[Dxspider-support] Secure node to node connection proposal

Howard Leadmon howard at leadmon.net
Sun Feb 26 10:01:02 GMT 2023


  A couple quick comments fwiw..

  I think to do this, you would need to set up a second network, and 
maybe interconnect it with the current network, as like Iain said, this 
is just way over the top for many.  I would probably participate with a 
second node, if possible, but to force on the current nodes will kill 
the current network and its users to a large extent.

  That said, you really need Dirk to weigh in on this, I believe his 
telnet is not a standard implementation, but I just remember some past 
comments, and this would require a redesign.   Tunneling SSH to mandate 
everyone using it, first would be a terrible way to do it, it should be 
part of the programs.  Second, now all hams, and all software coders 
that write code to support hams now have to redo their code to support 
native SSH connections.  I love SSH personally, but to force it on all 
the various programmers and thinking it's just going to fly will never work.

  As I mentioned the other day, I know the N3FJP contest software uses 
the cluster, many on my node, and it does not support passwords, so 
again someone that has to make coding changes.  Just FYI, there is also 
encrypted Telnet, granted I rarely see it used.

  So in closing, as also came up last week, a lot of updating has been 
done, we now have lists of bad calls and IPs being used on the nodes, 
it's really time to see if that cleans up stuff enough it's not such a 
problem anymore.

Cheers, and 73's...

---
Howard Leadmon - WB3FFV
PBW Communications, LLC
http://www.pbwcomm.com

On 2/26/2023 4:43 AM, Iain Philipps via Dxspider-support wrote:
> This will be a GREAT way to shrink the cluster network.
>
> There are a SIGNIFICANT number of SysOps who don't have the time to manage hundreds of users and passwords.
>
> This is *AMATEUR RADIO* not online banking. I understand we need to do something about the "spam", but alienating / disenfranchising SysOps is a *VERY* bad plan.
>
>
> 73 de WR3D
>
> -----Original Message-----
> From: Dxspider-support <dxspider-support-bounces at tobit.co.uk> On Behalf Of Mikel EA2CW via Dxspider-support
> Sent: 26 February 2023 09:36
> To: Keith Maton via Dxspider-support <dxspider-support at tobit.co.uk>
> Cc: Mikel EA2CW <ea2cw at gautxori.com>
> Subject: [Dxspider-support] Secure node to node connection proposal
>
> After a lot of hours with some sysops already here, I have written down a first proposal of the first -small- step we could take, rising a bit the node 2 node connections. Again, this is only a basic document to start, not an absolute and unique truth.
> I expect to have a good open discussion among all of us to define and agree the path to a better dx-cluster net.
>
> NODE<>NODE SECURE CONNECTION CRITERIA:
>
> 1. Unregistered users can connect and view spots, they cannot upload any info into the network.
>
> 2. Registered users can login, view and also upload spots, anns, etc.
>
> 3. All registered users must have a password. Registered users without password would not be acceptable.
>
> 4. All nodes to which the node is connected must meet the same requirements.
>
> 5. The connection between nodes must be between registered nodes and with password, that is:
>       - set/spider [node]
>       - set/reg <node>
>       - set/password <node>
>       - set/password <node> <password>.
>       (The /spider/connect/<server> files must be modified so that the password is used).
>
> 6. If possible, the connection between nodes should be made via ssh or other secure mechanism. (Already testing a ssh tunneling protocol with
> success)
>
> 7. The connection to the RBN servers is optional from each server, but the received RBN spots will not be forwarded to other nodes.
>
> After -I hope- achieving an agreement, I would want to start a net where all the clusters connected meet the agreed conditions.
> I ask you the sysops who already meet them or with this aim, to contact me and other partners in the same position for a -probably- slow but firm evolution.
>
>
> POSSIBLE NEXT STEPS IN THE FUTURE
>
> * A protocol should be designed within the dx-cluster standard to share hashed passwords between nodes, avoiding the need to register multiple times the same user in different nodes and reducing the maintenance tasks of each sysop. This information, i.e. (user:hash:origin_cluster) could later be broadcast around the net and/or also be distributed via config files as we already do, i.e. with bad IPs, and stored on each node.
>
> * The connections of identified nodes / users to any node should be made always using secured connections. No more telnet usr/pwd open transmissions should be allowed.
>
> * The secure connection system should be implemented as a part of the server programs (as telnet is now) avoiding the added complexity of creating tunnels between each pair of servers. This system could be used for secure connection between nodes as well as for connection and identification of users, who could continue to access in an insecure way -without the ability to upload information to the network. It would keep the connection system of the current client software unchanged.
>
>
>
> Hope we can discuss all this among us, securing the future of an open, safe and not hierarchically structured. This philosophy is IMHO the one that has kept alive the dxcluster network during so many years/decades.
>
> Thank you and 73 de Mikel EA2CW
>
>
>
>
> --
> ea2cw at gautxori.com
> Bilbao, Bizkaia. IN83MG
> http://radio.gautxori.com
> http://qrz.com/db/ea2cw
> https://t.me/EA2CW
>
>
> _______________________________________________
> Dxspider-support mailing list
> Dxspider-support at tobit.co.uk
> https://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
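
Added example, not part of the thread and not DXSpider code: a sketch of the `user:hash:origin_cluster` record from the proposal quoted above, assuming the hash field is a salted PBKDF2-HMAC-SHA256 string so that records copied to every node resist offline guessing. The field encoding, function names, iteration bounds and callsigns are hypothetical.

```python
import base64, hashlib, hmac, os

# Assumed work-factor bounds; the proposal does not specify a hash algorithm.
ITERATIONS, MIN_ITER, MAX_ITER = 200_000, 100_000, 2_000_000

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def make_record(user, password, origin):
    """Build 'user:hash:origin_cluster' with a fresh random salt per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    digest = "$".join(["pbkdf2-sha256", str(ITERATIONS), _b64(salt), _b64(dk)])
    return f"{user.upper()}:{digest}:{origin.upper()}"

def parse_record(line):
    """Split a record and reject anything that is not a salted, slow hash."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        raise ValueError("expected user:hash:origin_cluster")
    user, digest, origin = parts
    fields = digest.split("$")
    if len(fields) != 4 or fields[0] != "pbkdf2-sha256":
        raise ValueError("unsupported or unsalted hash")
    iters = int(fields[1])
    if not MIN_ITER <= iters <= MAX_ITER:  # too weak, or a CPU-exhaustion value
        raise ValueError("iteration count out of bounds")
    salt = base64.b64decode(fields[2], validate=True)
    want = base64.b64decode(fields[3], validate=True)
    return user, iters, salt, want, origin

def verify(line, user, password, trusted_origins):
    """True only for a well-formed record from a trusted origin node."""
    try:
        rec_user, iters, salt, want, origin = parse_record(line)
    except ValueError:
        return False
    if rec_user != user.upper() or origin not in trusted_origins:
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    rec = make_record("n0call", "correct horse", "XX0NODE-2")  # constructed values
    print(rec)
    print(verify(rec, "N0CALL", "correct horse", {"XX0NODE-2"}))
```

The record carries no signature, so a receiving node still depends on the peer or channel that delivered it for the integrity of the origin field.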




