[Dxspider-support] Secure node to node connection proposal

Stephen Carroll aa4u.steve at gmail.com
Sun Feb 26 19:27:12 GMT 2023


Dirk,

Just to be clear, I was not suggesting email addresses or definitely NOT
passwords be populated throughout the network. The email requirement for
local registration is strictly for SysOp use to contact the user. My ideas
on local registration (by default) and password usage (as a user option)
would require LESS input from the SysOp and land solely with the user. If
registration becomes mandatory (which I support), under the current
configuration that would require too much keyboard input and cups of tea by
the SysOp. I'm hoping my earlier suggestions would do away with that burden.

Signing off now...

73, Steve - AA4U


On Sun, Feb 26, 2023, 10:54 AM Dirk Koopman via Dxspider-support <
dxspider-support at tobit.co.uk> wrote:

> I must agree with Steve that mandating SSL/HTTPS for internode or user
> connections is a step too far and is a solution for a problem that does
> not really exist. And, even if it starts to exist in the future, there
> is enough hardening in the code already to deal with it (yes, yes I know
> - hostages, fortunes etc). But, in a separate email, I have made a
> suggestion as to how it *could* be done - if someone cares to do the
> work and contribute that to the "product".
>
> But I would have to add that, even if SSL connections were implemented,
> I disagree profoundly that explicitly sharing registrations and
> passwords through the network (whether encrypted or not) is a good idea.
>
> If users want to use the same password on two or three nodes, I want
> them to do that themselves. Making users register in the way outlined
> below provides just enough friction to prevent random "node tourism".
> What controls are going to be effective if some bad actor (finally)
> registers on one node, has his (pronoun deliberately chosen) credentials
> carefully (and securely) transferred to every other node - which then
> allows him to wander around all the nodes at will, spreading ordure as
> he goes?
>
> So I am for all users to register on each node that they use AND
> (probably worse from the ungodly user's point of view) have the node
> check that they use the same details as that node may already have
> acquired (some of which will not be displayable to unprivileged users)
> through PC41 or, now increasingly likely, PC91 'all in one' sentence.
>
> To answer Steve's suggestions below, I think I could implement this and it
> is a good way to go. It is on the TODO list.
>
> Thank you Steve.
>
> 73 Dirk G1TLH
>
> On 26/02/2023 11:11, Stephen Carroll via Dxspider-support wrote:
> > I applaud the effort put forth with this detailed proposal. However,
> > its implementation would rival the military encryption protocols I've
> > dealt with for the past 40 years. We're not trying to pass nuclear
> > launch codes on a highly secure network!
> >
> > Yes, these proposed steps will greatly change the entire cluster
> > system. It will basically mean a majority of worldwide nodes will go
> > QRT. That should NOT be the goal of anyone, since without nodes, users
> > and DX spots we have no network.
> >
> > REGISTRATION
> >
> > I do think, at a minimum, ALL nodes should require registration... and
> > it should be the default (or hard-coded) in the software. However, I
> > suggest the registration process be completed entirely without any
> > SysOp action. When a new user logs into the cluster, it asks for Name,
> > QTH, QRA and Homenode. I would add Email to that list and change to
> > HomeQTH and HomeQRA as well. Once a user successfully enters this
> > basic information they are registered on that node. This puts the
> > registration process in the user's hands! In fact, maybe the system
> > could look up via QRZ.com to ensure it's a valid callsign, QTH and QRA.
> > Current node users should be required to enter the same information to
> > complete the registration process as well (This requires users to
> > actually view the telnet login window on startup though, which many
> > don't even use anymore). We could then use the MOTD and MOTD_N files
> > to instruct and guide the user accordingly.
> >
> > PASSWORDS
> >
> > If enabled in /spider/scripts/startup, the node would automatically
> > generate a temporary password for the user upon login. Then the user
> > would be required to create their own personal password:
> >
> > set/password <abc123>
> >
> > Again, no SysOp input required! In fact, the initial temporary
> > password could be the same for ALL users to make it easier.
> >
> > Just a few random thoughts...
> >
> > 73, Steve - AA4U
> >
> >
>
>