axspawn and security on the air

axspawn and security on the air

[J. Lance Cotton]

Hi,

I am working on setting up an digi-ned based APRS digipeater and I want to 
have ax25d listen for a very restricted set of connections for remote 
administering of the digipeater.

I plan on restricting connections to local-only (no digi-hops) connections 
from authorized admin callsigns. Based on what I read in the AX.25 HOWTO, I 
should use an axspawn command to open up a shell once the connection is made.

The background to my question is this: If I leave the password for an admin 
user blank, some rogue user could easily change their TNC to use an admin 
callsign and wreak havoc. If I require a password for user login, the password 
is transmitted plaintext, right? Same situation as before.

This machine will hopefully, eventually be connected to the Internet, where 
ssh connections are more bandwidth-appropriate, but I want to have the ability 
to remote administer this computer over the air with minimal possibility for 
abuse.

Is insecurity of this type just a given with regard to wireless amateur 
connections?

-Lance
-- 
J. Lance Cotton, KJ5O
http://map.findu.com/kj5o-14
joe@lightningflash.net

Re: axspawn and security on the air

[Tim Neu]

On Wed, May 28, 2003 at 09:38:18AM -0500, J. Lance Cotton wrote:
> Hi,
> 
> I am working on setting up an digi-ned based APRS digipeater and I want to 
> have ax25d listen for a very restricted set of connections for remote 
> administering of the digipeater.
> 
> I plan on restricting connections to local-only (no digi-hops) connections 
> from authorized admin callsigns. Based on what I read in the AX.25 HOWTO, I 
> should use an axspawn command to open up a shell once the connection is 
> made.
> 
> The background to my question is this: If I leave the password for an admin 
> user blank, some rogue user could easily change their TNC to use an admin 
> callsign and wreak havoc. If I require a password for user login, the 
> password is transmitted plaintext, right? Same situation as before.
> 
> This machine will hopefully, eventually be connected to the Internet, where 
> ssh connections are more bandwidth-appropriate, but I want to have the 
> ability to remote administer this computer over the air with minimal 
> possibility for abuse.
> 
> Is insecurity of this type just a given with regard to wireless amateur 
> connections?

How serious are you?  

You could get something like a SecurID token card, but they would be an expensive solution.   
(these cards have a number that changes every few seconds, used to authenticate).

A number of other programs use a math challenge. 

There may be other ways of using one-time passwords. 


Some people have also told me that the verbage of the FCC rules does not forbid using encryption for passwords.

Sec. 97.113 Prohibited transmissions. (a)4 forbids "messages in codes or ciphers intended to obscure the meaning
thereof".  

The theories are: 
a. A password is not a "message". 
b. Even if it was, it does not have a meaning which could be obscured.   (I wouldn't buy this one, seeing as there is
obviously a literal meaning being obscured).

I would say "a" is more sound than "b", but I do not bet my ham license on either.   It would be interesting to get
feedback from the FCC on this, though.   If they came right out and clarified the situation, I might start using
encrypted passwords. 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
______         _ __                          Military Intelligence
  /           ' )  )        -KC0LQL-         Honest Politician
 / o ______    /  / _  . .                   Intellectual Property  
/ <_/ / / <   /  (_</_(_/_  -- tneu@visi.com / http://www.visi.com/~tneu --

Re: axspawn and security on the air

[J. Lance Cotton]

I am not serious enough to worry about the SecurID solution. I guess it's not 
a big deal, since I don't plan on remote adminstering too often.

I would bet my ham license on being able to use encryption for authentication. 
I think the FCC looks more at the spirit of the rules than the exact (and 
ambiguous at times) letter of the rules. So long as you can show that whatever 
you are encrypting (password) carries no information if asked. The problem 
would just be possible abuse (I swear that 16k encrypted chunk of data is my 
password, not an order for 2000 widgets for my company!).

I just recalled using the s/key one-time-password system at school once, so I 
will look into that. It seems to be a good solution: secure and low-bandwidth.

