user logins could be created in one place for multiple machines
> >
> > -- users could update their own passwords and that update would apply to
> > multiple machines
> >
> > -- A "Forgotten password" reset function would be available to all, instead
> > of having to go to the sysop each time.
> >
> > -- The overall solution is not so complicated that it's harder to manage
> > than JNOS itself.
> >
> >
> >
> > If so, what does a practical solution look like?
> >
> >
> >
> > Michael
> >
> > N6MEF
> >
> >
> 
> --
> 
>          () ascii ribbon campaign in
>          /\ support of plain text e-mail
> 
>   o Averaging at least 3 days of MTBWTF!?!?!?
>   o The solution for long term Internet growth is IPv6.
>   o "To compel a man to furnish funds for the propagation of ideas he
>      disbelieves and abhors is sinful and tyrannical." -Thomas Jefferson
> +------------------------------------------------------------------------+
> | Jay Nugent   jjn at nuge.com    (734)484-5105    (734)649-0850/Cell       |
> |   Nugent Telecommunications  [www.nuge.com]                            |
> |   Internet Consulting/Linux SysAdmin/Engineering & Design              |
> | ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
> +------------------------------------------------------------------------+
>   19:01:01 up 2 days, 23:49,  2 users,  load average: 0.35, 0.54, 0.75
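The login flow Michael sketches above (try each configured authentication server in priority order, fall back to local authentication only when none can be reached, with sysops defined in both places and regular users only on the server), written out as an added illustration that is not part of this thread or of JNOS. The server client, the user tables and the passwords are all constructed for the example; the one point it adds is that a server's rejection is final and must not fall through to the local table.

```python
import hmac

# Constructed sample tables. Passwords are plaintext only to keep the
# illustration short; a real store would hold salted hashes.
LOCAL_USERS = {"sysop1": "sysop-secret"}                            # sysops: local AND server
AUTH_SERVER_USERS = {"sysop1": "sysop-secret", "user1": "user-pw"}  # regular users: server only


class ServerUnreachable(Exception):
    """The auth server could not be contacted (timeout, refused, down)."""


def _match(table, user, password):
    """Constant-time comparison of the supplied password with the stored one."""
    stored = table.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def make_server(users, reachable=True):
    """Hypothetical auth-server client (stands in for e.g. a RADIUS call):
    returns an accept/reject verdict, or raises ServerUnreachable."""
    def check(user, password):
        if not reachable:
            raise ServerUnreachable
        return _match(users, user, password)
    return check


def authenticate(user, password, servers, local_users=LOCAL_USERS):
    """Try the servers in priority order, like a DNS server list.

    The first reachable server's verdict is final: a rejection never falls
    through to the local table, otherwise a wrong password would simply get
    a second try against the local file. Local authentication is used only
    when no server answered at all.
    """
    for check in servers:
        try:
            return ("server", check(user, password))
        except ServerUnreachable:
            continue  # this server is down; try the next one
    return ("local", _match(local_users, user, password))
```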