[Dxspider-support] Secure node to node connection proposal

Stephen Carroll aa4u.steve at gmail.com
Sun Feb 26 11:11:33 GMT 2023


I applaud the effort put forth with this detailed proposal. However, its
implementation would rival the military encryption protocols I've dealt
with for the past 40 years. We're not trying to pass nuclear launch codes
on a highly secure network!

Yes, these proposed steps will greatly change the entire cluster system. It
will basically mean a majority of worldwide nodes will go QRT. That should
NOT be the goal of anyone, since without nodes, users and DX spots we have
no network.

REGISTRATION

I do think, at a minimum, ALL nodes should require registration... and it
should be the default (or hard-coded) in the software. However, I suggest
the registration process be completed entirely without any SysOp action.
When a new user logs into the cluster, it asks for Name, QTH, QRA and
Homenode. I would add Email to that list and change to HomeQTH and HomeQRA
as well. Once a user successfully enters this basic information they are
registered on that node. This puts the registration process in the user's
hands! In fact, maybe the system could look up via QRZ.com to ensure it's a
valid callsign, QTH and QRA. Current node users should be required to enter
the same information to complete the registration process as well (This
requires users to actually view the telnet login window on startup though,
which many don't even use anymore). We could then use the MOTD and MOTD_N
files to instruct and guide the user accordingly.

PASSWORDS

If enabled in /spider/scripts/startup, the node would automatically
generate a temporary password for the user upon login. Then the user would
be required to create their own personal password:

set/password <abc123>

Again, no SysOp input required! In fact, the initial temporary password
could be the same for ALL users to make it easier.

Just a few random thoughts...

73, Steve - AA4U



On Sun, Feb 26, 2023, 3:36 AM Mikel EA2CW via Dxspider-support <
dxspider-support at tobit.co.uk> wrote:

> After a lot of hours with some sysops already here, I have written down a
> first proposal of the first -small- step we could take, rising a bit the
> node 2 node connections. Again, this is only a basic document to start,
> not an absolute and unique truth.
> I expect to have a good open discussion among all of us to define and
> agree the path to a better dx-cluster net.
>
> NODE<>NODE SECURE CONNECTION CRITERIA:
>
> 1. Unregistered users can connect and view spots, they cannot upload any
> info into the network.
>
> 2. Registered users can login, view and also upload spots, anns, etc.
>
> 3. All registered users must have a password. Registered users without
> password would not be acceptable.
>
> 4. All nodes to which the node is connected must meet the same
> requirements.
>
> 5. The connection between nodes must be between registered nodes and
> with password, that is:
>      - set/spider [node]
>      - set/reg <node>
>      - set/password <node>
>      - set/password <node> <password>.
>      (The /spider/connect/<server> files must be modified so that the
> password is used).
>
> 6. If possible, the connection between nodes should be made via ssh or
> other secure mechanism. (Already testing a ssh tunneling protocol with
> success)
>
> 7. The connection to the RBN servers is optional from each server, but
> the received RBN spots will not be forwarded to other nodes.
>
> After -I hope- achieving an agreement, I would want to start a net where
> all the clusters connected meet the agreed conditions.
> I ask you the sysops who already meet them or with this aim, to contact
> me and other partners in the same position for a -probably- slow but
> firm evolution.
>
>
> POSSIBLE NEXT STEPS IN THE FUTURE
>
> * A protocol should be designed within the dx-cluster standard to share
> hashed passwords between nodes, avoiding the need to register multiple
> times the same user in different nodes and reducing the maintenance
> tasks of each sysop. This information, i.e. (user:hash:origin_cluster)
> could later be broadcast around the net and/or being also
> distributed via config files as we already do, i.e. with bad IPs, and
> stored on each node.
>
> * The connections of identified nodes / users to any node should be made
> always using secured connections. No more telnet usr/pwd open
> transmissions should be allowed.
>
> * The secure connection system should be implemented as a part of the
> server programs (as telnet is now) avoiding the added complexity of
> creating tunnels between each pair of servers. This system could be used
> for secure connection between nodes as well as for connection and
> identification of users, who could continue to access in an insecure way
> -without the ability to upload information to the network. It would keep
> the connection system of the current client softwares unchanged.
>
>
>
> Hope we can discuss all this among us, securing the future of an open,
> safe and not hierarchically structured. This philosophy is IMHO the one
> that has kept alive the dxcluster network during so many years/decades.
>
> Thank you and 73 de Mikel EA2CW
>
>
>
>
> --
> ea2cw at gautxori.com
> Bilbao, Bizkaia. IN83MG
> http://radio.gautxori.com
> http://qrz.com/db/ea2cw
> https://t.me/EA2CW
>
>
>
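The `user:hash:origin_cluster` record from the quoted proposal, as an added example that is not part of either message or of DXSpider's code. A record broadcast around the net is readable by every node, so this sketch uses a per-user random salt and a slow key-derivation function. The PBKDF2-HMAC-SHA256 choice, the iteration count, the `$`-separated layout of the hash field, the function names and the callsigns are all assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters; the proposal does not name a hash algorithm or cost.
ITERATIONS, DKLEN, SCHEME = 600_000, 32, "pbkdf2-sha256"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DKLEN)


def make_record(user: str, password: str, origin: str) -> str:
    """Build 'user:hash:origin_cluster' with a fresh random salt per user."""
    if ":" in user or ":" in origin:
        raise ValueError("callsign fields must not contain ':'")
    salt = os.urandom(16)
    fields = (SCHEME, str(ITERATIONS),
              base64.urlsafe_b64encode(salt).decode("ascii"),
              base64.urlsafe_b64encode(_derive(password, salt)).decode("ascii"))
    return f"{user.upper()}:{'$'.join(fields)}:{origin.upper()}"


def verify_record(record: str, user: str, password: str) -> bool:
    """Check a login against a record received from another node; fail closed."""
    try:
        rec_user, hash_field, _origin = record.split(":")
        scheme, iterations, salt_b64, digest_b64 = hash_field.split("$")
        # Pin scheme and cost so a forwarded record cannot downgrade them
        # or make this node burn CPU on an oversized iteration count.
        if scheme != SCHEME or int(iterations) != ITERATIONS:
            return False
        salt = base64.urlsafe_b64decode(salt_b64)
        expected = base64.urlsafe_b64decode(digest_b64)
        same_user = hmac.compare_digest(rec_user.encode("utf-8"), user.upper().encode("utf-8"))
        # Constant-time comparison of the derived key with the stored one.
        return same_user and hmac.compare_digest(_derive(password, salt), expected)
    except ValueError:
        return False
```

The record carries no proof of which node issued it, so the `origin_cluster` field is only as trustworthy as the link it arrived over.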