Best regards,
Lance Cotton

Tim Neu wrote:

> On Wed, May 28, 2003 at 09:38:18AM -0500, J. Lance Cotton wrote:
> 
>>Hi,
>>
>>I am working on setting up an digi-ned based APRS digipeater and I want to 
>>have ax25d listen for a very restricted set of connections for remote 
>>administering of the digipeater.
>>
>>I plan on restricting connections to local-only (no digi-hops) connections 
>>from authorized admin callsigns. Based on what I read in the AX.25 HOWTO, I 
>>should use an axspawn command to open up a shell once the connection is 
>>made.
>>
>>The background to my question is this: If I leave the password for an admin 
>>user blank, some rogue user could easily change their TNC to use an admin 
>>callsign and wreak havoc. If I require a password for user login, the 
>>password is transmitted plaintext, right? Same situation as before.
>>
>>This machine will hopefully, eventually be connected to the Internet, where 
>>ssh connections are more bandwidth-appropriate, but I want to have the 
>>ability to remote administer this computer over the air with minimal 
>>possibility for abuse.
>>
>>Is insecurity of this type just a given with regard to wireless amateur 
>>connections?
> 
> 
> How serious are you?  
> 
> You could get something like a SecurID token card, but they would be an expensive solution.   
> (these cards have a number that changes every few seconds, used to authenticate).
> 
> A number of other programs use a math challenge. 
> 
> There may be other ways of using one-time passwords. 
> 
> 
> Some people have also told me that the verbage of the FCC rules does not forbid using encryption for passwords.
> 
> Sec. 97.113 Prohibited transmissions. (a)4 forbids "messages in codes or ciphers intended to obscure the meaning
> thereof".  
> 
> The theories are: 
> a. A password is not a "message". 
> b. Even if it was, it does not have a meaning which could be obscured.   (I wouldn't buy this one, seeing as there is
> obviously a literal meaning being obscured).
> 
> I would say "a" is more sound than "b", but I do not bet my ham license on either.   It would be interesting to get
> feedback from the FCC on this, though.   If they came right out and clarified the situation, I might start using
> encrypted passwords. 
> 

-- 
J. Lance Cotton, KJ5O
http://map.findu.com/kj5o-14
joe@lightningflash.net

Re: axspawn and security on the air

[Tim Neu]

On Wed, May 28, 2003 at 10:09:43AM -0500, J. Lance Cotton wrote:
> I am not serious enough to worry about the SecurID solution. I guess it's 
> not a big deal, since I don't plan on remote adminstering too often.
> 
> I would bet my ham license on being able to use encryption for 
> authentication. I think the FCC looks more at the spirit of the rules than 
> the exact (and ambiguous at times) letter of the rules. So long as you can 
> show that whatever you are encrypting (password) carries no information if 
> asked. The problem would just be possible abuse (I swear that 16k encrypted 
> chunk of data is my password, not an order for 2000 widgets for my 
> company!).
> 
> I just recalled using the s/key one-time-password system at school once, so 
> I will look into that. It seems to be a good solution: secure and 
> low-bandwidth.

The only problem is that with a one-time authentication event, it could be fairly easy to hijack a control session in
mid-stream.   (however remote the possibility may be)

One neat solution might be digitally signing each command that requires authentication - but that is out of my
league! 

Good luck!  73s.   

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
______         _ __                          Military Intelligence
  /           ' )  )        -KC0LQL-         Honest Politician
 / o ______    /  / _  . .                   Intellectual Property  
/ <_/ / / <   /  (_</_(_/_  -- tneu@visi.com / http://www.visi.com/~tneu --

Re: axspawn and security on the air

[J. Lance Cotton]

Tim Neu wrote:

> On Wed, May 28, 2003 at 10:09:43AM -0500, J. Lance Cotton wrote:
> 
>>I just recalled using the s/key one-time-password system at school once, so 
>>I will look into that. It seems to be a good solution: secure and 
>>low-bandwidth.
> 
> 
> The only problem is that with a one-time authentication event, it could be fairly easy to hijack a control session in
> mid-stream.   (however remote the possibility may be)
> 
> One neat solution might be digitally signing each command that requires authentication - but that is out of my
> league! 

Way out of my league too. Plus I think the bandwidth requirements for a 
signature along with the command is sort of poor amateur practice on the 
144.39 APRS frequency, unless I set up a second control radio/TNC on 440. Hmm.

> Good luck!  73s.   

Thanks for the advice and help!

-Lance
-- 
J. Lance Cotton, KJ5O
http://map.findu.com/kj5o-14
joe@lightningflash.net

Re: axspawn and security on the air

[M Taylor]

On Wed, May 28, 2003 at 10:01:12AM -0500, Tim Neu wrote:
> On Wed, May 28, 2003 at 09:38:18AM -0500, J. Lance Cotton wrote:

> > The background to my question is this: If I leave the password for an admin 
> > user blank, some rogue user could easily change their TNC to use an admin 
> > callsign and wreak havoc. If I require a password for user login, the 
> > password is transmitted plaintext, right? Same situation as before.
> > 
> > This machine will hopefully, eventually be connected to the Internet, where 
> > ssh connections are more bandwidth-appropriate, but I want to have the 
> 
> A number of other programs use a math challenge. 
> 
> There may be other ways of using one-time passwords. 

