Grex > Garage > #23: Telnetd removal from OpenBSD >= 3.8 and grex.
gull
|
|
response 19 of 57:
|
Dec 28 20:30 UTC 2005 |
The problems listed in resp:18 are inherent with using a public
computer. They're not particular to SSH; it just doesn't solve them.
He's right, though, that you lose SSH's resistance to "man in the
middle" attacks this way. About all it protects you from, then, is
packet sniffing.
|
bhoward
|
|
response 20 of 57:
|
Dec 29 06:14 UTC 2005 |
Couldn't we package up a special release of this browser ssh client
to be downloadable from grex with grex's public host key preloaded
into it to address the man-in-the-middle problem?
|
tod
|
|
response 21 of 57:
|
Dec 29 06:57 UTC 2005 |
re #19
The problem is browser based SSH vs. host based telnet client has a minuscule
security enhancement but higher hindrance on the userbase.
|
cross
|
|
response 22 of 57:
|
Dec 29 15:18 UTC 2005 |
Well, I think that protecting against packet sniffing has a big advantage,
but the point of this whole thread is getting rid of telnet in favor of SSH
only. The fact of the matter is, despite the foot stamping of the OpenBSD
crowd, it's just not going to happen any time soon (not, as Todd points out,
until there are widely available SSH clients bundled with the major OS
vendors). So how does one support telnetd on an operating system that's
made it clear it has no intention of doing it itself going forward? That's
what's at issue.
Personally, I'm rather sad to see them remove telnetd. Maybe I can see
them removing the non-encrypted, non-Kerberized versions, but it's a bummer
to me to see those go away.
|
gull
|
|
response 23 of 57:
|
Dec 29 19:36 UTC 2005 |
Does the FreeBSD port of telnetd compile on OpenBSD? I doubt FreeBSD
will be eliminating it any time soon.
|
bhoward
|
|
response 24 of 57:
|
Dec 30 05:02 UTC 2005 |
We grabbed the telnetd from 3.7 and recompiled that for 3.8 when we
did the upgrade. Until we decide to retire telnet access, I suggest
sticking with that for the time being.
|
steve
|
|
response 25 of 57:
|
Jan 3 05:51 UTC 2006 |
The issue isn't if telnetd will work with future versions of
OpenBSD or not. There are others doing what we did, so I'm not
too concerned about being able to run it. The real question is
how do we best do this. I think giving several months notice
about a telnet phase out is the way to go, along with a web
page here explaining how to get ssh clients for Windows/MacOS.
|
cross
|
|
response 26 of 57:
|
Jan 3 15:40 UTC 2006 |
That sounds reasonable.
|
remmers
|
|
response 27 of 57:
|
Jan 4 16:47 UTC 2006 |
Re #25: Mac OS X comes with an ssh client.
|
bhoward
|
|
response 28 of 57:
|
Jan 12 09:22 UTC 2006 |
I get a lot of "helper" write sessions and just got a relevant one
today. Person logged in, wanted to be able to sign in with ssh but
didn't have a clue about unix/linux -- did not know what a shell
is, how to edit a file, make a directory but he did know about
putty...apparently was using it with other systems though how, I
don't know.
We will need to have clear instructions on how to locate and/or
generate your public key under putty and have a dead simple way for
them to cut-n-paste it to something that will properly configure
their .ssh/authorized* files.
Based on my conversation just now, this is something we will need
to transition very carefully and slowly. I would not want to scare
away non-technical users or those lacking exposure to unix. The
first of those two groups are often the ones that make the best
conferencing participants!
|
cross
|
|
response 29 of 57:
|
Jan 12 15:16 UTC 2006 |
Why not just start with passwords under PuTTY?
|
gull
|
|
response 30 of 57:
|
Jan 14 02:28 UTC 2006 |
I agree with resp:29. I wouldn't expect users to start using public
key authentication right off the bat. Most people don't need that
level of security, and most SSH clients lack a point-and-click way to
do it.
|
eteepell
|
|
response 31 of 57:
|
Jan 6 00:22 UTC 2007 |
I'm of the opinion to keep the telnetd going until major OS's ship with SSH
in the base system. I like the idea of security but not at the expense of
causing troubles for newbies. In my circumstance I am often on grex at work,
which uses Windows, and which has a corporate policy of not allowing
installation of software on company computers (see my point?), a web based
solution, like a java ssh would be nice, then there's the pesky surfcontrol
|
maus
|
|
response 32 of 57:
|
Jan 7 00:50 UTC 2007 |
Can you execute a third-party command if it does not require
installation? If so, look into putty. You can have full ssh capabilities
with 2 files without having to install anything. As another alternative,
I think you can download MindTerm for free if you just want it for
personal use. You can then simply execute "java -jar mindterm.zip
cyberspace.org".
|
denise
|
|
response 33 of 57:
|
Jan 23 23:24 UTC 2007 |
Maybe a bit late in the discussion, I do hope telnet stays for awhile for us
non-techies on board. Though I've heard of ssh here, I have absolutely no idea
what that [or putty] is. So an easy, non-techie based option for being on
grex would be cool. :-)
|
nharmon
|
|
response 34 of 57:
|
Jan 24 01:12 UTC 2007 |
Denise, I would say that using PuTTY is actually less "techie" than
using Windows telnet to access Grex.
Download a copy of PuTTY and give it a try.
|
cross
|
|
response 35 of 57:
|
Jan 24 16:03 UTC 2007 |
I agree with nharmon; PuTTY is actually easier to use than Windows telnet.
Grab a copy from here: http://www.putty.nl/latest/x86/putty-0.58-installer.exe
and give it a whirl....
|
denise
|
|
response 36 of 57:
|
Jan 24 22:54 UTC 2007 |
What IS putty? Or does it explain what it is on the web site? I guess it's
just something that I haven't ever been exposed to [but am willing to try and
learn].
|
cross
|
|
response 37 of 57:
|
Jan 24 23:57 UTC 2007 |
In a nutshell, PuTTY is a "terminal program" that allows you to connect to
remote systems (like grex) over the Internet. It provides a superset of the
functionality of Windows telnet, which you might currently be using to connect
to grex.
|
denise
|
|
response 38 of 57:
|
Jan 25 03:33 UTC 2007 |
Ok, thanks. I'll definitely check it out sometime in the next day or two when
I have a bit more time. :-)
|
remmers
|
|
response 39 of 57:
|
Jan 25 17:30 UTC 2007 |
In circumstances where I've been forced to use Windows, I used PuTTY a
lot for connecting to systems with a terminal interface. Definitely
recommended.
One downside was non-standard copy-paste behavior (borrowed from X
Windows, if I recall correctly) that could have unfortunate consequences
if you weren't aware of it. I don't recall the exact details - it's
been a few years - and maybe it's been fixed.
|
nharmon
|
|
response 40 of 57:
|
Jan 25 17:42 UTC 2007 |
Anything you highlight in PuTTY is copied onto the clipboard and right
clicking will paste everything in the clipboard.
|
remmers
|
|
response 41 of 57:
|
Jan 25 17:56 UTC 2007 |
Oh, right. Still not fixed, eh?
Accidental copies followed by accidental pastes into a command line
interface can have unfortunate consequences. Regardless of what you think
of Windows, applications for it *should* follow standard user interface
behavior.
|
nharmon
|
|
response 42 of 57:
|
Jan 25 18:40 UTC 2007 |
Fixed implies it is broken, John. I kinda like that behavior. :-)
|
cross
|
|
response 43 of 57:
|
Jan 25 19:21 UTC 2007 |
Yeah, that's one thing about PuTTY that I do NOT like.
|