• Secure Telnet

    From fusion@21:1/100 to All on Fri Mar 26 16:19:41 2021
    I got telnet over SSL working and thought I'd share the details since the
    next official release of SyncTERM looks like it's going to support it. For
    now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

    Unfortunately there isn't an official 32-bit release anymore (and a lot of us are on 32-bit for the dos support!) but luckily this nice fellow here
    compiled and packaged up a 32-bit version for us:

    https://github.com/josealf/stunnel-win32

    I used the file "stunnel-testing-win32-installer.exe"

    After install, you will be asked to create a certificate for the SSL connections. If you haven't done so before, it asks you a series of questions:

    Country (US, NZ, etc)
    State
    City or Province
    Organization (I used the BBS name without "BBS" on the end)
    Organization Unit: BBS
    Common Name, domain, etc: throw in something like sslbbs.synchro.net or whatever you use for your bbs
    Email: yep.

    For Windows 7 and up, you won't have permission to directly edit the config file since it's in the "C:\Program Files" folder. You can either start up a command prompt as administrator and edit there, or copy it, edit it, and replace it with Windows Explorer (it should ask for authorization and show
    the little shield or whatever.)

    The config file has quite a few examples, but to make this easy, you can
    simply delete all but one and modify it:

    [bbs]
    accept = 992
    connect = 23
    cert = stunnel.pem

    Note that since stunnel redirects connections from port 992 to port 23, they will show up as if they're connected locally! If your BBS features anti-connection-spam (like Mystic) you should make sure 127.0.0.1 is included in the whitelisted IP addresses file. You will have to match timestamps with the stunnel log if you need to find a specific user..

    Open port 992 on your firewall and you should be all set :)

    In SyncTERM, you will have to edit your connection (F2) and change the connection type to "TelnetS". As previously mentioned, it should be included
    in the NEXT release of SyncTERM, so for now you will have to use the test versions linked at the very bottom of the SyncTERM web page.

    Hopefully someone finds this useful and it gets more widely adopted directly
    in BBS software!

    -------------------------------------------------------------------------------

    For security minded folk: it doesn't look like certificate verification is common even in the clients that have had this feature for a long time.. mostly mainframe stuff. You can however use openssl to view the server's certificate information with:

    openssl s_client -connect mysuperbbs.com:992

    If you want to get a legitimate certificate, LetsEncrypt is free, and is
    fairly easy to automate updates for with Windows' task scheduler. In which
    case openssl should show:

    verify return:1

    at each step as it walks the certificate chain.

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From fusion@21:1/616 to fusion on Sun Mar 28 05:41:28 2021
    On 26 Mar 2021, fusion said the following...

    I got telnet over SSL working and thought I'd share the details since the

    well, i had hoped it would allow me to edit this slightly instead of a direct-forward but .. d'oh. i also have posted this on DOVE-Net previously. thought it might be handy for somebody ;)

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From Al@21:4/106.1 to fusion on Sun Mar 28 05:09:58 2021
    Re: Secure Telnet
    By: fusion to All on Fri Mar 26 2021 04:19 pm

    I got telnet over SSL working and thought I'd share the details since the next official release of SyncTERM looks like it's going to support it. For now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

    I noticed a new telnets option in SyncTERM 1.2a recently so I gave your BBS a call with telnets. It seemed to work well and I was able to connect and see your login screen.

    I'm a little short on time ATM or I'd log in proper for a visit but I will likely do that at some point.

    But anyway, I just had a quick look but it seemed to work at cfbbs.net.. :)

    Ttyl :-),
    Al

    ... A camel is a horse planned by committee.
    --- SBBSecho 3.14-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From fusion@21:1/616 to Al on Sun Mar 28 08:28:14 2021
    On 28 Mar 2021, Al said the following...

    But anyway, I just had a quick look but it seemed to work at cfbbs.net..

    right on. yeah i suppose it'd be a bit silly to make a writeup for it and
    then not use it myself :)

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From NuSkooler@21:1/121 to fusion on Sun Mar 28 12:09:33 2021

    fusion around Friday, March 26th...
    In SyncTERM, you will have to edit your connection (F2) and change the connection type to "TelnetS". As previously mentioned, it should be included in the NEXT release of SyncTERM, so for now you will have to use the test versions linked at the very bottom of the SyncTERM web page.

    What's the rationale behind using TelnetS over SSH? As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.



    --
    |08 ■ |12NuSkooler |06// |12Xibalba |08- |07"|06The place of fear|07"
    |08 ■ |03xibalba|08.|03l33t|08.|03codes |08(|0344510|08/|03telnet|08, |0344511|08/|03ssh|08)
    |08 ■ |03ENiGMA 1/2 WHQ |08| |03Phenom |08| |0367 |08| |03iMPURE |08| |03ACiDic
    --- ENiGMA 1/2 v0.0.12-beta (linux; x64; 14.15.4)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Zip@21:1/202 to Al on Sun Mar 28 21:39:29 2021
    Hello Al!