Public Key cryptography (PKC) that uses DSA (digital signature
algorithm) rather than RSA for authenication, with no (bulk) transport
encryption may be within the spirit of not obscuring the message,
as DSA is designed to be usable for digital signatures, not for
(message) encryption there is little chance that such packets
are possibly anything else.

So ssh with DSA public keys, and no (NULL) transport encryption may
fall within allowable by the rules of FCC (and perhaps other countries).
You may need to recompile openssh/openssl to enable NULL encryption.

I have not had time to take this to RAC and Industry Canada for guidence
for use in Canada.

The safest method that should is legal is to use a one-time password
method, there are some debain packages available (maybe named S/Key).
You send the password in the clear, but after it is used, it is not
longer valid. The next time you would login using the next password
from either a calculator or from a pre-generated list.

-ve1mct

Re: axspawn and security on the air

[Thomas Osterried]

> callsign and wreak havoc. If I require a password for user login, the 
> password is transmitted plaintext, right? Same situation as before.

with our digi / mailbox db0tud, we do it this way:

users have empty passwords.

if we need to authenticate for administration (root access), we use
the package "root"
(see http://x-berg.in-berlin.de/cgi-bin/viewcvs.cgi/ampr/root/ for details).

"md5root" uses a md5-based hashing algorithm like it is used by the bbs'es
(dpbox, etc..). root is suid bit. if the challenge response is ok,
a uid-0 shell is spawned. no plaintext password is transmitted.

but be aware that ax25 sessions as well as tcp sessions could be overtaken
by another user. on the other hand, it's ham community, not inet..

73,
	- thomas

Re: axspawn and security on the air

[Ken Koster]

In a previous message, KJ5O says

>I am working on setting up an digi-ned based APRS digipeater and I want to 
>have ax25d listen for a very restricted set of connections for remote 
>administering of the digipeater.
>
>I plan on restricting connections to local-only (no digi-hops) connections 
>from authorized admin callsigns. Based on what I read in the AX.25 HOWTO, I 
>should use an axspawn command to open up a shell once the connection is made.

>The background to my question is this: If I leave the password for an admin 
>user blank, some rogue user could easily change their TNC to use an admin 
>callsign and wreak havoc. If I require a password for user login, the password 
>is transmitted plaintext, right? Same situation as before.

Why bother with axspawn at all?  Since you're making direct connections 
just use SSH, it's not unusable at 1200b, maybe a bit slow but I do it all
the time.

>
>This machine will hopefully, eventually be connected to the Internet, where 
>ssh connections are more bandwidth-appropriate, but I want to have the ability 
>to remote administer this computer over the air with minimal possibility for 
>abuse.

I remote administer five of our local machines with SSH, some at 1200b, some
at 9600b and several hops away.  VI is even usable at 9600, tolerable 
at 1200 :-)


Ken,  N7IPB

Re: axspawn and security on the air

[Steve Fraser]

Hi All,

 KJ5O said
>
> >I am working on setting up an digi-ned based APRS digipeater and I want
to
> >have ax25d listen for a very restricted set of connections for remote
> >administering of the digipeater.
> >
and Ken Koster responded:

>> Why bother with axspawn at all?  Since you're making direct connections
> just use SSH, it's not unusable at 1200b, maybe a bit slow but I do it all
> the time.
>
I use deslogin for the very same reason. It's probably not quite as secure
as SSH, but it doesnt seem have the same overhead when typing single
characters from the keyboard.

Of course, the regulatory validity of this may be questioned :-) but I think
its a very valid requirement for remote administration - especially when
adding new users and THEIR passwords!

73

Steve, vk5asf

Again TNOS

[Marco iw7eas]

Hi....
Thanks to Paul ae6jn, now I'm running a stable version of TNOS v2.40..
Now I've some problems connecting the tnos on radio ports.
TNOS answers *** connected to IW7CHV-7 and nothing else...
I'm sure that I did mistake in autoexec.nos, confusing ax25 mycall, ax25
user, linkaddress,
ip call, ecc..
So...Do someone have an example of working autoexec.nos ?
In this way I'll learn more more and much more...

Thank you
Marco
iw7eas