 SSH Support 
Commander

Joined: Wed Apr 14, 2004 2:00 am
Posts: 1305
Location: USA
SSH Support
Would it be possible to add SSH support to TWGS so that we don't have to send data in open text over the internet?

_________________
Infecting others with a Polymorphic Virus since 1975.

Curing ignorance and terminal stupidity since 1999.

Questioning the intellectual abilities of three digit annual salary earners since 2015.


Thu Jan 26, 2012 3:11 pm
Site Admin

Joined: Sun Dec 24, 2000 3:00 am
Posts: 3150
Location: USA
Re: SSH Support
If anyone can provide me with source code for a simple SSH server implementation, I could at least assess the difficulty. So far, I haven't felt that the need justified the effort. Is there an issue with insecure TW connections?

The easiest way to get SSH into TWGS would be through a Delphi component. But these tend to be expensive. I can't really justify dropping $500 to add a feature like this to TWGS.

_________________
John Pritchett
EIS
---
Help fund the TradeWars websites! If you open a hosting account with A2 Hosting, the service EIS uses for all of its sites, EIS will earn credits toward its hosting bill.


Thu Jan 26, 2012 4:27 pm
Commander

Joined: Mon Oct 29, 2001 3:00 am
Posts: 1093
Location: Tucson, AZ
Re: SSH Support
OpenSSH is free and open source.

But I, too, wonder why anyone would be worried about sending TW data in plaintext. I hope nobody's logging into TWGS with the same user name and password they use for their online banking.

_________________
Suddenly you're Busted!


Thu Jan 26, 2012 6:30 pm
Commander

Joined: Wed Apr 14, 2004 2:00 am
Posts: 1305
Location: USA
Re: SSH Support
This comes from having to use Telnet at work. The database doesn't support SSH, and I am tired of sending out AD passwords in plaintext.

The same can apply to TW. I am looking at it from a privacy standpoint.
If you wanted to address it from a security standpoint, then think on what a corp with more scripts than ethics could do if they could sniff passwords on someone's server during a tournament.

_________________
Infecting others with a Polymorphic Virus since 1975.

Curing ignorance and terminal stupidity since 1999.

Questioning the intellectual abilities of three digit annual salary earners since 2015.


Thu Jan 26, 2012 6:40 pm
Commander

Joined: Sun Feb 25, 2001 3:00 am
Posts: 1703
Location: Guam USA
Re: SSH Support
Oso wrote:
This comes from having to use Telnet at work. The database doesn't support SSH, and I am tired of sending out AD passwords in plaintext.

The same can apply to TW. I am looking at it from a privacy standpoint.
If you wanted to address it from a security standpoint, then think on what a corp with more scripts than ethics could do if they could sniff passwords on someone's server during a tournament.

This is already possible by changing your IP then searching for blank passwords, since TWGS allows for blank passwords even if the SysOp checks 'use password'.

I was told this will never be fixed because there are a few 'special ed' players who can't or won't use passwords .. and please do not search them out ...
It will most likely get the used IP banned and you will have to change it again.

That being more trouble than changing the password function or forcing them to 'have' one.

So please don't ask for SSH support .. that would mean that the above could not, would not happen ... and players would be forced to use passwords like it or not.

But as for searching for a set password , that is a lot harder and falls under the guidelines and rules of online hacking laws .. but a blank password search does not.

So remember to always use a password not a blank!

_________________
TWGS V2 Vids World on Guam Port 2002
Telnet://202.151.82.243:2002
Team Speak3 Servers for TradeWars @
Zoom's Team Speak Server
ts3server://vs26.tserverhq.com:7214 This is where I'm at.
Micro's Team Speak Server
ts3server://ts.microblaster.net
Archys Portal Teamspeak Server
ts3server://60.242.57.40

Founding Member -=[Team Kraaken]=- Ka Pla


Thu Jan 26, 2012 7:36 pm
Commander

Joined: Mon Oct 29, 2001 3:00 am
Posts: 1093
Location: Tucson, AZ
Re: SSH Support
There seem to be a lot of misconceptions floating around about what SSH is and does. I don't want to get into a lot of detail in the feature request forum, but it was discussed at length in another thread: viewtopic.php?f=15&t=24425

The bottom line is, the only "privacy" SSH would afford you is protection against man-in-the-middle snooping... and then only if there were a trusted Certificate Authority for server keys. And you'd have to be awfully paranoid to think that someone at your ISP cares where your planets are.

_________________
Suddenly you're Busted!


Thu Jan 26, 2012 7:53 pm
Site Admin

Joined: Sun Dec 24, 2000 3:00 am
Posts: 3150
Location: USA
Re: SSH Support
I know it's "free" and "open source", but for some reason, I have a hard time finding anything free that I could look at for a simple example of how to implement this. At least not for Windows. And getting something that's ready to plug directly into the current code would be expensive.

How hard would it be for someone to snoop packets between a player and a server? If the person has local access to the server, there are easier ways to get passwords (TEDIT). But is there a way for someone to target any given server to snoop packets between the player and game?

Even if there is, I'd probably need to know that it's happening to justify it. If it was as easy to implement as Telnet and RLogin, I'd probably just do it for the coolness of it. But it doesn't seem to be that easy to do.

_________________
John Pritchett
EIS
---
Help fund the TradeWars websites! If you open a hosting account with A2 Hosting, the service EIS uses for all of its sites, EIS will earn credits toward its hosting bill.


Thu Jan 26, 2012 8:48 pm
Commander

Joined: Mon Oct 29, 2001 3:00 am
Posts: 1093
Location: Tucson, AZ
Re: SSH Support
To snoop packets, someone would have to have root/admin access to one of the machines routing them across the Internet. That seems unlikely in itself. But say someone hacked the wifi at the local coffee shop. It's astronomically unlikely that they know or care what TW is, much less happen to be your opponent. SSH wouldn't even keep an employer from finding out what their employee is doing on telnet all day. They could just connect to the same address and see that it's TWGS...

If someone wanted to eavesdrop on another player's session, they would most likely attack TWGS itself or some other service running on the same machine. Or they could post some spyware and get players to download it.

Eleq's original reason for tunneling TW through SSH (last comment in the thread I linked) is the only reason I've ever heard that makes the least bit of sense.

_________________
Suddenly you're Busted!


Thu Jan 26, 2012 11:33 pm
Site Admin

Joined: Sun Dec 24, 2000 3:00 am
Posts: 3150
Location: USA
Re: SSH Support
Yeah, I discussed this quite a bit with Eleq years ago and decided it wasn't a worthwhile effort. Of course I could still be convinced...

_________________
John Pritchett
EIS
---
Help fund the TradeWars websites! If you open a hosting account with A2 Hosting, the service EIS uses for all of its sites, EIS will earn credits toward its hosting bill.


Thu Jan 26, 2012 11:38 pm
Lance Corporal

Joined: Mon Jul 16, 2012 2:03 am
Posts: 3
Re: SSH Support
A CA is not required for SSH to prevent MitM. Publishing the SSH server's fingerprint is all that is needed and a one-time verification, which could be hosted on an https-enabled server to prevent tampering. The SSH Fingerprint (SSHFP) can also be published in DNS and with a DNSSEC signed zone it can be verified all the way up to the DNS Root servers. I do this for all my SSH servers:
$ dig +short sshfp Ox.roysdon.org
1 1 3DB9B33E322A607A7013EBD2ED45B13E87B647E5

OpenSSH automatically requests this record and verifies it matches what the ssh server is sending before it will send my password/private key information.

A work-around would be to add an SSH server that players connect to first and from there they would telnet to the TWGS. Helper-apps would need to add SSH support either way, or use SSH port-forwarding.

If/when I host my own TWGS, I'll probably do this and offer it as a connection method. Of course, I'd probably self-host all the fancy proxy apps as well so no players would have an advantage over any others.


Sun Jul 29, 2012 8:39 pm
Gameop
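As an added example (my code, not JasonJR's and not OpenSSH's), here is how an SSHFP record is derived from a host key and checked against it, using the RFC 4255 encoding: the record above is algorithm 1 (RSA) with fingerprint type 1 (SHA-1), and RFC 6594 adds type 2 (SHA-256). The sample key is a constructed byte string, not a real host key, and the function names are mine.

```python
# Added example, not code from the thread or from OpenSSH: derive and check an
# SSHFP record (RFC 4255, SHA-256 type from RFC 6594) for an OpenSSH host key.
import base64
import hashlib
import hmac

# SSHFP "algorithm" field for each OpenSSH key type (RFC 4255 / RFC 6594 values).
KEY_ALGOS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP "fingerprint type" field: 1 = SHA-1 (as in the dig output above), 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_record(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, HEX) for an OpenSSH 'type base64 [comment]' line.

    The fingerprint is the hash of the raw wire-format key blob, i.e. the
    base64 field decoded; this is what `ssh-keygen -r` publishes.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    digest = FP_HASHES[fp_type](blob).hexdigest().upper()
    return KEY_ALGOS[keytype], fp_type, digest


def verify_sshfp(pubkey_line, record):
    """True only if the key the server presented matches the DNS record.

    Algorithm, hash type and digest must all agree; malformed input is a mismatch.
    """
    try:
        algo, fp_type, fp = record.split()
        got_algo, got_type, got_fp = sshfp_record(pubkey_line, int(fp_type))
    except (KeyError, ValueError):
        return False
    return (got_algo == int(algo) and got_type == int(fp_type)
            and hmac.compare_digest(got_fp, fp.upper()))


def _ssh_string(b):
    # SSH wire encoding: 4-byte big-endian length followed by the bytes.
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a syntactically valid ssh-ed25519 blob around a dummy
# 32-byte key, so the example runs offline. Not a real host key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    algo, fp_type, fp = sshfp_record(SAMPLE_KEY)
    record = f"{algo} {fp_type} {fp}"  # what you would publish in the zone
    print("SSHFP", record, "matches:", verify_sshfp(SAMPLE_KEY, record))
```

Note that the OpenSSH client only consults SSHFP records when `VerifyHostKeyDNS` is enabled in ssh_config (its default is off), and the record is only trustworthy if the zone is DNSSEC-signed and the resolver validates it.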

Joined: Tue Nov 19, 2002 3:00 am
Posts: 1044
Location: USA
Re: SSH Support
JasonJR wrote:
A CA is not required for SSH to prevent MitM. Publishing the SSH server's fingerprint is all that is needed and a one-time verification, which could be hosted on an https-enabled server to prevent tampering. The SSH Fingerprint (SSHFP) can also be published in DNS and with a DNSSEC signed zone it can be verified all the way up to the DNS Root servers. I do this for all my SSH servers:
$ dig +short sshfp Ox.roysdon.org
1 1 3DB9B33E322A607A7013EBD2ED45B13E87B647E5

OpenSSH automatically requests this record and verifies it matches what the ssh server is sending before it will send my password/private key information.

A work-around would be to add an SSH server that players connect to first and from there they would telnet to the TWGS. Helper-apps would need to add SSH support either way, or use SSH port-forwarding.

If/when I host my own TWGS, I'll probably do this and offer it as a connection method. Of course, I'd probably self-host all the fancy proxy apps as well so no players would have an advantage over any others.


I love your Avatar man, though I don't personally see the point of SSH regardless of its weaknesses.

@JP: Personally I'm not interested in SSH from a player POV, which is what this forum requires me to say. If someone at a coffee shop wants my password and has the means, TW is the least of my concerns.

@Mongoose: Failure to implement a security protocol because someone "could" do something is a weak argument. I think OSO is just looking to protect the plain text from traversing his network; if he, as an admin, has people capable of binding to the port to watch the traffic and willing to do so, he has other issues beyond the scope of a basic SSH connection.

@JasonJr: I love your Avatar :-)

_________________
Dark Dominion TWGS
Telnet://twgs.darkworlds.org:23
ICQ#31380757, -=English 101 pwns me=-
"This one claims to have been playing since 1993 and didn't know upgrading a port would raise his alignment."


Tue Jul 31, 2012 4:59 pm
Commander

Joined: Mon Oct 29, 2001 3:00 am
Posts: 1093
Location: Tucson, AZ
Re: SSH Support
Kaus wrote:
@Mongoose: Failure to implement a security protocol because someone "could" do something is a weak argument.


My point is that the kind of attack SSH would protect you from is astronomically improbable. The only thing SSH will protect you from is being snooped by someone who has admin access to some computer along the route between your computer and the TWGS. For this to happen, someone would have to a) know where you're connecting from; b) know where you're connecting to; and c) own (either literally or in the cracking sense) some machine along the route.

If someone was intent on snooping your TW activity, they'd most likely attack one of the endpoints: your computer or the one hosting the TWGS. And once one of the endpoints is owned, SSH does absolutely nothing for you.

_________________
Suddenly you're Busted!


Tue Jul 31, 2012 5:24 pm
Gameop

Joined: Tue Nov 19, 2002 3:00 am
Posts: 1044
Location: USA
Re: SSH Support
Except in the case of OSO preventing his plain-text password and user name from being snooped by a sniffer, given that telnet by default offers no encryption. I agree with you it's pointless, given the breadth of other attacks available against server and client. I can understand however why someone would think there should be a "market" for it.

_________________
Dark Dominion TWGS
Telnet://twgs.darkworlds.org:23
ICQ#31380757, -=English 101 pwns me=-
"This one claims to have been playing since 1993 and didn't know upgrading a port would raise his alignment."


Tue Jul 31, 2012 7:30 pm
Commander

Joined: Mon Oct 29, 2001 3:00 am
Posts: 1093
Location: Tucson, AZ
Re: SSH Support
Yeah, but snooped by whom? You can't just snoop any traffic on the Internet. You have to control one of the machines along the route between the source and the destination. What are the chances that one of your TradeWars opponents works for your ISP and is sniffing Telnet looking specifically for TradeWars activity? This is pure paranoia.

_________________
Suddenly you're Busted!


Tue Jul 31, 2012 10:57 pm
Civilian

Joined: Wed Aug 01, 2012 10:34 am
Posts: 0
Re: SSH Support
Mongoose wrote:
This is pure paranoia.

A good system administrator's job includes being more paranoid than the next guy.

Oso wrote:
Would it be possible to add SSH support to TWGS so that we don't have to send data in open text over the internet?

The Cygwin project (http://www.cygwin.com/) includes both the OpenSSH client / server as well as an "inetutils" package that includes rlogin. One could set up an OpenSSH server with accounts set to automatically rlogin to the tw2002 server (presumably running on localhost) using the authenticated username via the 'ForceCommand' directive in sshd_config. The downside to this approach is that now your users will need to have system accounts on the server that's hosting your tw2002 instance.

If you go this route, I would recommend running tw2002 on an isolated virtual machine. Then again, I would recommend running tw2002 on an isolated virtual machine even if you didn't go the OpenSSH route.


Wed Aug 01, 2012 10:47 am
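An added example of the gateway layout described in the post above (my fragment, not the poster's own configuration): a `Match` block in sshd_config that forces every login from a players group straight into rlogin against a TWGS assumed to be listening on localhost, and switches off the forwarding features a gateway-only account has no use for. The group name `twplayers`, the rlogin path and the loopback TWGS are assumptions.

```sshconfig
# sshd_config fragment (Cygwin OpenSSH). Added example, not from the thread.
# Assumes: player OS accounts are in group "twplayers" (assumed name), TWGS
# accepts RLogin on localhost, and inetutils rlogin lives at /usr/bin/rlogin.
Match Group twplayers
    # Every login runs only this command; the player never gets a shell.
    # $USER is expanded by the account's login shell, so the SSH-authenticated
    # name is the one handed to rlogin.
    ForceCommand /usr/bin/rlogin -l "$USER" localhost
    # The game needs a TTY, but a gateway-only account needs nothing else.
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

With this layout the only plaintext leg is rlogin over loopback on the host itself; the leg across the Internet is the SSH session. Check the result with `sshd -t` before restarting the service, since a bad Match block keeps sshd from starting.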