[Dxspider-support] Connection by SSH

Dirk Koopman djk at tobit.co.uk
Tue May 2 11:13:26 BST 2000


On 02-May-2000 Ichiro Hieda JE1SGH wrote:
> Hi Dirk and all,
> 
> From 1 May, the local network where our DX Spider is located tightens the
> security, and normal telnet can be no longer used for the link.
> 
> Fortunately, SSH can be used for noncommercial use and it can get through
> the tight firewall.
> 
> How should I write the connect script? Previously, it was;
> ---
> connect telnet ocean.kz.tsukuba.ac.jp 1999
> 'login' jn1zga
> 'password' 'something'
> 'ocean' '/spider/perl/client.pl jn1zga-8 telnet'
> ---
> As normal telnet port was already unavailable at that time, we used port
> 1999 instead.
> 
> Now I tried,
> ---
> connect /usr/bin/ssh -l jn1zga ocean.kz.tsukuba.ac.jp
> 'password' 'something'
> 'ocean' '/spider/perl/client.pl jn1zga-8 telnet'
> ---
> I tried some variations modifying the 1st line, but I never succeeded in
> making the cluster link again. Of course, I confirmed the connection can be
> established manually by /usr/bin/ssh.
> 
> It seems that DX spider can't connect via an external binary executable (such
> as ssh). Is this right? Or, does CPAN have ssh compliant modules already?
> (As far as I searched on search.cpan.org, nothing was found)

All ax25 connections are done externally so it isn't that (using
netrom_call, ax25_call etc). 

Could it be that ssh asks for the password on stderr rather than stdout? I
have a strong feeling that that is what happens based on other uses that I
have had for ssh (but I don't actually _know_).

The alternative is for you to exchange keys in 'ssh_known_hosts' which will
also do away with the need for you to have a password in your connect script.

Also, I am a bit confused as to why they are insisting that you use ssh for
the transport. There is nothing in the protocol which gives anything vital
away. There is nothing secret there except the password - which can be
eliminated.

My personal view would be to ask the people you are connecting to, to put an
entry in /etc/inetd.conf that looks like this:-

jg1ygh stream tcp nowait spider /usr/sbin/tcpd /spider/src/client JG1YGH
telnet

(all on one line - it is split by the mailer)

in /etc/services:-

jg1ygh 1999/tcp

and /etc/hosts.allow:-

/spider/src/client: 202.213.175.3

and

killall -HUP inetd
 
If this isn't secure enough then I would be quite interested in the reasons
why. As this will mean that your node will connect direct to port 1999 and it
will start straight away in protocol, there is no intermediate step thru a
shell and no password sent in clear. Also the line in /etc/hosts.allow means
that it will only allow nibh.go.jp to connect on that port.

> 
> Any help is greatly appreciated.
> 
> Best regards,
> Ichiro JE1SGH
> Note: The sender appearing in the From: header is not a normal address. Please
> write to "hieda at nibh.go.jp" if you need personal contact.
> ----
> P.S. Sorry Dirk for confusing you with my previous posting. I am using some
> trick for MLs plus I had a typo. This mail has a valid address for the ML I
> believe.

Sorry, no it hasn't, the From: line doesn't contain the email address in the
correct format. Just put the actual email address at the end in < and > and
it should work.

-- 
Dirk-Jan Koopman, Tobit Computer Co Ltd 
At the source of every error which is blamed on the computer you will find
at least two human errors, including the error of blaming it on the computer.
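
An added example, not part of the original message and not DXSpider code: hosts_access(5) grants access on a hosts.allow match, denies on a hosts.deny match, and grants again when neither file matches, so a hosts.allow entry like the one in the message restricts a port only when hosts.deny also carries a catch-all rule. The shell model below is simplified to literal daemon names, literal addresses and ALL; the address 192.0.2.10 and the literal comparison of the daemon name are assumptions.

```shell
#!/bin/sh
# Simplified model of the hosts_access(5) decision order applied by tcpd.
# Handles only literal daemon names, literal client addresses and ALL.

# rule_matches FILE DAEMON CLIENT: succeed if a "daemons: clients" line matches.
rule_matches() {
    file=$1 daemon=$2 client=$3
    [ -f "$file" ] || return 1            # a missing file counts as empty
    while IFS=: read -r daemons clients rest; do
        case $daemons in ''|'#'*) continue ;; esac   # skip blanks and comments
        d_hit=no c_hit=no
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then d_hit=yes; fi
        done
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if [ "$c" = ALL ] || [ "$c" = "$client" ]; then c_hit=yes; fi
        done
        if [ "$d_hit" = yes ] && [ "$c_hit" = yes ]; then return 0; fi
    done < "$file"
    return 1
}

# decide ALLOW DENY DAEMON CLIENT: print the verdict in hosts_access(5) order.
decide() {
    if rule_matches "$1" "$3" "$4"; then echo granted     # 1. hosts.allow match
    elif rule_matches "$2" "$3" "$4"; then echo denied    # 2. hosts.deny match
    else echo granted                                     # 3. no match anywhere
    fi
}

# Constructed demo files; 192.0.2.10 is a made-up "other" client address.
demo=$(mktemp -d)
allow=$demo/hosts.allow deny=$demo/hosts.deny
svc=/spider/src/client   # daemon name compared literally (assumption)
printf '%s\n' '/spider/src/client: 202.213.175.3' > "$allow"
echo "allow only, listed host: $(decide "$allow" "$deny" "$svc" 202.213.175.3)"
echo "allow only, other host:  $(decide "$allow" "$deny" "$svc" 192.0.2.10)"
printf '%s\n' 'ALL: ALL' > "$deny"
echo "with deny, listed host:  $(decide "$allow" "$deny" "$svc" 202.213.175.3)"
echo "with deny, other host:   $(decide "$allow" "$deny" "$svc" 192.0.2.10)"
rm -rf "$demo"
```

With only the hosts.allow entry present, the unlisted address is still granted; it is denied once hosts.deny contains `ALL: ALL`.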
