• SSH

    From Hustler@VERT to All on Saturday, March 05, 2016 07:37:54
    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be very insecure?

    HusTler

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Mro@VERT/BBSESINF to Hustler on Saturday, March 05, 2016 11:59:30
    Re: SSH
    By: Hustler to All on Sat Mar 05 2016 07:37 am

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be
    very insecure?


    so what if it's insecure. nobody is doing anything illegal on my bbses.

    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all prefer telnet.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Doctor Who@VERT/THE5THD to Hustler on Saturday, March 05, 2016 21:56:11
    Re: SSH
    By: Hustler to All on Sat Mar 05 2016 07:37 am

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be very insecure?

    HusTler

    I've tried to enable it because I take security very seriously. And, contrary to the opinions of others, it doesn't matter if you are doing anything illegal or not. Good security should be a standard practice. You wouldn't mail a letter without an envelope, would you? You wouldn't leave your social security card lying on the coffee table where anyone could see it, would you? You wouldn't post your credit card number online where just anyone could see it, would you? I'm sure that you understand my point and don't need a lecture on security; that's why you're asking the question.

    In any case, to get back to your question, I've not had success in enabling it. I do have HTTPS enabled for the webserver, but SSH doesn't seem to be working properly (though RLOGIN does seem to be working). I'm running Linux which has an SSH server enabled by default, so I thought perhaps it was a conflict between my system's SSH daemon and synchronet's implementation, so I changed the assigned port from 22 to 222, and I still got a "connection refused" message when attempting to connect. Same thing when I moved my system's SSH port to 222 and let Synchronet have port 22. So, unless I'm the only one having this problem, it may be an issue that needs to be resolved with Synchronet. But I've had a long list of to-dos in configuring my BBS, so I haven't yet sought out any help in solving this particular issue. I suppose for the time being, at least with my site, the most secure way would be to connect to the website and use the flash telnet client because that connection would be secured with HTTPS (in fact I have the site configured to require HTTPS).

    ---
    þ Synchronet þ The 5th Dimension: A blast from the past - A vision of the future -- the5thd.syn
  • From HusTler@VERT/DIGDIST to Doctor Who on Sunday, March 06, 2016 01:39:43
    Re: SSH
    By: Doctor Who to Hustler on Sat Mar 05 2016 21:56:11

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to
    be very insecure?

    In any case, to get back to your question, I've not had success in enabling it. I do have HTTPS enabled for the webserver, but SSH doesn't seem to be working properly (though RLOGIN does seem to be working). I'm

    I asked because security seems to be a major issue these days. I don't have a problem with telnet because I don't do anything on a BBS that's even close to illegal. It just seems to me a BBS offering SSH connections would be more of a draw for users. Especially paranoid users. Of all the boards I'm on I can only connect to 3 using SSH. I was just curious as to why so many others don't have it set up. I agree good security should be practiced by everyone.

    HusTler

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Trailboss@VERT/BR-RANCH to Doctor Who on Sunday, March 06, 2016 10:43:15
    Re: SSH
    By: Doctor Who to Hustler on Sat Mar 05 2016 09:56 pm

    Re: SSH
    By: Hustler to All on Sat Mar 05 2016 07:37 am

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be very insecure?

    HusTler

    I've tried to enable it because I take security very seriously. And, contrary to the opinions of others, it doesn't matter if you are doing anything illegal or not. Good security should be a standard practice. You wouldn't mail a letter without an envelope, would you? You wouldn't leave your social security card lying on the coffee table where anyone could see it, would you? You wouldn't post your credit card number online where just anyone could see it, would you? I'm sure that you understand my point and don't need a lecture on security; that's why you're asking the question.

    In any case, to get back to your question, I've not had success in enabling it. I do have HTTPS enabled for the webserver, but SSH doesn't seem to be working properly (though RLOGIN does seem to be working). I'm running Linux which has an SSH server enabled by default, so I thought perhaps it was a conflict between my system's SSH daemon and synchronet's implementation, so I changed the assigned port from 22 to 222, and I still got a "connection refused" message when attempting to connect. Same thing when I moved my system's SSH port to 222 and let Synchronet have port 22. So, unless I'm the only one having this problem, it may be an issue that needs to be resolved with Synchronet. But I've had a long list of to-dos in configuring my BBS, so I haven't yet sought out any help in solving this particular issue. I suppose for the time being, at least with my site, the most secure way would be to connect to the website and use the flash telnet client because that connection would be secured with HTTPS (in fact I have the site configured to require HTTPS).


    I just started using Synchronet on my system. I have the same problem and I am running on Linux. When I look at my files I am seeing "Error creating TLS certificate: cryptlib error -22 at ssl.c:102" and it does not listen on the socket on port 2222 that I have set in my config.

    I have a lot of other things to work on right now so it is not as big of a problem but would like to get it working soon.

    Michael Deig
    Sysop
    Bufkin Ridge Ranch

    ---
    þ Synchronet þ BR-Ranch BBS - telnet://bbs.br-ranchbbs.com http://www.br-ranch.com
  • From Mro@VERT/BBSESINF to Doctor Who on Sunday, March 06, 2016 16:29:48
    Re: SSH
    By: Doctor Who to Hustler on Sat Mar 05 2016 09:56 pm

    wouldn't mail a letter without an envelope, would you? You wouldn't leave your social security card lying on the coffee table where anyone could see it, would you? You wouldn't post your credit card number online where just anyone could see it, would you? I'm sure that you understand my point and don't need a lecture on security; that's why you're asking the question.

    In any case, to get back to your question, I've not had success in enabling


    you are comparing apples and oranges.
    also if someone's account is compromised on a bbs, nothing is lost.
    conflict between my system's SSH daemon and synchronet's implementation, so I changed the assigned port from 22 to 222, and I still got a "connection refused" message when attempting to connect. Same thing when I moved my system's SSH port to 222 and let Synchronet have port 22. So, unless I'm
    the only one having this problem, it may be an issue that needs to be resolved with Synchronet. But I've had a long list of to-dos in configuring

    my ssh server for the bbs runs on 2200.
    you should check your firewall rules.

    issue. I suppose for the time being, at least with my site, the most secure way would be to connect to the website and use the flash telnet client because that connection would be secured with HTTPS (in fact I have the
    site configured to require HTTPS).

    you guys spend so much time thinking about security. worry about getting some fucking users first.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Doctor Who on Sunday, March 06, 2016 16:34:49
    Re: SSH
    By: Doctor Who to Hustler on Sat Mar 05 2016 09:56 pm

    by the way, your tagline is too long and you are truncating your url

    and your bbs is hanging up on users because of an event that's not running.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Vk3jed@VERT/FREEWAY to HusTler on Monday, March 07, 2016 09:13:00
    HusTler wrote to Doctor Who <=-

    In any case, to get back to your question, I've not had success in enabling it. I do have HTTPS enabled for the webserver, but SSH doesn't seem to be working properly (though RLOGIN does seem to be working). I'm

    I asked because security seems to be a major issue these days. I don't have a problem with telnet because I don't do anything on a BBS that's even close to illegal. It just seems to me a BBS offering SSH connections would be more of a draw for users. Especially paranoid users. Of all the boards I'm on I can only connect to 3 using SSH. I was just curious as to why so many others don't have it set up. I agree good security should be practiced by everyone.

    I just checked my system. As I expected, SSH is working, albeit on a non-standard port (I had to move it because I have sshd listening on 22). I didn't do anything special from memory, other than changing the SSH port for Synchronet, so I don't understand why other Synchronet systems don't seem to be running SSH. It's dead simple to enable.

    I normally use rlogin, because I'm logging in across the wired LAN (and if someone's listening there, I have bigger problems! :) ), and figured I might as well save the Pi the overheads of encryption for that link. Logging in from remote sites, SSH would be preferable. I may be trying that one out on the weekend while I'm away. :)
    ... Click...click...click...Damn, out of taglines again!
    --- MultiMail/Win32 v0.49
    þ Synchronet þ Freeway BBS in Bendigo, Australia.
  • From Doctor Who@VERT/THE5THD to HusTler on Sunday, March 06, 2016 17:50:33
    Re: SSH
    By: HusTler to Doctor Who on Sun Mar 06 2016 01:39 am

    I asked because security seems to be a major issue these days. I don't have a problem with telnet because I don't do anything on a BBS that's even close to illegal. It just seems to me a BBS offering SSH connections would be more of a draw for users. Especially paranoid users. Of all the boards I'm on I can only connect to 3 using SSH. I was just curious as to why so many others don't have it set up. I agree good security should be practiced by everyone.

    HusTler

    Which BBSs? Maybe I should get in touch with the sysops and see if they know something I don't.

    I've been looking into the matter, and it is possible to enable authentication and encryption on telnet. But because ssh exists, there seems to be almost no interest in anyone actually implementing any of
    the authentication or encryption standards on either the client or server side. You can check the Wikipedia article on telnet and see what I mean. There's a long list of proposed standards for telnet, but
    none of them were ever officially adopted, and almost no one has even attempted to implement any of them.

    In any case, some people will not take security seriously until after something bad has personally affected them. But the proverb is true: an ounce of prevention is worth a pound of cure.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to Trailboss on Sunday, March 06, 2016 17:53:25
    Re: SSH
    By: Trailboss to Doctor Who on Sun Mar 06 2016 10:43 am

    I just started using Synchronet on my system. I have the same problem and I am running on Linux. When I look at my files I am seeing "Error creating TLS certificate: cryptlib error -22 at ssl.c:102" and it does not listen on the socket on port 2222 that I have set in my config.

    I have a lot of other things to work on right now so it is not as big of a problem but would like to get it working soon.

    Michael Deig
    Sysop
    Bufkin Ridge Ranch

    I had the same problem. Deuce advised me to delete ../ctrl/ssl.cert so that it could be recreated by Synchronet. I tried doing so, and it did fix my problem with Synchronet not supporting https on the website, but it did nothing for enabling ssh.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to Mro on Sunday, March 06, 2016 18:27:01
    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 04:29 pm

    you are comparing apples and oranges.
    also if someone's account is compromised on a bbs, nothing is lost.

    In my examples, physical media are used, and online the medium is digital, but the basic principle is the same. People generally don't want private things to become public knowledge. Granted, most things online are public and should be considered public unless it's dealing with something like credit card transactions -- something which is quite common.

    you guys spend so much time thinking about security. worry about getting some fucking users first.

    I run my BBS as a hobby, and I do it because I enjoy it. Of course I'd like to increase my user base; that's part of the fun -- sharing the experience with others. It's about communication and relationships. But if I want people to use my BBS, I have to offer them something they consider valuable. I personally consider security to be important, and I want my users to know I take it seriously. That is one of the things I want to offer that many users would consider valuable. Users will come in time if they consider the service valuable, but I believe I should be proactive instead of trying to fix things after the fact.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to Mro on Sunday, March 06, 2016 18:27:34
    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 04:34 pm

    by the way, your tagline is too long and you are truncating your url
    and your bbs is hanging up on users because of an event that's not running.

    Thanks for the heads up. I'll shorten it.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Nightfox@VERT/DIGDIST to Mro on Sunday, March 06, 2016 16:44:41
    Re: SSH
    By: Mro to Hustler on Sat Mar 05 2016 11:59:30

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to
    be very insecure?

    so what if it's insecure. nobody is doing anything illegal on my bbses.

    SSH isn't primarily for hiding illegal activity.. It's more about keeping your password & online activity safe from people who might want to listen in. Although probably nobody would really care about watching someone's BBS activity, encrypting the connection via SSH doesn't hurt either..

    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all prefer telnet.

    I'm not really sure how telnet is really any more convenient than SSH. You don't really need to configure the connection very differently than telnet besides changing the setting to use SSH. That's not so hard to do..

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Mro on Sunday, March 06, 2016 16:48:19
    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 16:29:48

    also if someone's account is compromised on a bbs, nothing is lost.

    except perhaps for their password, which a user might care about..

    you guys spend so much time thinking about security. worry about getting some fucking users first.

    Even if a BBS user account doesn't really contain much valuable information, it doesn't hurt to allow users to use SSH & such if they want to.. I don't really see the harm in that..

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Hustler on Sunday, March 06, 2016 16:50:28
    Re: SSH
    By: Hustler to All on Sat Mar 05 2016 07:37:54

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be very insecure?

    I offer SSH on my BBS in case there are users who want to use it. You're right, telnet is insecure since everything is transmitted in plain text. I'm not sure why a sysop would not offer it if their BBS software supports it. With Synchronet it's about as easy as flipping a switch (actually it's easier, since SSH is enabled by default). You just have to ensure the port is forwarded in your router, same with telnet.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Vk3jed@VERT/FREEWAY to Mro on Monday, March 07, 2016 14:25:00
    Mro wrote to Doctor Who <=-

    you guys spend so much time thinking about security. worry about
    getting some fucking users first.

    LOL I'm the only user my BBS is intended for, though if others find it useful, then they're welcome to log in and use it. :)
    ... Heisenberg may have slept here.
    --- MultiMail/Win32 v0.49
    þ Synchronet þ Freeway BBS in Bendigo, Australia.
  • From Vk3jed@VERT/FREEWAY to Nightfox on Monday, March 07, 2016 14:30:00
    Nightfox wrote to Mro <=-

    SSH isn't primarily for hiding illegal activity.. It's more about
    keeping your password & online activity safe from people who might want
    to listen in. Although probably nobody would really care about watching someone's BBS activity, encrypting the connection via SSH doesn't hurt either..

    Agree, it is good practice. Synchronet has SSH capability, so why not use it. I'm not sure why others are having problems enabling SSH, mine worked out of the box (other than the port change I mentioned).

    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all prefer telnet.

    I'm not really sure how telnet is really any more convenient than SSH.
    You don't really need to configure the connection very differently than telnet besides changing the setting to use SSH. That's not so hard to do..

    I think it's a simple matter of habit. Syncterm supports all 3 protocols, so if you're using Syncterm, then it's a simple settings change. I'll use SSH over the Internet. As I said, only reason I use rlogin is the connection is over the wired LAN and I might as well save the Pi a few cycles. I can't accidentally use rlogin over the Internet, this is a desktop PC. On the laptop, I'll be using SSH. :)
    ... Oh, I almost forgot . . . It's absolutley VITAL to insta
    --- MultiMail/Win32 v0.49
    þ Synchronet þ Freeway BBS in Bendigo, Australia.
  • From Vk3jed@VERT/FREEWAY to Nightfox on Monday, March 07, 2016 14:33:00
    Nightfox wrote to Hustler <=-

    I offer SSH on my BBS in case there are users who want to use it.
    You're right, telnet is insecure since everything is transmitted in
    plain text. I'm not sure why a sysop would not offer it if their BBS software supports it. With Synchronet it's about as easy as flipping a switch (actually it's easier, since SSH is enabled by default). You
    just have to ensure the port is forwarded in your router, same with telnet.

    I didn't have to forward anything, my BBS has a public IP, as well as a private one. Only change I had to make was move SSH to a non-standard port, because I'm running on a Pi and use sshd for administration. I may think about swapping sshd and Synchronet, in case I get users wanting SSH.
    ... Rock is Dead. Long live Paper and Scissors!
    --- MultiMail/Win32 v0.49
    þ Synchronet þ Freeway BBS in Bendigo, Australia.
  • From Mro@VERT/BBSESINF to Trailboss on Sunday, March 06, 2016 22:50:06
    Re: SSH
    By: Trailboss to Doctor Who on Sun Mar 06 2016 10:43 am

    I just started using Synchronet on my system. I have the same problem and I am running on Linux. When I look at my files I am seeing "Error creating TLS certificate: cryptlib error -22 at ssl.c:102" and it does not listen on the socket on port 2222 that I have set in my config.

    I have a lot of other things to work on right now so it is not as big of a problem but would like to get it working soon.



    i believe that nolageek had some issue with it but he didnt want to trouble shoot it with me or anybody else.

    what version of synchronet are you running? what version number.

    i am running synchronet 3.15x on windows and 3.16 on linux and ssh is working for me.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Doctor Who on Sunday, March 06, 2016 22:54:02
    Re: SSH
    By: Doctor Who to HusTler on Sun Mar 06 2016 05:50 pm


    In any case, some people will not take security seriously until after something bad has personally affected them. But the proverb is true: an ounce of prevention is worth a pound of cure.

    you have to factor in the risks. you shouldnt even be using synchronet if you are so demanding of security because the passwords are stored in plain text.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Doctor Who on Sunday, March 06, 2016 22:55:19
    Re: SSH
    By: Doctor Who to Trailboss on Sun Mar 06 2016 05:53 pm

    I had the same problem. Deuce advised me to delete ../ctrl/ssl.cert so that it could be recreated by Synchronet. I tried doing so, and it did fix my problem with Synchronet not supporting https on the website, but it did nothing for enabling ssh.


    i dont even have ssl.cert in sbbs/ctrl so it's probably not related to ssh
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Doctor Who on Sunday, March 06, 2016 23:00:16
    Re: SSH
    By: Doctor Who to Mro on Sun Mar 06 2016 06:27 pm


    you are comparing apples and oranges.
    also if someone's account is compromised on a bbs, nothing is lost.

    In my examples, physical media are used, and online the medium is digital, but the basic principle is the same. People generally don't want private things to become public knowledge. Granted, most things online are public and should be considered public unless it's dealing with something like credit card transactions -- something which is quite common.


    what private things are you talking about? bbses are not private.
    this very conversation is being put on the internet 100 times over thanks
    to the synchronet web interface. some of these subs are being gated to fidonet and usenet.

    I run my BBS as a hobby, and I do it because I enjoy it. Of course I'd like

    boy i never heard that before. oh wait, you sound like one of those guys i've seen come and go for the past 20+ years.

    and how is it your hobby when you didnt even do any modifications to your bbs? isnt a hobby something you work on?

    valuable. I personally consider security to be important, and I want my users to know I take it seriously. That is one of the things I want to

    what are you doing with your bbs?
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Sunday, March 06, 2016 23:02:32
    Re: SSH
    By: Nightfox to Mro on Sun Mar 06 2016 04:44 pm


    so what if it's insecure. nobody is doing anything illegal on my
    bbses.

    SSH isn't primarily for hiding illegal activity.. It's more about keeping your password & online activity safe from people who might want to listen in. Although probably nobody would really care about watching someone's BBS activity, encrypting the connection via SSH doesn't hurt either..

    i dont think anybody gives a fuck what joe blow is doing in l.o.r.d on my bbs.

    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all prefer telnet.

    I'm not really sure how telnet is really any more convenient than SSH. You don't really need to configure the connection very differently than telnet besides changing the setting to use SSH. That's not so hard to do..


    i dont know, why dont you research it. the numbers dont lie. everyone gets more telnet callers than rlogin and ssh.

    visit an active bbs and ask the sysop for the stats.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Sunday, March 06, 2016 23:03:42
    Re: SSH
    By: Nightfox to Mro on Sun Mar 06 2016 04:48 pm

    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 16:29:48

    also if someone's account is compromised on a bbs, nothing is lost.

    except perhaps for their password, which a user might care about..


    so whats the big issue with that? someone will login as another user and play l.o.r.d for him?

    i think you guys are taking the hypotheticals to a new level here. we're talking about bbses. most people dont give one shit about bbses.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Vk3jed on Sunday, March 06, 2016 23:04:32
    Re: Re: SSH
    By: Vk3jed to Mro on Mon Mar 07 2016 02:25 pm

    Mro wrote to Doctor Who <=-

    you guys spend so much time thinking about security. worry about getting some fucking users first.

    LOL I'm the only user my BBS is intended for, though if others find it useful, then they're welcome to log in and use it. :)


    well, you are doing it wrong. bbses are supposed to be ran for the users.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Vk3jed on Sunday, March 06, 2016 23:06:12
    Re: Re: SSH
    By: Vk3jed to Nightfox on Mon Mar 07 2016 02:30 pm

    I think it's a simple matter of habit. Syncterm supports all 3 protocols, so if you're using Syncterm, then it's a simple settings change. I'll use SSH over the Internet. As I said, only reason I use rlogin is the connection is over the wired LAN and I might as well save the Pi a few


    here's another angle. some people dont want to be forced to use another client when they have a client they enjoy.

    i prefer mtelnet for windows. so do a few other people i know. i'm not sure if netrunner supports ssh now, i'm not a fan of it.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Vk3jed@VERT/FREEWAY to Mro on Monday, March 07, 2016 17:21:00
    Mro wrote to Vk3jed <=-


    i prefer mtelnet for windows. so do a few other people i know. i'm not sure if netrunner supports ssh now, i'm not a fan of it.

    Netrunner only supports telnet. I use Syncterm.
    ... I know exactly what a sextet is... But I'd rather not say...
    --- MultiMail/Win32 v0.49
    þ Synchronet þ Freeway BBS in Bendigo, Australia.
  • From Gryphon@VERT/CYBERIA to Nightfox on Monday, March 07, 2016 09:47:00
    On 03/06/16, Nightfox said the following...

    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 16:29:48

    also if someone's account is compromised on a bbs, nothing is lost.

    except perhaps for their password, which a user might care about..

    Agreed. The caller's username/password might get captured in clear text.
    Then hackers can try that username/password combo on all the various popular websites, including banks. Many people use the same username/password for
    all the accounts they have.

    --- Mystic BBS v1.12 A4 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 08:51:03
    I think it's a simple matter of habit. Syncterm supports all 3 protocols, so if you're using Syncterm, then it's a simple settings change. I'll use SSH over the Internet. As I said, only reason I use rlogin is the connection is over the wired LAN and I might as well save the Pi a few


    here's another angle. some people dont want to be forced to use another client when they have a client they enjoy.

    i prefer mtelnet for windows. so do a few other people i know. i'm not sure if netrunner supports ssh now, i'm not a fan of it.

    I don't think anyone is arguing to force people to use SSH. Just enabling SSH so users can use it if they want to.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 09:03:43
    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all prefer telnet.

    I'm not really sure how telnet is really any more convenient than SSH. You don't really need to configure the connection very differently than telnet besides changing the setting to use SSH. That's not so hard to do..


    i dont know, why dont you research it. the numbers dont lie. everyone gets more telnet callers than rlogin and ssh.

    visit an active bbs and ask the sysop for the stats.

    I wasn't really arguing the numbers, just that I don't think it's much of an inconvenience to switch a connection setting to SSH.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 09:05:45
    also if someone's account is compromised on a bbs, nothing is lost.

    except perhaps for their password, which a user might care about..


    so whats the big issue with that? someone will login as another user and play l.o.r.d for him?

    Why would a user want someone else to do that?

    i think you guys are taking the hypotheticals to a new level here. we're talking about bbses. most people dont give one shit about bbses.

    I'm not sure it's worth getting so worked up over this.. It's not hard for a sysop to enable SSH on the BBS in case users want to use it, and if some users want to use it, it's not hard to change their connection setting to SSH (if they're using an SSH-capable client).

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Hustler@VERT/EWBBS to Nightfox on Monday, March 07, 2016 08:12:56
    Re: SSH
    By: Nightfox to Hustler on Sun Mar 06 2016 04:50 pm

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to
    be very insecure?
    easier, since SSH is enabled by default). You just have to ensure the port is forwarded in your router, same with telnet.


    It seems the default port is 22 with the term software I use. Maybe the Sysops don't have that port open on their systems? If a user has to make private arrangements with the SysOp to log on with a non-standard port or password I don't see the point of running a BBS. Having new users logging on from all over the world was the best part of running a BBS back in the day. I notice some boards require a password for rlogin. How do new users get these passwords and ports from SysOps that use them to secure their boards?

    HusTler

    ---
    þ Synchronet þ Electronic Warfare BBS | telnet://bbs.ewbbs.net
  • From HusTler@VERT/DIGDIST to Mro on Monday, March 07, 2016 09:55:46
    Re: SSH
    By: Mro to Nightfox on Sun Mar 06 2016 23:02:32

    so what if it's insecure. nobody is doing anything illegal on my
    bbses.
    i dont think anybody gives a fuck what joe blow is doing in l.o.r.d on my bbs.


    So that means security is not an issue on BBS's? Why not just open all the ports? It's been a long time since I ran a BBS but if I started one today (and I'm not) I would want to insure my users their online security. Could this be the reason most BBS's are SysOp to Sysop? Running a BBS as a hobby would give me even more of a reason to make my BBS secure. Back in that day I learned a lot of shit running a BBS that I never would have learned without it. So you new SysOps keep working on securing your BBS. I can only speak for myself but yes I do give a shit if someone is watching me play L.O.R.D.!
    That's just my opinion....I could be wrong ;-)

    HusTler

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 10:05:16
    LOL I'm the only user my BBS is intended for, though if others find it useful, then they're welcome to log in and use it. :)


    well, you are doing it wrong. bbses are supposed to be ran for the users.

    Are you saying you think every BBS must be publicly available for anyone to use? What's the problem if someone wants to set up a BBS only for themselves to use?

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Hustler on Monday, March 07, 2016 10:08:49
    It seems the default port is 22 with the term software I use. Maybe the Sysops don't have that port open on their systems? If a user has to make private arrangements with the SysOp to log on with a non-standard port or password I don't see the point of running a BBS. Having new users logging on from all over the world was the best part of running a BBS back in the day. I notice some boards require a password for rlogin. How do new users get these passwords and ports from SysOps that use them to secure their boards?

    Eh? A sysop should at least have the telnet port open so that user can also use
    telnet.. I'm not sure where anyone said anything about restricting the BBS to only SSH?

    If a sysop wants to make SSH available, then the sysop would need to forward port 22 from the router to the BBS machine. Then a user would simply set the connection to SSH and connect.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Deuce@VERT/SYNCNIX to Trailboss on Monday, March 07, 2016 17:31:32
    Re: SSH
    By: Trailboss to Doctor Who on Sun Mar 06 2016 10:43 am

    I just started using Synchronet on my system. I have the same problem and I am running on linux. When I look at my files I am seeing "Error creating TLS certificate: cryptlib error -22 at ssl.c:102" and it does not listen on the socket on port 2222 that I have set in my config.

    Stopping Synchronet, deleting ctrl/ssl.cert and ctrl/cryptlib.key then restarting Synchronet should fix this issue.

    A new self-signed certificate and private key will be generated, so users may get a warning from their client software if they connected before.

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    Mro is an idiot. Please ignore him, we keep hoping he'll go away.
    þ Synchronet þ My Brand-New BBS (All the cool SysOps run STOCK!)
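
A check a sysop could run after the restart described above, to confirm which configured ports actually accept connections and what answers on them. This is an added example, not Synchronet code or part of the original post; the function names, the loopback test listeners and the `SSH-2.0-ExampleBBS_1.0` banner are constructed for illustration.

```python
import socket
import threading


def classify_listener(host, port, timeout=3.0):
    """Connect to host:port and report what answered.

    Returns (kind, detail) where kind is one of:
      'refused'     - nothing is listening (the "connection refused" case)
      'unreachable' - connect timed out or failed for another reason
      'ssh'         - server sent an SSH identification string (RFC 4253)
      'telnet'      - first byte was IAC (0xFF), i.e. telnet option negotiation
      'silent'      - connection accepted but no greeting before the timeout
      'other'       - something else answered, or closed without sending
    detail is the SSH identification line for 'ssh', otherwise ''.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError:
        return ("unreachable", "")
    with sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("silent", "")
        except OSError:
            return ("other", "")
    # RFC 4253 allows other lines before the identification string,
    # so look at every line of the greeting, not just the first.
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return ("ssh", line.decode("ascii", "replace"))
    if data[:1] == b"\xff":
        return ("telnet", "")
    return ("other", "")


def audit_listeners(host, expected, timeout=3.0):
    """Compare what the sysop intends on each port with what is observed.

    expected maps port number -> intended kind ('ssh', 'telnet', ...).
    The SSH banner is kept so the sysop can tell which daemon answered,
    for example the operating system's sshd rather than the BBS.
    """
    findings = []
    for port, want in sorted(expected.items()):
        kind, banner = classify_listener(host, port, timeout)
        findings.append({"port": port, "expected": want, "observed": kind,
                         "banner": banner, "ok": kind == want})
    return findings


def start_fake_listener(greeting):
    """Constructed loopback listener that sends `greeting` once, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Return a loopback port that was just released, so nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed stand-ins: an SSH greeting, a telnet negotiation
    # (IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD) and a dead port.
    ssh_port = start_fake_listener(b"SSH-2.0-ExampleBBS_1.0\r\n")
    telnet_port = start_fake_listener(b"\xff\xfb\x01\xff\xfb\x03")
    dead_port = closed_port()
    wanted = {ssh_port: "ssh", telnet_port: "telnet", dead_port: "ssh"}
    for finding in audit_listeners("127.0.0.1", wanted):
        print(finding)
```

Running it on the BBS machine and again from outside the router separates the two failure modes in this thread: "refused" locally means the BBS never bound the port, while success locally and failure from outside points at the router's port forwarding.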
  • From Mro@VERT/BBSESINF to Gryphon on Monday, March 07, 2016 20:55:36
    Re: Re: SSH
    By: Gryphon to Nightfox on Mon Mar 07 2016 09:47 am

    also if someone's account is compromised on a bbs, nothing is lost.

    except perhaps for their password, which a user might care about..

    Agreed. The caller's username/password might get captured in clear text. Then hackers can try that username/password combo on all the various
    popular websites, including banks. Many people use the same username/password for all the accounts they have.


    if they are using the same password on someone's bbs as they are on their bank's website, let them lose all their shit. they're retarded.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Monday, March 07, 2016 20:56:19
    Re: SSH
    By: Nightfox to Mro on Mon Mar 07 2016 08:51 am


    i prefer mtelnet for windows. so do a few other people i know. i'm not sure if netrunner supports ssh now, i'm not a fan of it.

    I don't think anyone is arguing to force people to use SSH. Just enabling SSH so users can use it if they want to.



    well that's easy then. the sysops that want to use ssh are using it. the ones that dont are not.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Monday, March 07, 2016 20:58:31
    Re: SSH
    By: Nightfox to Mro on Mon Mar 07 2016 09:05 am

    I'm not sure it's worth getting so worked up over this.. It's not hard for a sysop to enable SSH on the BBS in case users want to use it,

    it depends on what bbs software you are using. not everyone uses
    synchronet.


    and if some
    users want to use it, it's not hard to change their connection setting to SSH (if they're using an SSH-capable client).

    if you're a sysop that's another opening you are making to get attacked on the internet. now you have a ssh port getting bruteforced.
    just so 2 people maybe just maybe might use it a few times.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 21:17:35
    and if some
    users want to use it, it's not hard to change their connection setting to SSH (if they're using an SSH-capable client).

    if you're a sysop that's another opening you are making to get attacked on the internet. now you have a ssh port getting bruteforced.
    just so 2 people maybe just maybe might use it a few times.

    Maybe, but my BBS is all I really have on my BBS machine. To go along with your argument,
    there probably isn't anything really interesting an attacker would want from a BBS machine
    anyway.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 07, 2016 21:19:41
    Re: SSH
    By: Mro to Nightfox on Mon Mar 07 2016 20:58:31

    and if some
    users want to use it, it's not hard to change their connection setting
    to SSH (if they're using an SSH-capable client).

    if you're a sysop that's another opening you are making to get attacked on the internet. now you have a ssh port getting bruteforced.
    just so 2 people maybe just maybe might use it a few times.

    Maybe, but my BBS is all I have on my BBS machine. So to go along with your argument, there probably isn't anything that an attacker would really be interested in from a BBS machine anyway.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Darkwing@VERT to Nightfox on Monday, March 07, 2016 23:14:15
    Re: SSH
    By: Nightfox to Mro on Sun Mar 06 2016 04:48 pm

    Even if a BBS user account doesn't really contain much valuable information, it doesn't hurt to allow users to use SSH & such if they want to.. I don't really see the harm in that..

    Once I get Iniquity working on SSH I will absolutely disable telnet as an access method. If you're OK with cleartext across the 'net, then, well, you're just at a very different place than I am I guess hehe. That being said, I'm just happy I was able to ghetto-rig Iniquity online at all.

    ...darkwing!

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Darkwing@VERT to Mro on Monday, March 07, 2016 23:16:38
    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 10:54 pm

    you have to factor in the risks. you shouldnt even be using synchronet if you are so demanding of security because the passwords are stored in plain text.

    Local access to the system is way different than deciding every network your traffic passes through with full pcap is welcome to capture your data in cleartext.

    ...darkwing!

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Darkwing@VERT to Mro on Monday, March 07, 2016 23:19:13
    Re: SSH
    By: Mro to Nightfox on Sun Mar 06 2016 11:02 pm

    i dont think anybody gives a fuck what joe blow is doing in l.o.r.d on my bbs.

    And this is the attitude that is best to have. Let's face it, if the fedz want to own your PC, you're getting owned, unless you permanently disconnect from the 'net. It doesn't really bother me, because at the end of the day, I'm just not that interesting. I'm not a target for the fedz unreleased 0day because they wouldn't bother wasting it on me.

    ...darkwing!

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Darkwing@VERT to Mro on Monday, March 07, 2016 23:23:23
    Re: Re: SSH
    By: Mro to Vk3jed on Sun Mar 06 2016 11:06 pm

    here's another angle. some people dont want to be forced to use another client when they have a client they enjoy.
    i prefer mtelnet for windows. so do a few other people i know. i'm not sure if netrunner supports ssh now, i'm not a fan of it.

    Now this is a much better point... I love mtel too, but switched to syncterm as I primarily use OSX now. It's a pretty sweet terminal. I think I liked the ANSI feel of mtel a bit more, but it only runs in windows (a vm for me) which is a bummer. At least with the availability and quality of syncterm I'd be OK with disabling telnet and requiring SSH on my board.

    I find this whole conversation about why encrypt communications very interesting =)

    ...darkwing!

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Gryphon@VERT/CYBERIA to Nightfox on Tuesday, March 08, 2016 07:56:00
    On 03/08/16, Nightfox said the following...

    and if some
    users want to use it, it's not hard to change their connection setting to SSH (if they're using an SSH-capable client).

    if you're a sysop that's another opening you are making to get attacked on the internet. now you have a ssh port getting bruteforced.
    just so 2 people maybe just maybe might use it a few times.

    Maybe, but my BBS is all I really have on my BBS machine. To go along
    with your argument,
    there probably isn't anything really interesting an attacker would want from a BBS machine
    anyway.

    Other than to get on to it and install rootkits and use it as a platform to
    run DoS attacks.

    --- Mystic BBS v1.12 A4 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX
  • From bcw142@VERT/CYBERIA to All on Tuesday, March 08, 2016 10:50:00
    Seems like it's overkill to me. I'm on ssh to my house then telnet to here (cyberia). It's for anyone to read so why would I do ssh? The other thing is, so you require ssh (really will cut down the callers) you have multi-bbs
    chat and games how are you going to encrypt that? Where will it stop, when
    you have no one calling anymore?
    SSH is fine and works well, forwards X and all (as did telnet) but it's overkill for a BBS in general. It cuts communications on something you're
    trying to increase communications with. Just my quick two paragraphs worth ;)

    --- Mystic BBS v1.12 A4 (Raspberry Pi)
    * Origin: Cyberia BBS | Cyberia.Darktech.Org | Kingwood, TX
  • From Nightfox@VERT/DIGDIST to bcw142 on Tuesday, March 08, 2016 09:11:04
    Seems like it's overkill to me. I'm on ssh to my house then telnet to here (cyberia). It's for anyone to read so why would I do ssh?

    SSH is mainly to protect things like the user's password, which is sent in clear text when using telnet.

    The other thing is, so you require ssh (really will cut down the callers)

    I don't think anyone said anything about requiring SSH. Only enabling SSH
    so that users who want to use it can use it.

    you have multi-bbs chat and games how are you going to encrypt that? Where will it stop, when you have no one calling anymore?

    SSH encrypts all activity during the user's session. So you wouldn't have
    to do anything extra to encrypt more for the user..

    SSH is fine and works well, forwards X and all (as did telnet) but it's overkill for a BBS in general. It cuts communications on something you're trying to increase communications with. Just my quick two paragraphs worth ;)

    How exactly would SSH cut communications? Most sysops would probably still enable telnet in addition to SSH, so I don't really see the issue you're describing, and I don't necessarily think it's overkill for a user to want
    to protect their login credentials when logging in somewhere.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Denn@VERT/OUTWEST to Nightfox on Tuesday, March 08, 2016 07:56:13
    Re: SSH
    By: Nightfox to Mro on Mon Mar 07 2016 09:19 pm

    Maybe, but my BBS is all I have on my BBS machine. So to go along with your argument, there probably isn't anything that an attacker would really be interested in from a BBS machine anyway.

    On my BBS I use router rules to open only ports I need on each computer on my network.
    If an attacker gets in like you say there is not much he can get off my BBS machine.
    Since my BBS machine runs Windows 7 32 bit I just use remote access.

    ---
    þ Synchronet þ The Outwest BBS - outwestbbs.com - Door Games - files -Dove-net
  • From DesotoFireflite@VERT/VALHALLA to Hustler on Tuesday, March 08, 2016 12:13:21
    Re: SSH
    By: Hustler to Nightfox on Mon Mar 07 2016 08:12 am

    It seems the default port is 22 with the term software I use. Maybe the Sysops don't have that port open on their systems? If a user has to make private arrangements with the SysOp to log on with a non-standard port or password I don't see the point of running a BBS. Having new users logging on from all over the world was the best part of running a BBS back in the day. I notice some boards require a password for rlogin. How do new users

    Hi Hustler

    I had to jump in on this, as I run two systems. The main BBS is on port 23 for telnet, but since you can only have one port in use, my other system uses port 2323, but it's well documented from the main system. Some users will log into different ports if they like the system, and the sysop offers a decent place to visit. Just saying, sometimes we can't limit ourselves to just one standard port.

    C.G. Learn
    Valhalla Home Services! - Telnet://valhalla.synchro.net
    A Gamers Paradise - Over 100 Registered Online Game Doors!

    --- Old farts never die! They just smell that way...
    þ Synchronet þ Valhalla Home Services þ USA þ http://valhalla.synchro.net
  • From Doctor Who@VERT/THE5THD to Darkwing on Tuesday, March 08, 2016 21:57:20
    Re: SSH
    By: Darkwing to Nightfox on Mon Mar 07 2016 11:14 pm

    Once I get Iniquity working on SSH I will absolutely disable telnet as an access method. If you're OK with cleartext across the 'net, then, well, you're just at a very different place than I am I guess hehe. That being said, I'm just happy I was able to ghetto-rig Iniquity online at all.

    ...darkwing!

    I've thought about this, and personally I'd like to have the option to have the software display a different message to the user
    depending on what protocol they use to connect. That way, a warning message could be displayed warning that a telnet or rlogin
    client (without a secure connection) should use a more secure method to connect. And, at the sysop's option, allow them to continue
    with telnet if they wish or automatically disconnect them for their own safety. In other words, have a telnet server up so that
    people who try to connect can verify that the BBS is up and running even if that isn't allowed as a logon method.

    Of course, telnet and rlogin *can* be secure. I did find a few clients which support ssl or kerberos for telnet and kerberos for
    rlogin. There are unimplemented proposed standards for other methods, but ssl/tls and kerberos are available now. I just don't know
    of any BBS packages that offer that on the server side.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to Gryphon on Tuesday, March 08, 2016 22:02:16
    Re: Re: SSH
    By: Gryphon to Nightfox on Tue Mar 08 2016 07:56 am

    Maybe, but my BBS is all I really have on my BBS machine. To go along with your argument,
    there probably isn't anything really interesting an attacker would want from a BBS machine
    anyway.

    Other than to get on to it and install rootkits and use it as a platform to run DoS attacks.

    That's a very good point. I don't know just how much could be accomplished from a regular user account, but at the very least spam
    email could easily be sent from a hacked user account. I had an ip address from Korea trying to bruteforce my smtp server just
    yesterday.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to bcw142 on Tuesday, March 08, 2016 22:12:47
    Re: SSH
    By: bcw142 to All on Tue Mar 08 2016 10:50 am

    Seems like it's overkill to me. I'm on ssh to my house then telnet to here (cyberia). It's for anyone to read so why would I do ssh? The other thing is, so you require ssh (really will cut down the callers) you have multi-bbs chat and games how are you going to encrypt that? Where will it stop, when you have no one calling anymore?
    SSH is fine and works well, forwards X and all (as did telnet) but it's overkill for a BBS in general. It cuts communications on something you're trying to increase communications with. Just my quick two paragraphs worth ;)

    As mentioned previously, even a hacked user account can be used for at least some malicious/illegal/mischievous activity such as
    sending out spam email. Even trying to prevent that is a valid reason for taking security seriously. Quite frankly, one of the
    reasons there have been so many security breaches and security-related problems is because of this lazy attitude about security.
    There are essentially two options: switch to a more secure protocol (like ssh) or implement security measures on top of the older,
    insecure protocol. Switching to a newer, inherently secure protocol is easier on the server/admin side; implementing security
    measures on top of older, insecure protocols is easier on the user side, but someone still has to implement the protocol in the
    client software.

    The idea that security on the internet is unimportant -- even on the humble BBS -- is naivete, pure and simple. I think that within
    a few decades, barring interference from oppressive governments, secure communication will finally become the norm, and people will
    look back on this period in history and see us as naive and stupid for not taking it seriously.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Doctor Who@VERT/THE5THD to Denn on Tuesday, March 08, 2016 22:17:54
    Re: SSH
    By: Denn to Nightfox on Tue Mar 08 2016 07:56 am

    On my BBS I use router rules to open only ports I need on each computer on my network.
    If an attacker gets in like you say there is not much he can get off my BBS machine.
    Since my BBS machine runs Windows 7 32 bit I just use remote access.

    I run an emby media server on the same machine as the BBS since neither one has high CPU requirements; they coexist just fine. So I
    suppose if the BBS was hacked they could leech my movie collection. But that's not going to be very worthwhile at a 1 MB uplink.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From Mro@VERT/BBSESINF to Nightfox on Tuesday, March 08, 2016 22:49:59
    Re: Re: SSH
    By: Nightfox to Mro on Mon Mar 07 2016 09:17 pm

    if you're a sysop that's another opening you are making to get attacked on the internet. now you have a ssh port getting bruteforced.
    just so 2 people maybe just maybe might use it a few times.

    Maybe, but my BBS is all I really have on my BBS machine. To go along with your argument,
    there probably isn't anything really interesting an attacker would want
    from a BBS machine


    yeah but the bruteforce attacks would slow everything down and prevent people from logging onto your nodes unless you have a large amount of nodes configured.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Darkwing on Tuesday, March 08, 2016 22:52:17
    Re: SSH
    By: Darkwing to Nightfox on Mon Mar 07 2016 11:14 pm


    Once I get Iniquity working on SSH I will absolutely disable telnet as an access method. If you're OK with cleartext across the 'net, then, well, you're just at a very different place than I am I guess hehe. That being said, I'm just happy I was able to ghetto-rig Iniquity online at all.



    if you are on the internet you are dealing with that shit whether you like it or not. we've found out over the years that some of these big online services were not storing our information in a secure encrypted format. these were sites that had https and capcha and other bullshit. what about man in the middle attacks as well.

    security is an illusion.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Darkwing on Tuesday, March 08, 2016 22:53:10
    Re: SSH
    By: Darkwing to Mro on Mon Mar 07 2016 11:16 pm


    you have to factor in the risks. you shouldnt even be using synchronet if you are so demanding of security because the passwords are stored in plain text.

    Local access to the system is way different than deciding every
    network your traffic passes through with full pcap is welcome to capture your data in cleartext.


    like i said, security is just an illusion to make people sleep well at night.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Darkwing on Tuesday, March 08, 2016 22:56:56
    Re: SSH
    By: Darkwing to Mro on Mon Mar 07 2016 11:19 pm

    Re: SSH
    By: Mro to Nightfox on Sun Mar 06 2016 11:02 pm

    i dont think anybody gives a fuck what joe blow is doing in l.o.r.d on
    my bbs.

    And this is the attitude that is best to have. Let's face it, if the fedz want to own your PC, you're getting owned, unless you permanently disconnect from the 'net. It doesn't really bother me, because at the end of the day, I'm just not that interesting. I'm not a target for the fedz unreleased 0day because they wouldn't bother wasting it on me.


    right, what we know about and what gets reported is somewhat scary. so lets look at the fact that the media has no real clue and there's so much stuff we don't even know about. when you catch a criminal that possibly is just one time out of a hundred crimes they've committed.

    our government and other countries get away with anything they want pretty much. there's only a handful of people with the balls enough to talk.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From ROBERT WOLFE@VERT/WILDCAT to HUSTLER on Wednesday, March 09, 2016 00:14:00
    Hello Hustler!

    In a message to All <09/03/20> Hustler wrote:

    Why don't all BBS Sysops offer SSH? I thought telnet was
    supposed to be very insecure?

    Because not ALL BBS packages offer that ability.

    ... Platinum Xpress...The totally cool way to do mail!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to HUSTLER on Wednesday, March 09, 2016 00:15:00
    Hello Hustler!

    In a message to Doctor Who <09/03/20> Hustler wrote:

    I asked because security seems to be a major issue these
    days. I don't have a problem with telnet because I don't do
    anything on a BBS that's even close to illegal. It just
    seems to me a BBS offering SSH connections would be more of
    a draw for users. Especially paranoid users. Of all the
    board I'm on I can only connect to 3 using SSH. I was just
    curious as to why so many others don't have it set up. I
    agree could security should be practiced by everyone.

    Then again, not everyone knows about client programs like puTTY
    and such.

    ... Platinum Xpress...Your Cat will never be the same!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to MRO on Wednesday, March 09, 2016 00:16:00
    Hello Mro!

    In a message to Doctor Who <09/03/20> Mro wrote:

    you guys spend so much time thinking about security. worry
    about getting some fucking users first.

    Aye, here is the rub :)

    ... Power beyond the WILDest of CATS!...Platinum Xpress!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to VK3JED on Wednesday, March 09, 2016 00:17:00
    Hello Vk3jed!

    In a message to Nightfox <09/03/20> Vk3jed wrote:

    Agree, it is good practice. Synchronet has SSH capability,
    so why not use it. I'm not sure why others are having
    problems enabling SSH, mine worked out of the box (other
    than the port change I mentioned).

    I refer back to my original posting -- not ALL BBS packages
    support it.

    ... John Wayne would have used Platinum Xpress!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to MRO on Wednesday, March 09, 2016 00:19:00
    Hello Mro!

    In a message to Vk3jed <09/03/20> Mro wrote:

    here's another angle. some people dont want to be forced to
    use another client when they have a client they enjoy.

    i prefer mtelnet for windows. so do a few other people i
    know. i'm not sure if netrunner supports ssh now, i'm not a
    fan of it.

    I agree. I use mTel both here on this OS/2 VM as well as on all
    my linux machine. It just works better (maybe because it's been
    around so much longer).

    ... Platinum Xpress! It's hot!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to DARKWING on Wednesday, March 09, 2016 00:23:00
    Hello Darkwing!

    In a message to Nightfox <09/03/20> Darkwing wrote:

    Once I get Iniquity working on SSH I will absolutely disable
    telnet as an access method. If you're OK with cleartext
    across the 'net, then, well, you're just at a very different
    place than I am I guess hehe. That being said, I'm just
    happy I was able to ghetto-rig Iniquity online at all.

    And THEN watch how many users you get.

    ... Platinum Xpress and Wildcat!......Nice!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From ROBERT WOLFE@VERT/WILDCAT to DARKWING on Wednesday, March 09, 2016 00:24:00
    Hello Darkwing!

    In a message to Mro <09/03/20> Darkwing wrote:

    Now this is a much better point... I love mtel too, but
    switched to syncterm as I primarily use OSX now. It's a
    pretty sweet terminal. I think I liked the ANSI feel of
    mtel a bit more, but it only runs in windows (a vm for me)
    which is a bummer. At least with the availability and
    quality of syncterm I'd be OK with disabling telnet and
    requiring SSH on my board.

    Actually, to correct you, mTel runs in a platform other than
    Windows, too. Most people nowadays do not realize that mTel was
    not originally written for Windows. :)

    ... Get your CAT! on a Platinum Server today...FREQ PX13TD.ZIP!
    ---
    þ wcGATE 4.2 ÷ DoveNet | Neptune's Lair 2 | Memphis TN | r13.winserver.org
  • From Digital Man@VERT to Darkwing on Wednesday, March 09, 2016 03:07:23
    Re: SSH
    By: Darkwing to Mro on Mon Mar 07 2016 11:16 pm

    Re: SSH
    By: Mro to Doctor Who on Sun Mar 06 2016 10:54 pm

    you have to factor in the risks. you shouldnt even be using synchronet if you are so demanding of security because the passwords are stored in plain text.

    Local access to the system is way different than deciding every network your traffic passes through with full pcap is welcome to capture your data in cleartext.

    Just how many networks (with full pcap) do you think are between your client and my BBS? Sure, if your ISP (or your employer, if you're connecting through your work's network) has an interest (or a signed-warrant) to sniff your traffic, they could, but I don't see that happening at AT&T or Comcast just because some employee there is curious. Seems far fetched to me.

    digital man

    Synchronet "Real Fact" #63:
    Synchronet PCMS (introduced w/v2.0) is Programmable Command and Menu Structure.
    Norco, CA WX: 55.7°F, 55.0% humidity, 15 mph ESE wind, 0.17 inches rain/24hrs

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ telnet://vert.synchro.net
  • From Tiny@VERT/PHARCYDE to ROBERT WOLFE on Wednesday, March 09, 2016 06:24:04
    ROBERT WOLFE wrote in a message to VK3JED:

    I refer back to my original posting -- not ALL BBS packages
    support it.

    ssh over here to see a DOS BBS package on SSH. Granted the Matrix that answers doesn't do everything it used to, but it will still connect you to the BBS.

    Shawn
    ... Breast Self-Examination by phone: Press 1. Now press the other.
    --- timEd 1.10.y2k+
    * Origin: Tiny's Trailer (723:1/2.1)
    þ Synchronet þ thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin)
  • From Nightfox@VERT/DIGDIST to Mro on Wednesday, March 09, 2016 08:50:34
    you have to factor in the risks. you shouldnt even be using synchronet if you are so demanding of security because the passwords are stored in plain text.

    Local access to the system is way different than deciding every network your traffic passes through with full pcap is welcome to capture your data in cleartext.


    like i said, security is just an illusion to make people sleep well at night.

    So we're better off with no security at all?

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Denn@VERT/OUTWEST to ROBERT WOLFE on Friday, March 11, 2016 22:17:41
    Re: SSH
    By: ROBERT WOLFE to HUSTLER on Wed Mar 09 2016 12:14 am

    Why don't all BBS Sysops offer SSH? I thought telnet was
    supposed to be very insecure?

    I offer SSH, Only to myself though lol, Most of the stuff on my BBS is free from the FTP server and the BBS, as for stealing personal info from my BBS the most anyone could walk away with are user names and passwords.
    I dont ask for phone #'s or street addresses, I don't even make people use their real names.

    ---
    þ Synchronet þ The Outwest BBS - outwestbbs.com - Door Games - files -Dove-net
  • From Bcw142@VERT/OUTWEST to Hustler on Saturday, March 12, 2016 06:49:09
    Re: SSH
    By: Hustler to Nightfox on Mon Mar 07 2016 08:12 am

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to
    be very insecure?
    HusTler

    For one because I've always used SSH as a way into my home systems remotely, not the BBS. I really logon remotely using SSH then use nodespy (Mystic) to work on and view the BBS and other BBS. I don't think Mystic is setup for SSH, I think that's still a thing to possibly do. If it gets to be a problem it will likely be added. The real problem is DoS attacks, but so far they are only tying up the first node and not hammering on all nodes. SSH isn't going to change that at all.

    ---
    þ Synchronet þ The Outwest BBS - outwestbbs.com - Door Games - files -Dove-net
  • From Bcw142@VERT/OUTWEST to Doctor Who on Saturday, March 12, 2016 07:02:22
    Re: SSH
    By: Doctor Who to bcw142 on Tue Mar 08 2016 10:12 pm

    The idea that security on the internet is unimportant -- even on the humble BBS -- is naivete, pure and simple. I think that within
    a few decades, barring interference from oppressive governments, secure communication will finally become the norm, and people will
    look back on this period in history and see us as naive and stupid for not taking it seriously.

    It's not really that security isn't important - all BBS are setup to repel most attacks and setup with at least names and passwords to keep the spammers out if we can. Secure telnet/rlogin isn't common in clients and SSH isn't on all BBS software yet (Mystic for example). Who knows what the future will really bring, Global Thermonuclear War anyone? That will make it moot.

    ---
    þ Synchronet þ The Outwest BBS - outwestbbs.com - Door Games - files -Dove-net
  • From Bcw142@VERT/OUTWEST to Mro on Saturday, March 12, 2016 07:05:29
    Re: Re: SSH
    By: Mro to Nightfox on Tue Mar 08 2016 10:49 pm

    yeah but the bruteforce attacks would slow everything down and prevent people from logging onto your nodes unless you have a large amount of nodes configured.

    Doesn't seem to be a real problem, I do get a number of them these days, but I log on externally with little problem even on a raspberry pi (which is a pretty slow machine generally). It's taking the DoS machines time to keep that up too so they give up after a while.

    ---
    þ Synchronet þ The Outwest BBS - outwestbbs.com - Door Games - files -Dove-net
  • From Mro@VERT/BBSESINF to ROBERT WOLFE on Saturday, March 12, 2016 12:52:37
    Re: Re: SSH
    By: ROBERT WOLFE to DARKWING on Wed Mar 09 2016 12:24 am

    pretty sweet terminal. I think I liked the ANSI feel of
    mtel a bit more, but it only runs in windows (a vm for me)

    Actually, to correct you, mTel runs in a platform other than
    Windows, too. Most people nowadays do not realize that mTel was
    not originally written for Windows. :)


    yes, dink was a windows hater.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Saturday, March 12, 2016 12:54:59
    Re: SSH
    By: Nightfox to Mro on Wed Mar 09 2016 08:50 am


    like i said, security is just an illusion to make people sleep well at night.

    So we're better off with no security at all?


    who's saying that
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Denn on Saturday, March 12, 2016 12:57:58
    Re: SSH
    By: Denn to ROBERT WOLFE on Fri Mar 11 2016 10:17 pm

    Re: SSH
    By: ROBERT WOLFE to HUSTLER on Wed Mar 09 2016 12:14 am

    Why don't all BBS Sysops offer SSH? I thought telnet was
    supposed to be very insecure?

    I offer SSH, Only to myself though lol, Most of the stuff on my BBS is free from the FTP server and the BBS, as for stealing personal info from my BBS the most anyone could walk away with are user names and passwords.
    I don't ask for phone #'s or street addresses, I don't even make people use their real names.



    would be nice however if synchronet didn't store a lot of its information in plain text. there could be another exploit and someone can bust right in.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Nightfox@VERT/DIGDIST to Mro on Saturday, March 12, 2016 16:11:48
    Re: SSH
    By: Mro to Nightfox on Sat Mar 12 2016 12:54:59

    like i said, security is just an illusion to make people sleep well
    at night.

    So we're better off with no security at all?

    who's saying that

    I suppose I wasn't really sure what you meant by your comment about security being an illusion to make people sleep well at night. Seems to me that some security would be better than nothing.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From tracker1@VERT/TRNTEST to Hustler on Sunday, March 13, 2016 18:09:38
    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to
    be very insecure?

    It's all relative... You'd have to control one of the routers/networks in between the user and the server to snoop on traffic. Since most activity on most BBSes is public, the additional security of SSH isn't necessarily warranted.

    Beyond that, depending on the BBS software you are using, setting up SSH can
    be somewhat difficult or cumbersome to say the least.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From Nightfox@VERT/DIGDIST to tracker1 on Sunday, March 13, 2016 18:33:13
    It's all relative... You'd have to control one of the routers/networks in between the user and the server to snoop on traffic. Since most activity on most BBSes is public, the additional security of SSH isn't necessarily warranted.

    SSH can still protect a user's password from being sent in the clear though. Some users may or may not care about that.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From tracker1@VERT/TRNTEST to Mro on Sunday, March 13, 2016 18:25:15
    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be
    very insecure?

    so what if it's insecure. nobody is doing anything illegal on my bbses.

    it's convenience. i have rlogin, ssh, etc but nobody uses it. they all
    prefer telnet.

    Beyond that, not all telnet clients support ssh...
    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Doctor Who on Sunday, March 13, 2016 18:32:19
    I take security very seriously. And, contrary to the opinions of
    others, it doesn't matter if you are doing anything illegal or not.
    Good security should be a standard practice, You wouldn't mail a
    letter without an envelope, would you?

    Sure, it's called a post-card... ;-)

    Again, it's all about context.. and I'm as security minded as anyone... just saying that the level of security depends on the context... not to mention,
    as I said earlier, many telnet bbs clients don't support ssh, and many SSH clients won't properly interpret ANSI-BBS colors and character sets.
    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to HusTler on Sunday, March 13, 2016 18:34:59
    I asked because security seems to be a major issue these days. I don't
    have a problem with telnet because I don't do anything on a BBS that's
    even close to illegal. It just seems to me a BBS offering SSH
    connections would be more of a draw for users. Especially paranoid
    users. Of all the boards I'm on I can only connect to 3 using SSH. I
    was just curious as to why so many others don't have it set up. I
    agree good security should be practiced by everyone.

    I'd like to see more using HTTPS, would be cool to see a module to integrate Let's Encrypt (ACME) into synchronet...
    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Mro on Sunday, March 13, 2016 18:59:00
    you have to factor in the risks. you shouldn't even be using synchronet
    if you are so demanding of security because the passwords are stored
    in plain text.

    True enough... had thought about making the website the *real* frontend, and have a random generated "service" password that synchronet can have for the users to hit services directly... making it all mostly HTTP(S) based.

    But, I'm lazy and unmotivated... though, I did update the web UI on my board, so that I can hit left/right arrow to navigate messages, and on the message posted screen, made the link take me back to the message replied to, and left/right/space on the replied screen will navigate to that link... much smoother using the web ui now (the older one)...

    One of these days I'll get around to making my own.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Mro on Sunday, March 13, 2016 19:02:44
    if they are using the same password on someone's bbs as they are on their bank's website, let them lose all their shit. they're retarded.

    Also, most banks use 2fa... now, if you're using your BBS account as your
    main email account, I can't help you there...

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Darkwing on Sunday, March 13, 2016 19:04:23
    Now this is a much better point... I love mtel too, but switched to
    syncterm as I primarily use OSX now. It's a pretty sweet terminal.
    I think I liked the ANSI feel of mtel a bit more, but it only runs
    in windows (a vm for me) which is a bummer. At least with the
    availability and quality of syncterm I'd be OK with disabling telnet
    and requiring SSH on my board.

    I find this whole conversation about why encrypt communications very interesting =)

    Have you tried it under WINE? Would be semi-surprised if it didn't work.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Mro on Sunday, March 13, 2016 19:10:55
    security is an illusion.

    I'd given some thought to this... The idea being a crypto service that only internal servers can access, and only via specific ports... each server/app would have a client key... in order to make a request, it would be over TLS, using the client key, then a single record/field could be decrypted.

    Although that would only serve for fields you aren't going to search on...
    the system in question was for storing credit card information, the
    separation of service, database, and the crypto service/methodology, would yield much greater security.

    In the end, it depends on what you're trying to secure, and how you're trying to secure it, and for what reason... you have to be a bit creative and
    paranoid to think through these types of systems.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From tracker1@VERT/TRNTEST to Digital Man on Sunday, March 13, 2016 20:39:55
    Just how many networks (with full pcap) do you think are between your
    client and my BBS? Sure, if your ISP (or your employer, if you're
    connecting through your work's network) has an interest (or a signed-warrant) to sniff your traffic, they could, but I don't see that
    happening at AT&T or Comcast just because some employee there is
    curious. Seems far fetched to me.

    Can't speak for anyone else, but at work I have to SSH through the corporate proxy/firewall, so they can see it all, and even then most hosts are
    blocked...

    I just wish they'd unblock github gists... too many references to them
    anymore.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From Mro@VERT/BBSESINF to Nightfox on Monday, March 14, 2016 00:00:49
    Re: SSH
    By: Nightfox to tracker1 on Sun Mar 13 2016 06:33 pm

    It's all relative... You'd have to control one of the routers/networks in between the user and the server to snoop on traffic. Since most activity on most BBSes is public, the additional security of SSH isn't necessarily warranted.

    SSH can still protect a user's password from being sent in the clear
    though. Some users may or may not care about that.


    yeah but if you are running synchronet all these passwords are STORED in plain text. that means if there's an exploit someone gets everyone's passwords and information.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
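
The stored-plaintext concern raised in the post above, as an added example that is not part of the thread and is not Synchronet code: one way a user base with plaintext passwords can be moved to salted PBKDF2 hashes, upgrading each record at the user's next successful login. The record layout (`pw_plain`, `pw_hash`), the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>' using a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters; malformed records fail closed."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def login(record: dict, password: str) -> bool:
    """Check a login; on success, replace plaintext or under-strength hashes."""
    if "pw_hash" in record:
        ok = verify_hash(password, record["pw_hash"])
    else:
        legacy = record.get("pw_plain")  # legacy plaintext field (hypothetical)
        ok = bool(legacy) and hmac.compare_digest(legacy.encode(), password.encode())
    if not ok:
        return False
    weak = "pw_hash" in record and int(record["pw_hash"].split("$")[1]) < ITERATIONS
    if "pw_plain" in record or weak:
        record["pw_hash"] = hash_password(password)
        record.pop("pw_plain", None)  # the plaintext copy is no longer kept
    return True


def plaintext_remaining(users: dict) -> list:
    """Accounts whose password would still be readable if the user file leaked."""
    return sorted(name for name, rec in users.items() if "pw_plain" in rec)


if __name__ == "__main__":
    # Constructed sample records, not taken from any real BBS.
    users = {"alice": {"pw_plain": "correct horse"}, "bob": {"pw_plain": "hunter2"}}
    print(login(users["alice"], "correct horse"), plaintext_remaining(users))
```

Accounts that never log in again keep their plaintext record, so a migration like this is normally paired with a cutoff date after which remaining plaintext entries are reset.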
  • From Jeff Friend@VERT/MORDOR to Hustler on Monday, March 14, 2016 13:34:12
    Re: SSH
    By: Hustler to All on Sat Mar 05 2016 07:37 am

    Why don't all BBS Sysops offer SSH? I thought telnet was supposed to be very insecure?

    HusTler

    I just prefer Telnet through Telemate on my DOSBox. Brings back fond memories..

    Jeff

    ---
    þ Synchronet þ Mordor - casper.homeip.net
  • From Jeff Friend@VERT/MORDOR to HusTler on Monday, March 14, 2016 13:37:23
    Re: SSH
    By: HusTler to Doctor Who on Sun Mar 06 2016 01:39 am

    I asked because security seems to be a major issue these days. I don't have a problem with telnet because I don't do anything on a BBS that's even close to illegal. It just seems to me a BBS offering SSH connections would be more of a draw for users. Especially paranoid users. Of all the boards I'm on I can only connect to 3 using SSH. I was just curious as to why so many others don't have it set up. I agree good security should be practiced by everyone.

    What would someone do on a BBS anyway? Illegally copy all the freeware or shareware software that is on the BBS? Maybe there might be a possibility of a hacker getting onto the OS?

    Just, keep it secure from who exactly?

    Jeff

    ---
    þ Synchronet þ Mordor - casper.homeip.net
  • From Nightfox@VERT/DIGDIST to Mro on Monday, March 14, 2016 07:33:43
    SSH can still protect a user's password from being sent in the clear
    though. Some users may or may not care about that.


    yeah but if you are running synchronet all these passwords are STORED in plain text. that means if there's an exploit someone gets everyone's passwords and information.

    True but that's a separate issue.. With SSH, at least the user's password is protected from
    people snooping on the network activity.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Nightfox@VERT/DIGDIST to Jeff Friend on Monday, March 14, 2016 07:37:11
    What would someone do on a BBS anyway? Illegally copy all the freeware or shareware software that is on the BBS? Maybe there might be a possibility of a hacker getting onto the OS?

    Just, keep it secure from who exactly?

    From people who might want to get users' passwords which are sent in the clear over telnet..

    An analogy might be web-based forum sites. The stuff there is basically all public but they
    likely use secure login mechanisms so that users' passwords aren't sent in the clear.

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From Mro@VERT/BBSESINF to Jeff Friend on Monday, March 14, 2016 17:23:18
    Re: SSH
    By: Jeff Friend to HusTler on Mon Mar 14 2016 01:37 pm


    What would someone do on a BBS anyway? Illegally copy all the freeware or shareware software that is on the BBS? Maybe there might be a possibility
    of a hacker getting onto the OS?

    Just, keep it secure from who exactly?


    i think what starts a lot of this talk is this:

    sysop posts about his "retro" bbs in his online hangout or some forum or slashdot.

    guy who wouldn't visit anyways looks on wikipedia and then posts about how flawed telnet is and says he would never visit a system that is not secure.

    sysop complies and nothing ever comes of it.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Monday, March 14, 2016 17:24:01
    Re: SSH
    By: Nightfox to Mro on Mon Mar 14 2016 07:33 am

    yeah but if you are running synchronet all these passwords are STORED in plain text. that means if there's an exploit someone gets
    everyone's passwords and information.

    True but that's a separate issue.. With SSH, at least the user's password is protected from
    people snooping on the network activity.


    ah well, if they are going to try that hard, let 'em have it.
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Mro@VERT/BBSESINF to Nightfox on Monday, March 14, 2016 17:26:44
    Re: SSH
    By: Nightfox to Jeff Friend on Mon Mar 14 2016 07:37 am

    Just, keep it secure from who exactly?

    From people who might want to get users' passwords which are sent in the clear over telnet..

    An analogy might be web-based forum sites. The stuff there is basically
    all public but they
    likely use secure login mechanisms so that users' passwords aren't sent in the clear.



    are computer criminals even doing shit like this nowadays when it's easier to just have your gf call pretending to be this guy's wife so you can get back into his account while he is stranded in africa?

    or instead of getting this guy's password from your bbs and trying it on every bank site they can instead use an exploit that works with the software the sites are using?
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Deuce@VERT/SYNCNIX to tracker1 on Monday, March 14, 2016 18:34:08
    Re: Re: SSH
    By: tracker1 to HusTler on Sun Mar 13 2016 06:34 pm

    I'd like to see more using HTTPS, would be cool to see a module to integrate Let's Encrypt (ACME) into synchronet...

    I'm looking into it... that ACME spec is insane though.

    ---
    http://DuckDuckGo.com/ a better search engine that respects your privacy.
    Mro is an idiot. Please ignore him, we keep hoping he'll go away.
    þ Synchronet þ My Brand-New BBS (All the cool SysOps run STOCK!)
  • From Jeff Friend@VERT/MORDOR to Nightfox on Tuesday, March 15, 2016 20:21:14
    Re: SSH
    By: Nightfox to Jeff Friend on Mon Mar 14 2016 07:37 am

    From people who might want to get users' passwords which are sent in the clear over telnet..

    An analogy might be web-based forum sites. The stuff there is basically all public but they
    likely use secure login mechanisms so that users' passwords aren't sent in the clear.

    Just to me, getting a password from a BBS is useless. Mostly because I have multiple passwords and never use the same one in a different place.

    Just my opinion.

    jeff

    ---
    þ Synchronet þ Mordor - casper.homeip.net
  • From Nightfox@VERT/DIGDIST to Jeff Friend on Tuesday, March 15, 2016 08:52:38
    From people who might want to get users' passwords which are sent in
    the clear over telnet..

    An analogy might be web-based forum sites. The stuff there is
    basically all public but they
    likely use secure login mechanisms so that users' passwords aren't
    sent in the clear.

    Just to me, getting a password from a BBS is useless. Mostly because I have multiple passwords and never use the same one in a different place.

    Just my opinion.

    Well yeah. But what if someone gets your BBS password, then logs into your BBS account and posts messages pretending to be you, etc.?

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From tracker1@VERT/TRNTEST to Deuce on Friday, March 18, 2016 22:58:59
    I'd like to see more using HTTPS, would be cool to see a module to
    integrate Let's Encrypt (ACME) into synchronet...

    I'm looking into it... that ACME spec is insane though.

    I know...

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/
  • From Doctor Who@VERT/THE5THD to tracker1 on Monday, March 21, 2016 21:27:16
    Re: Re: SSH
    By: tracker1 to HusTler on Sun Mar 13 2016 06:34 pm

    I'd like to see more using HTTPS, would be cool to see a module to integrate Let's Encrypt (ACME) into synchronet...
    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    A few weeks ago, Deuce mentioned the possibility of doing just that. Even without built-in support, it's not too hard to implement Let's Encrypt. I set up a Hiawatha reverse proxy and installed a Let's Encrypt certificate for Hiawatha. So basically Hiawatha handles the SSL connection and forwards the connection to the synchronet webserver. Synchronet's webserver can do SSL, but with a Let's Encrypt certificate, users won't get a warning about the validity of the website (since Synchronet's certificate is self-signed). Those warnings could scare off some people who don't understand exactly what the warning means. I also posted a Hiawatha howto on the Synchronet wiki if anyone else wants to try it.

    ---
    þ Synchronet þ The 5th Dimension: the5thd.synchro.net
  • From tracker1@VERT/TRNTEST to Doctor Who on Saturday, March 26, 2016 14:23:18
    A few weeks ago, Deuce mentioned the possibility of doing just that.
    Even without built-in support, it's not too hard to implement Let's
    Encrypt. I set up a Hiawatha reverse proxy and installed a Let's
    Encrypt certificate for Hiawatha. So basically Hiawatha handles
    the SSL connection and forwards the connection to the synchronet
    webserver.

    I know that, I'm usually running SBBS behind a reverse proxy... right now,
    IIS, but I haven't set up letsencrypt on it yet... it's easy enough to do, but many won't go farther than setting up sbbs, and have trouble even configuring their routers to forward ports properly.

    --
    Michael J. Ryan
    tracker1(at)gmail.com
    +o Roughneck BBS

    ---
    þ Synchronet þ RoughneckBBS - http://www.roughneckbbs.com/