    On 28 Mar 2021, Al said the following...
    I noticed a new telnets option in SyncTERM 1.2a recently so I gave your BBS a call with telnets. It seemed to work well and I was able to
    connect and see your login screen.

    If you have time, could you please try scbbs.nsupdate.info:50992 (custom port), too? Just to see if you get to the login screen...

    I haven't gotten around to upgrading my SyncTERM on Windows to 1.2 yet, but I'm hoping to do so soon.

    Many thanks in advance!

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From Zip@21:1/202 to fusion on Sun Mar 28 21:48:17 2021
    Hello fusion!

    On 26 Mar 2021, fusion said the following...
    I got telnet over SSL working and thought I'd share the details since the next official release of SyncTERM looks like it's going to support it.
    For now we can use "stunnel" since the only BBS I've heard of that supports it natively is BBBS.

    Thanks for the tip! A nice addition to the connection options! :)

    I thought I'd share some additional stunnel options that I'm giving a try here:

    ; CUSTOM: Allow binding to an IP address that is nonlocal or does not (yet) exist; see ip(7)
    ; NOTE: This might help if stunnel starts up before network interfaces are fully configured; in any case, it won't hurt
    socket = a:IP_FREEBIND=yes

    ; CUSTOM: Only allow TLSv1.2 and higher
    sslVersion = all
    options = NO_SSLv2
    options = NO_SSLv3
    options = NO_TLSv1
    options = NO_TLSv1.1

    ; CUSTOM: Only allow ciphers that are still considered secure (for TLSv1.2 and below)
    ; NOTE: Using OpenSSL 1.1.1d here, which has CAMELLIA
    ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECD
    H+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!E XP:!PSK:!SRP:!DSS:!RC4:!SSLv3:!TLSv1:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA 256:!DHE-RSA-CAMELLIA128-SHA256:!DHE-RSA-CAMELLIA256-SHA256:!ECDHE-RSA-AES128-S HA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLI A256-SHA384

    ; CUSTOM: When choosing a cipher, use the server's preferences instead of the client preferences (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html)
    options = CIPHER_SERVER_PREFERENCE

    ; CUSTOM: Disable TLS renegotiation to mitigate DoS attacks
    renegotiation = no

    ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE
    options = SINGLE_DH_USE

    ; CUSTOM: Delay DNS lookup for the connect option
    delay = yes

    And, for the actual service:

    ; NOTE: Set to > Mystic BBS configuration (mystic -cfg) --> Configuration --> General Settings --> Inactivity
    TIMEOUTidle = 7210

    Hopefully some of these can be useful.

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From fusion@21:1/616 to NuSkooler on Sun Mar 28 16:43:34 2021
    On 28 Mar 2021, NuSkooler said the following...

    What's the rationale behind using TelnetS over SSH? As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.

    i'm not quite as fond of how ssh handles the login for a bbs. apparently the next syncterm also includes a username/passwordless ssh login so bbses that ignore incorrect login info can just go about their business (user won't need to know to put in bbs/bbs, or even that they might need to put in a bs
    password to create an account over ssh instead) so i'm sure that'll be a plus too.

    not really a huge deal by any stretch. but i'm not hurting for cpu cycles ;)

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From fusion@21:1/616 to Zip on Sun Mar 28 16:56:30 2021
    On 28 Mar 2021, Zip said the following...

    ; CUSTOM: Only allow ciphers that are still considered secure (for
    TLSv1.2 and below)

    Hopefully some of these can be useful.

    awesome. yeah i'm guessing syncterm uses cryptlib like synchronet does. hopefully it doesn't get back that list of restrictions and bail out lol.
    i'll give it a shot here when i'm not bbsing from my phone..

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From Al@21:4/106.1 to Zip on Sun Mar 28 15:18:20 2021
    Re: Re: Secure Telnet
    By: Zip to Al on Sun Mar 28 2021 09:39 pm

    If you have time, could you please try scbbs.nsupdate.info:50992 (custom port), too? Just to see if you get to the login screen...

    Yep, your BBS answers and looks good.

    I haven't gotten around to upgrading my SyncTERM on Windows to 1.2 yet, but I'm hoping to do so soon.

    Looks good here on my linux64 box.. :)

    Ttyl :-),
    Al

    ... Cursor: An expert in four-letter words
    --- SBBSecho 3.14-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From Al@21:4/106.1 to NuSkooler on Sun Mar 28 18:48:07 2021
    Re: RE: Secure Telnet
    By: NuSkooler to fusion on Sun Mar 28 2021 12:09 pm

    What's the rationale behind using TelnetS over SSH?

    I don't think there is a good reason to use telnets over ssh. There is a reason to use telnets over telnet.

    As far as I'm aware the RFC never made it out of draft whereas of course SSH is widely adopted.

    I never knew telnets never moved beyond the draft stage and I don't know why that is. Duece's reason for adding telnets was to support BBSs that use it if I read his comment right.

    When I ran debian many years ago there was a telnet-ssl package you could install. If that package is still there (I'm not sure) it could make telnets easier to install and use.

    Ttyl :-),
    Al

    ... Should I or shouldn't I?... Too late, I did!
    --- SBBSecho 3.14-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From fusion@21:1/616 to Al on Mon Mar 29 02:49:20 2021
    On 28 Mar 2021, Al said the following...

    I never knew telnets never moved beyond the draft stage and I don't know why that is. Duece's reason for adding telnets was to support BBSs that use it if I read his comment right.

    well, unless we talk about starttls, which requires actual protocol handling
    in the "child" protocol, there isn't really much to it. the rfc would be
    quite boring really. "1) establish ssl connection. 2) carry out telnet connection over it". that's the only difference between https/http,
    imaps/imap, etc. too.

    --- Mystic BBS v1.12 A46 2020/08/26 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From Zip@21:1/202 to fusion on Mon Mar 29 12:25:29 2021
    Hello fusion!

    On 28 Mar 2021, fusion said the following...
    ; CUSTOM: Only allow ciphers that are still considered secure (for TLSv1.2 and below)

    Hopefully some of these can be useful.

    awesome. yeah i'm guessing syncterm uses cryptlib like synchronet does. hopefully it doesn't get back that list of restrictions and bail out lol.

    Just heard from Al that he tested it and it appears to work. :-)

    I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From Zip@21:1/202 to Al on Mon Mar 29 12:26:07 2021
    Hello Al!

    On 28 Mar 2021, Al said the following...
    If you have time, could you please try scbbs.nsupdate.info:50992 (cus port), too? Just to see if you get to the login screen...

    Yep, your BBS answers and looks good.

    Thanks a lot! It is much appreciated!

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From Digital Man to Zip on Mon Mar 29 18:24:54 2021
    Re: Re: Secure Telnet
    By: Zip to fusion on Mon Mar 29 2021 12:25 pm

    I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

    We patch/configure cryptlib to choose the ciphersuite preferences/requirements. --
    digital man

    Synchronet "Real Fact" #30:
    The COM I/O routines for Synchronet for DOS were written in ASM by Steve Deppe. Norco, CA WX: 72.0°F, 38.0% humidity, 6 mph NNE wind, 0.00 inches rain/24hrs
  • From Al@21:4/106.1 to fusion on Mon Mar 29 21:55:39 2021
    Re: Re: Secure Telnet
    By: fusion to Al on Mon Mar 29 2021 02:49 am

    well, unless we talk about starttls, which requires actual protocol handling in the "child" protocol, there isn't really much to it.

    We probably want to avoid starttls don't we?

    the rfc would be quite boring really. "1) establish ssl connection. 2) carry out telnet connection over it". that's the only difference between https/http, imaps/imap, etc. too.

    I am not really up on things network generally, especially the security side of things.

    The only thing I know id that I prefer to be secure than insecure.

    Ttyl :-),
    Al

    ... $$$ not found -- A)bort, R)efinance, D)eclare bankruptcy
    --- SBBSecho 3.14-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From Al@21:4/106.1 to Zip on Mon Mar 29 22:06:13 2021
    Re: Re: Secure Telnet
    By: Zip to fusion on Mon Mar 29 2021 12:25 pm

    I guess this means that SyncTERM uses a modern version of cryptlib (not requiring CBC ciphers) which would otherwise cause the connection to fail...

    I don't know Deuce well, in fact I don't see him around much anymore but he is heavily involved with Synchronet to this day. I see his commits in the Synchronet programming area regularly.

    I don't think he would feel badly if folks took his work and incorporated it into their own projects. It's open source and folks just need to give credit where credit is due.

    I've always thought it would be great if there was a place where people could get the stuff they need to be secure and the synchronet project might be a good place to do that.

    Probably want to get Deuce's OK to do that but I think he'd be pleased. He might even be willing to work on a generally available repo for that so other BBS projects have a place to goto for that and don't have to reinvent it all.

    Ttyl :-),
    Al

    ... Bug free, cheap, on time, works. Pick two.
    --- SBBSecho 3.14-Linux
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106.1)
  • From Zip@21:1/202 to Digital Man on Tue Mar 30 11:30:43 2021
    Hello Digital Man!

    On 29 Mar 2021, Digital Man said the following...
    We patch/configure cryptlib to choose the ciphersuite preferences/requirements.

    Sounds great! :)

    Best regards
    Zip

    --- Mystic BBS v1.12 A47 2021/02/12 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)