Re: Moving telnet/telnetd from base to pkgsrc
On Tue 18 Dec 2018 at 09:02:45 -0500, Thor Lancelot Simon wrote:
> Apple removed it from OS X and it's a big pain in the ass. I'd suggest
> fix it (going at it with a big torch if necessary to remove likely dead
> and likely dangerous code -- many/most of the options, even things like
> linemode) and keep it.

Isn't linemode used by default when not connecting to a port with telnet negotiation? That's how you can edit your line when you mistype GET / HTTP/1.0.

Or maybe that is the "old line by line" mode that telnet(1) speaks of. Or these could be the same thing (telnet> mode ? suggests that)

-Olaf.
--
___ Olaf 'Rhialto' Seibert -- "What good is a Ring of Power
\X/ rhialto/at/falu.nl -- if you're unable...to Speak." - Agent Elrond
Re: Moving telnet/telnetd from base to pkgsrc
Date: Wed, 19 Dec 2018 08:06:19 +1030
From: Brett Lymn
Message-ID: <20181218213619.gb1...@internode.on.net>

| I don't do this personally but I think there are people out there that
| have older, slower machines on their local network

Aside from that, telnet is quite suitable for communicating between DomU's on the same Dom0, or between Dom0 and its DomU's (where the only mitm is the hypervisor...)

kre
Re: Moving telnet/telnetd from base to pkgsrc
On Tue, Dec 18, 2018 at 09:02:45AM -0500, Thor Lancelot Simon wrote:
>
> I see far less reason to keep the daemon than the client.

I don't do this personally but I think there are people out there that have older, slower machines on their local network that take an inordinate amount of time to perform a ssh key exchange so telnet may be a better option for them. If people choose to punch holes in their feet using our provided tools then let it be on their heads. We don't ship with telnetd enabled, if someone chooses to enable it then that is up to them. Taking it away from them sort of smacks of condescension... "you are not smart enough to have this", something that OpenBSD has a habit of doing and I find that annoying to be honest.

> But walking
> up to a purportedly Unix system and finding that I don't have "telnet"
> for quick TCP connection testing and have to use nc with all its weird
> options that are inconsistent from version to version and annoying
> behaviours like refusal to transmit ^C is, to me, even more repellent
> than encountering color ls.
>

Yes, totally agree with this. One of my first actions when troubleshooting a network connection problem on a recent linux machine is to install telnet (and disable colour ls).

--
Brett Lymn
"We are were wolves", "You mean werewolves?", "No we were wolves, now we are something else entirely", "Oh"
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 10:08:00PM +, Taylor R Campbell wrote:
>
> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.

Apple removed it from OS X and it's a big pain in the ass. I'd suggest fix it (going at it with a big torch if necessary to remove likely dead and likely dangerous code -- many/most of the options, even things like linemode) and keep it. I'd be glad to help.

I see far less reason to keep the daemon than the client. But walking up to a purportedly Unix system and finding that I don't have "telnet" for quick TCP connection testing and have to use nc with all its weird options that are inconsistent from version to version and annoying behaviours like refusal to transmit ^C is, to me, even more repellent than encountering color ls.

Thor
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 17, 10:24am, Marc Balmer wrote:
} > On 17.12.2018 at 08:57, Martin Husemann wrote:
} > On Sat, Dec 15, 2018 at 10:43:14PM +0100, Marc Balmer wrote:
} >> To me it looks like one or two people don't like telnet and have become
} >> very vocal and loud about removing it and did not invest a lot of thought
} >> in to the cause. Yes, I call them ***
} >
} > Name calling and other personal insults have no place in our mailing lists.
} > Please keep discussion content technical. We will deal with the incident
} > privately.
}
} I want to clear a few things.
}
} An insult was not intended at all, I am sorry if you or someone
} else was insulted.
}
} When I wrote "dummies" I actually meant that they did not think
} the consequences to the end, I am not aware of any other meanings
} of that word.

Realizing that English is probably not your first language, I'll just point out the word "dummy" is often used as a synonym for "stupid" or "idiot". In terms of grades, it's a more minor insult, but the implication is there. However, failing to think about consequences is certainly a problem. Posting inflammatory comments is likely to get one burned.

} As from a technical point of view, I think that both telnet and
} telnetd have their valid uses, e.g. in a VPN/Ipsec environment,

True, and this is the reason for the pushback.

} where using ssh results in double encryption.
}
}-- End of excerpt from Marc Balmer
Re: Moving telnet/telnetd from base to pkgsrc
> On 17.12.2018 at 08:57, Martin Husemann wrote:
>
> On Sat, Dec 15, 2018 at 10:43:14PM +0100, Marc Balmer wrote:
>> To me it looks like one or two people don't like telnet and have become
>> very vocal and loud about removing it and did not invest a lot of thought
>> in to the cause. Yes, I call them ***
>
> Name calling and other personal insults have no place in our mailing lists.
> Please keep discussion content technical. We will deal with the incident
> privately.

I want to clear a few things.

An insult was not intended at all, I am sorry if you or someone else was insulted.

When I wrote "dummies" I actually meant that they did not think the consequences to the end, I am not aware of any other meanings of that word. To me that word is at the very most a very mild form of "personal insult" as you named it. However, that was not intended. Unfortunately I have to realize that my wording was not wisely chosen, again, sorry about that. So here you have it, my apology.

As from a technical point of view, I think that both telnet and telnetd have their valid uses, e.g. in a VPN/Ipsec environment, where using ssh results in double encryption.
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 10:43:14PM +0100, Marc Balmer wrote:
> To me it looks like one or two people don't like telnet and have become
> very vocal and loud about removing it and did not invest a lot of thought
> in to the cause. Yes, I call them ***

Name calling and other personal insults have no place in our mailing lists.
Please keep discussion content technical. We will deal with the incident
privately.

Martin
on behalf of the Membership Committee.
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 16, 4:16pm, m...@netbsd.org wrote:
}
} I asked to delete it but I was told it'd be socially inconvenient to do
} so right now. You're a difficult bunch.

No, actually we aren't.

}-- End of excerpt from m...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 08:11:09PM +, David Holland wrote:
> I have found the 0.18pre1 tarballs if anyone wants them.

Please share :-)
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 07:02:27PM +, m...@netbsd.org wrote:
> On Sun, Dec 16, 2018 at 01:54:24PM -0500, Christos Zoulas wrote:
> > On Dec 16, 6:05pm, dholland-t...@netbsd.org (David Holland) wrote:
> > -- Subject: Re: Moving telnet/telnetd from base to pkgsrc
> >
> > | On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
> > | > I have already started fixing the telnet client code. There is not
> > | > so much of it...
> > |
> > | Good luck with that.
> > |
> > | You want the diffs from my attempts twenty years ago or would you
> > | rather repeat that work? :-/
> >
> > Send them over.
> >
> > christos

Here is the diff:
https://www.netbsd.org/~dholland/tmp/netkit-telnet-0.18pre.diff

12000 lines...

> They're also hosted here:
>
> 0.17 release:
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/netkit-telnet/0.17-41.1/netkit-telnet_0.17.orig.tar.gz
> patches from debian:
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/netkit-telnet/0.17-41.1/netkit-telnet_0.17-41.1.debian.tar.xz
> patches from fedora:
> https://src.fedoraproject.org/cgit/rpms/telnet.git/tree/

0.17 wasn't the latest; there was an 0.18pre1 and apparently an 0.18pre1a, but I don't remember the circumstances and they may not have got pushed out very far. I have found the 0.18pre1 tarballs if anyone wants them.

Note that the 0.18pre README for telnet says

   The attempt to clean up telnet failed utterly. While this code base
   will still be maintained, features or major changes will not be
   accepted. (Unless they're substantial cleanups... but don't waste
   your time.) If you feel the urge to hack the telnet protocol, write
   a new implementation. The world will thank you.

"will still be maintained" did not turn out to be very true, although apparently brave folks from debian and redhat still have been to some extent. Anyone doing anything with this should also pull in the existing debian and redhat patches.

Plus while looking at it over the last couple days I noticed that ringbuf_printf in ring.c does the wrong thing on snprintf overflow and sends trash to the other end, which probably leaks local addresses. That should get fixed as part of any kind of merge. Also carray.[ch] is an old version of code we now have elsewhere in the tree and probably still has at least one bug that was found in that code since 2002...

--
David A. Holland
dholl...@netbsd.org
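The snprintf failure mode mentioned above for ringbuf_printf, shown as an added example (not netkit-telnet's code, and not part of the original message): a common way to get this wrong is to use the return value of vsnprintf as the number of bytes to send, although on truncation it is the length the full string would have had. The struct, the function names and the sample address are constructed for illustration, and the neighbouring memory is modelled as part of one array so the over-read is deterministic.

```c
/* Added illustration: NOT netkit-telnet's ring.c. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH 16              /* size of the formatting buffer */

/* Constructed sample of unrelated local state (TEST-NET-1 address). */
static const char LOCAL_STATE[] = "ADDR=192.0.2.10";

struct conn {
    /* mem[0..SCRATCH) is the scratch buffer; the rest models whatever
     * happens to sit next to it in memory. Using one array keeps the
     * demo well-defined C while still showing the over-read. */
    unsigned char mem[64];
    unsigned char out[64];      /* bytes queued for the peer */
    size_t outlen;
};

static void conn_init(struct conn *c)
{
    memset(c, 0, sizeof *c);
    memcpy(c->mem + SCRATCH, LOCAL_STATE, sizeof LOCAL_STATE - 1);
}

static int queue_bytes(struct conn *c, const unsigned char *p, size_t n)
{
    if (n > sizeof c->out - c->outlen)
        return -1;              /* output queue full */
    memcpy(c->out + c->outlen, p, n);
    c->outlen += n;
    return (int)n;
}

/* Flawed: treats vsnprintf's return value as "bytes written". */
static int emit_unchecked(struct conn *c, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf((char *)c->mem, SCRATCH, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n > sizeof c->mem)
        n = (int)sizeof c->mem; /* demo-only bound on the modelled memory */
    return queue_bytes(c, c->mem, (size_t)n);
}

/* Hardened: a result >= the buffer size means truncation; queue nothing. */
static int emit_checked(struct conn *c, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf((char *)c->mem, SCRATCH, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= SCRATCH)
        return -1;
    return queue_bytes(c, c->mem, (size_t)n);
}

/* Returns 1 if needle appears anywhere in the queued output. */
static int leaked(const struct conn *c, const char *needle)
{
    size_t n = strlen(needle);

    for (size_t i = 0; i + n <= c->outlen; i++)
        if (memcmp(c->out + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *name = "a-very-long-terminal-type-name"; /* constructed input */
    struct conn a, b;

    conn_init(&a);
    conn_init(&b);
    int ra = emit_unchecked(&a, "TTYPE %s", name);
    int rb = emit_checked(&b, "TTYPE %s", name);
    printf("unchecked: queued %d bytes, local state sent: %d\n", ra, leaked(&a, LOCAL_STATE));
    printf("checked:   result %d, local state sent: %d\n", rb, leaked(&b, LOCAL_STATE));
    return 0;
}
```

Rejecting the oversized message is one policy; sending only the first SCRATCH - 1 bytes or formatting into a larger buffer are alternatives, as long as the length sent never exceeds what was actually written.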
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 01:54:24PM -0500, Christos Zoulas wrote:
> On Dec 16, 6:05pm, dholland-t...@netbsd.org (David Holland) wrote:
> -- Subject: Re: Moving telnet/telnetd from base to pkgsrc
>
> | On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
> | > I have already started fixing the telnet client code. There is not
> | > so much of it...
> |
> | Good luck with that.
> |
> | You want the diffs from my attempts twenty years ago or would you
> | rather repeat that work? :-/
>
> Send them over.
>
> christos

They're also hosted here:

0.17 release:
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/netkit-telnet/0.17-41.1/netkit-telnet_0.17.orig.tar.gz
patches from debian:
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/netkit-telnet/0.17-41.1/netkit-telnet_0.17-41.1.debian.tar.xz
patches from fedora:
https://src.fedoraproject.org/cgit/rpms/telnet.git/tree/
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 16, 6:05pm, dholland-t...@netbsd.org (David Holland) wrote:
-- Subject: Re: Moving telnet/telnetd from base to pkgsrc

| On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
| > I have already started fixing the telnet client code. There is not
| > so much of it...
|
| Good luck with that.
|
| You want the diffs from my attempts twenty years ago or would you
| rather repeat that work? :-/

Send them over.

christos
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 06:14:37PM +, m...@netbsd.org wrote:
> On Sun, Dec 16, 2018 at 06:05:55PM +, David Holland wrote:
> > On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
> > > I have already started fixing the telnet client code. There is not
> > > so much of it...
> >
> > Good luck with that.
> >
> > You want the diffs from my attempts twenty years ago or would you
> > rather repeat that work? :-/
> >
>
> Your twenty year old version is still the most popular implementation!

.. But it was hard to diff to it because of all the whitespace changes, so I have been mostly looking at openbsd.
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 06:05:55PM +, David Holland wrote:
> On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
> > I have already started fixing the telnet client code. There is not
> > so much of it...
>
> Good luck with that.
>
> You want the diffs from my attempts twenty years ago or would you
> rather repeat that work? :-/
>

Your twenty year old version is still the most popular implementation!
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 04:37:30PM +, Christos Zoulas wrote:
> I have already started fixing the telnet client code. There is not
> so much of it...

Good luck with that.

You want the diffs from my attempts twenty years ago or would you rather repeat that work? :-/

--
David A. Holland
dholl...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 04:24:54PM +, m...@netbsd.org wrote:
> > > Given that a large fraction of respondents (though not all) indicated
> > > that their primary use of telnet is to test reachability of a server
> > > or manually enter SMTP or HTTP requests over the internet -- a use
> > > which is adequately served by the much smaller and much more
> > > confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> > > serious danger that warrants the scrutiny it is getting.
> >
> > If somebody knows the details of such a bug and wants to fix it, that
> > seems uncontroversial. But we don't seem to be talking about that.
>
> https://mail-index.netbsd.org/source-changes/2018/12/12/msg101400.html
> It being so trivial is embarrassing and a sign someone should have long
> ago stepped in and made sense of the code.

Nobody is going to step in and make sense of the code, because the code is beyond such measures. Cthulhu ph'tagn.

If we really need a telnet client in base -- it seems to me that most of the arguments in this thread are blowing smoke, but whatever -- we need to write a new one.

--
David A. Holland
dholl...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Sun, 16 Dec 2018 16:16:20 +
> From: m...@netbsd.org
>
> Kerberos is only in authentication. The encryption code in the program
> is DES.
> I asked to delete it but I was told it'd be socially inconvenient to do
> so right now. You're a difficult bunch.

That is not true, and you know it, and you're apparently deliberately making it hard not to be difficult with you.

I asked that a prerequisite for deletion be a nonjudgmental survey of its current users -- who I would guess use it for compatibility with existing applications rather than for security -- and I pointed out that a time when there is a heated discussion going on about a related topic, full of disrespect and misrepresentations and insults, is a bad time to even pretend to administer a nonjudgmental survey.
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 10:33:25AM -0500, Greg Troxel wrote:
> Taylor R Campbell writes:
>
> > Given that a large fraction of respondents (though not all) indicated
> > that their primary use of telnet is to test reachability of a server
> > or manually enter SMTP or HTTP requests over the internet -- a use
> > which is adequately served by the much smaller and much more
> > confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> > serious danger that warrants the scrutiny it is getting.
> >
> > [*] Whether it can lead to arbitrary code execution, I don't know, and
> >     I'm not interested in studying further to find out; it doesn't
> >     take much to get arbitrary code execution, like a single null byte
> >     heap buffer overflow:
> >
> >     https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
>
> If somebody knows the details of such a bug and wants to fix it, that
> seems uncontroversial. But we don't seem to be talking about that.

https://mail-index.netbsd.org/source-changes/2018/12/12/msg101400.html
It being so trivial is embarrassing and a sign someone should have long ago stepped in and made sense of the code.
Re: Moving telnet/telnetd from base to pkgsrc
On Sun, Dec 16, 2018 at 10:30:22AM -0500, Greg Troxel wrote:
> > What's the deal with IPSEC?
>
> The protocol is called IPsec (and often miscapitalized), and our kernel
> option is IPSEC.
>
> > I've never used it, but I was under the impression it gives encryption
> > for free for things that otherwise don't have it.
>
> It provides confidentiality and data origin authentication at the IP
> level, via a per-packet protocol called Encapsulating Security Protocol.
>
> In this respect it is sort of like TLS, but operating at the IP layer
> rather than the TCP layer.
>
> However, implementations of it are OS services, rather than code in user
> space. (But the key management is in user space.)
>
> > Do all the programs need to have ipsec-specific goo to use it? telnet
> > does, as well as having its own encryption code.
>
> No. One configures the use of IPsec via Security Policy Database
> entries, which in NetBSD are managed via setkey(8).
>
> The encryption in telnet is I believe Kerberos. Kerberos predates IPsec
> by a lot, and is based on symmetric cryptography only (which is all that
> was feasible in the early 80s). As far as I know, Kerberos processing
> is always done within the application program rather than being a kernel
> service.

Kerberos is only in authentication. The encryption code in the program
is DES.
I asked to delete it but I was told it'd be socially inconvenient to do
so right now. You're a difficult bunch.
Re: Moving telnet/telnetd from base to pkgsrc
Taylor R Campbell writes:

> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.
>
> [*] Whether it can lead to arbitrary code execution, I don't know, and
>     I'm not interested in studying further to find out; it doesn't
>     take much to get arbitrary code execution, like a single null byte
>     heap buffer overflow:
>
>     https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

If somebody knows the details of such a bug and wants to fix it, that seems uncontroversial. But we don't seem to be talking about that.
Re: Moving telnet/telnetd from base to pkgsrc
> What's the deal with IPSEC?

The protocol is called IPsec (and often miscapitalized), and our kernel option is IPSEC.

> I've never used it, but I was under the impression it gives encryption
> for free for things that otherwise don't have it.

It provides confidentiality and data origin authentication at the IP level, via a per-packet protocol called Encapsulating Security Protocol.

In this respect it is sort of like TLS, but operating at the IP layer rather than the TCP layer.

However, implementations of it are OS services, rather than code in user space. (But the key management is in user space.)

> Do all the programs need to have ipsec-specific goo to use it? telnet
> does, as well as having its own encryption code.

No. One configures the use of IPsec via Security Policy Database entries, which in NetBSD are managed via setkey(8).

The encryption in telnet is I believe Kerberos. Kerberos predates IPsec by a lot, and is based on symmetric cryptography only (which is all that was feasible in the early 80s). As far as I know, Kerberos processing is always done within the application program rather than being a kernel service.
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, 15 Dec 2018, Taylor R Campbell wrote:

> > Date: Sat, 15 Dec 2018 22:38:10 +0100
> > From: Anders Magnusson
> >
> > I'm pretty sure that all users of telnet know what the implications
> > are. If they don't then it doesn't matter whether it is in base or not.
>
> One of the implications at the moment is that anyone on the internet
> between you and the remote host can crash your telnet client[*] with
> no user interaction beyond making a connection.
>
> This is _not_ the traditional and by now well-understood security
> problem of telnet that it has no secrecy or authentication. And
> cursory examination of the telnet code -- together with its origins in
> an era when the internet was a safe place -- does the opposite of
> inspiring confidence that this hole is isolated.
>
> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.
>
> [*] Whether it can lead to arbitrary code execution, I don't know, and
>     I'm not interested in studying further to find out; it doesn't
>     take much to get arbitrary code execution, like a single null byte
>     heap buffer overflow:
>
>     https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

How do you want me to access my local appliances (and keep in mind more and more things are "new" by calling them IoT)? Python? I hate python, and I'm really not sure how that's better than Perl, except that most of the things people want me to do on Python don't work because of whatever the Python packaging dependency hell is.

And I wish people would quit bringing Firefox into this. It takes me the better part of a week to build Firefox, when it does build, because of that rust nonsense.

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, 15 Dec 2018, Taylor R Campbell wrote:

> > Date: Sat, 15 Dec 2018 22:43:14 +0100
> > From: Marc Balmer
> >
> > To me it looks like one or two people don't like telnet and
> > have become very vocal and loud about removing it and did not invest
> > a lot of thought in to the cause. Yes, I call them dummies
>
> This is not helpful whether you think the maintenance burden or danger
> to users is worth it or not. Please apologize and in the future avoid
> this kind of counterproductive name-calling.

I'm not calling you dummies, but I would like to keep telnet. I also wanted to keep sendmail, though.

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 15, 8:13pm, m...@netbsd.org wrote:
} On Sat, Dec 15, 2018 at 01:45:04PM +0700, Robert Elz wrote:
} > Date: Fri, 14 Dec 2018 21:28:34 -0800
} > From: John Nemeth
} > Message-ID: <201812150528.wbf5syhr025...@server.cornerstoneservice.ca>
} >
} > | As kre noted, it is probably the oldest network application
} > | around. According to Wikipedia, the protocol was developed in
} > | 1969, predating TCP/IP, which means that it is probably the oldest
} > | TCP/IP application there is.
} >
} > That's actually what I meant. I have no idea in which order the BSD
} > applications were written (nor, for that matter, their original origins.)
} >
} > But if there are bugs in any of them (and that is not impossible, just as
} > with any other software) then we should simply fix them, not just declare
} > some apps as "too old, abandon it".
} >
} > I also simply cannot believe that any issue that might exist in telnet is
} > going to be any worse than firefox with a http:// URL ... and I do not see
} > anyone suggesting that firefox (and every other browser) should be
} > abandoned.
}
} firefox makes an active effort to handle such things and recently had a
} massive rewrite into a language better suited for large scale handling
} of untrusted input. They also attempt to limit the impact of bugs with

What evidence do you have that the language is better? Besides that, you can write a steaming pile of dung in any language.

} sandboxing (although this doesn't apply for netbsd)

Why not?

} We can probably get away with keeping C for simple things like telnet,
} but it takes fuzzing, love, and the willingness to limit the number of
} features.

Really?

} The discussion about telnet was something like
} "Why is doing more input processing after hitting an error? then again,
} if I change this, there's probably a Rube Goldberg mistake of engineering
} reason that it will break 80% of the remaining users of telnet (all
} four of them)"

This "all four of them" is a truly moronic comment.

} "That is absolutely what will happen. That's what happens when you touch
} telnet"
}
} Even the idea of writing a new one was rejected, because who is going to
} test it against all the legacy servers today?

The only person bringing up that idea was you, and you rejected it yourself. Given that, by your own admission, it wouldn't be functional, it makes no sense to write it.

}-- End of excerpt from m...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 15, 8:58pm, m...@netbsd.org wrote:
} A new version is easier to do without the promise of compatibility.

It's always easy to make a non-functional version of something.

} Anyway, I get it, another case of "please maintain legacy code forever
} and never make significant changes to it".

No, you don't "get it".

}-- End of excerpt from m...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 15, 7:46pm, m...@netbsd.org wrote:
} On Sat, Dec 15, 2018 at 01:45:04PM +0700, Robert Elz wrote:
} > Date: Fri, 14 Dec 2018 21:28:34 -0800
} > From: John Nemeth
} > Message-ID: <201812150528.wbf5syhr025...@server.cornerstoneservice.ca>
} >
} > | As kre noted, it is probably the oldest network application
} > | around. According to Wikipedia, the protocol was developed in
} > | 1969, predating TCP/IP, which means that it is probably the oldest
} > | TCP/IP application there is.
} >
} > That's actually what I meant. I have no idea in which order the BSD
} > applications were written (nor, for that matter, their original origins.)
} >
} > But if there are bugs in any of them (and that is not impossible, just as
} > with any other software) then we should simply fix them, not just declare
} > some apps as "too old, abandon it".
} >
} > I also simply cannot believe that any issue that might exist in telnet is
} > going to be any worse than firefox with a http:// URL ... and I do not see
} > anyone suggesting that firefox (and every other browser) should be
} > abandoned.
}
} A basic telnet client in python (taking into account the library it uses
} as well) is 800 lines.
} the netbsd telnet client is 16000 lines, taking into account libtelnet.

This tells me that the python one likely doesn't speak the telnet protocol and therefore isn't a telnet client at all.

} I literally deleted more lines of telnet than it takes to implement a
} new line by unifdef'ing dead code.
}
} Hope that gives you an indication for how great our code is.

These statements tell me absolutely nothing.

}-- End of excerpt from m...@netbsd.org
Re: Moving telnet/telnetd from base to pkgsrc
> On 15.12.2018 at 23:20, Alexander Nasonov wrote:
>
> Taylor R Campbell wrote:
>> I know English may not be your first language, so here's a couple of
>> dictionary entries if you would like to read further:
>>
>> https://en.wiktionary.org/wiki/name-calling
>> https://www.merriam-webster.com/dictionary/name-calling
>
> Patronising?

Patronising or not (though I think he is, in this case), the fact he indicates links to name calling is telling a lot about his personality. If that is the style of cooperation in this group, then good night, fellows. We should swiftly get back to technicalities.

> --
> Alex
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, 15 Dec 2018, Marc Balmer wrote:

> a lot of thought in to the cause. Yes, I call them dummies

What, no, I _never_ call anyone names! Lool

> Just to make one thing clear. I will not apologize. I see no need for that.

Rude!
Re: Moving telnet/telnetd from base to pkgsrc
Taylor R Campbell wrote:
> I know English may not be your first language, so here's a couple of
> dictionary entries if you would like to read further:
>
> https://en.wiktionary.org/wiki/name-calling
> https://www.merriam-webster.com/dictionary/name-calling

Patronising?

--
Alex
Re: Moving telnet/telnetd from base to pkgsrc
> Am 15.12.2018 um 23:17 schrieb Alexander Nasonov : > > Taylor R Campbell wrote: >> One of the implications at the moment is that anyone on the internet >> between you and the remote host can crash your telnet client[*] with >> no user interaction beyond making a connection. > > Index: ./usr.bin/telnet/telnet.1 > === > RCS file: /cvsroot/src/usr.bin/telnet/telnet.1,v > retrieving revision 1.34 > diff -p -u -u -r1.34 telnet.1 > --- ./usr.bin/telnet/telnet.1 3 Jul 2017 21:34:22 - 1.34 > +++ ./usr.bin/telnet/telnet.1 15 Dec 2018 22:15:48 - > @@ -1391,6 +1391,10 @@ Other environment variables may be propa > to the other side via the > .Dv TELNET ENVIRON > option. > +.Sh BUGS > +Anyone on the internet between you and the remote host can > +crash your telnet client with no user interaction beyond > +making a connection. > .Sh FILES > .Bl -tag -width ~/.telnetrc -compact > .It Pa ~/.telnetrc > > > Job done! Sweet! > > -- > Alex
Re: Moving telnet/telnetd from base to pkgsrc
Taylor R Campbell wrote: > One of the implications at the moment is that anyone on the internet > between you and the remote host can crash your telnet client[*] with > no user interaction beyond making a connection. Index: ./usr.bin/telnet/telnet.1 === RCS file: /cvsroot/src/usr.bin/telnet/telnet.1,v retrieving revision 1.34 diff -p -u -u -r1.34 telnet.1 --- ./usr.bin/telnet/telnet.1 3 Jul 2017 21:34:22 - 1.34 +++ ./usr.bin/telnet/telnet.1 15 Dec 2018 22:15:48 - @@ -1391,6 +1391,10 @@ Other environment variables may be propa to the other side via the .Dv TELNET ENVIRON option. +.Sh BUGS +Anyone on the internet between you and the remote host can +crash your telnet client with no user interaction beyond +making a connection. .Sh FILES .Bl -tag -width ~/.telnetrc -compact .It Pa ~/.telnetrc Job done! -- Alex
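Review bot: the new .Sh BUGS section is inserted ahead of .Sh FILES, but the conventional mdoc section order puts BUGS near the end of the page, after FILES and SEE ALSO, so it should move there. The three added lines also record the crash without saying what input triggers it or which revision carries a fix, which leaves a reader unable to tell whether their client is affected; naming the affected versions or pointing at the fixing commit would make the entry actionable.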
Re: Moving telnet/telnetd from base to pkgsrc
On 15.12.2018 at 23:15, Taylor R Campbell wrote:

>> Date: Sat, 15 Dec 2018 22:54:05 +0100
>> From: Marc Balmer
>>
>> On 15.12.2018 at 22:52, Taylor R Campbell wrote:
>>
>>>> Date: Sat, 15 Dec 2018 22:43:14 +0100
>>>> From: Marc Balmer
>>>>
>>>> To me it looks like one or two people don't like telnet and
>>>> have become very vocal and loud about removing it and did not invest
>>>> a lot of thought in to the cause. Yes, I call them dummies
>>>
>>> This is not helpful whether you think the maintenance burden or danger
>>> to users is worth it or not. Please apologize and in the future avoid
>>> this kind of counterproductive name-calling.
>>
>> Apologize? For what?
>>
>> Name calling? Whom did I name?
>
> `Name-calling' is an idiom in English that means applying insulting
> words to people. `Name-calling' does not necessarily entail naming
> specific persons, who in this case you implied by context.
>
> I know English may not be your first language, so here's a couple of
> dictionary entries if you would like to read further:
>
> https://en.wiktionary.org/wiki/name-calling
> https://www.merriam-webster.com/dictionary/name-calling
>
> If you want to argue semantics about how to describe how you're being
> insulting before you apologize, please take it off the list.

Just to make one thing clear. I will not apologize. I see no need for that.
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Sat, 15 Dec 2018 22:54:05 +0100
> From: Marc Balmer
>
> On 15.12.2018 at 22:52, Taylor R Campbell wrote:
>
> >> Date: Sat, 15 Dec 2018 22:43:14 +0100
> >> From: Marc Balmer
> >>
> >> To me it looks like one or two people don't like telnet and
> >> have become very vocal and loud about removing it and did not invest
> >> a lot of thought in to the cause. Yes, I call them dummies
> >
> > This is not helpful whether you think the maintenance burden or danger
> > to users is worth it or not. Please apologize and in the future avoid
> > this kind of counterproductive name-calling.
>
> Apologize? For what?
>
> Name calling? Whom did I name?

`Name-calling' is an idiom in English that means applying insulting words to people. `Name-calling' does not necessarily entail naming specific persons, who in this case you implied by context.

I know English may not be your first language, so here's a couple of dictionary entries if you would like to read further:

https://en.wiktionary.org/wiki/name-calling
https://www.merriam-webster.com/dictionary/name-calling

If you want to argue semantics about how to describe how you're being insulting before you apologize, please take it off the list.
Re: Moving telnet/telnetd from base to pkgsrc
On 15.12.2018 at 23:08, Taylor R Campbell wrote:

>> Date: Sat, 15 Dec 2018 22:38:10 +0100
>> From: Anders Magnusson
>>
>> I'm pretty sure that all users of telnet know what the implications
>> are. If they don't then it doesn't matter whether it is in base or not.
>
> One of the implications at the moment is that anyone on the internet
> between you and the remote host can crash your telnet client[*] with
> no user interaction beyond making a connection.

Block http/https and Javascript if you want security on the internet...

>
> This is _not_ the traditional and by now well-understood security
> problem of telnet that it has no secrecy or authentication. And
> cursory examination of the telnet code -- together with its origins in
> an era when the internet was a safe place -- does the opposite of
> inspiring confidence that this hole is isolated.

The internet was never a safe place and nobody ever claimed it was. It was insecure from the beginning, by design.

>
> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.

I disagree. Both telnet and telnetd are still valid citizens in NetBSD Town.

>
>
> [*] Whether it can lead to arbitrary code execution, I don't know, and
>     I'm not interested in studying further to find out; it doesn't
>     take much to get arbitrary code execution, like a single null byte
>     heap buffer overflow:
>
> https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Sat, 15 Dec 2018 22:38:10 +0100 > From: Anders Magnusson > > I'm pretty sure that all users of telnet know what the implications > are. If they don't then it doesn't matter whether it is in base or not. One of the implications at the moment is that anyone on the internet between you and the remote host can crash your telnet client[*] with no user interaction beyond making a connection. This is _not_ the traditional and by now well-understood security problem of telnet that it has no secrecy or authentication. And cursory examination of the telnet code -- together with its origins in an era when the internet was a safe place -- does the opposite of inspiring confidence that this hole is isolated. Given that a large fraction of respondents (though not all) indicated that their primary use of telnet is to test reachability of a server or manually enter SMTP or HTTP requests over the internet -- a use which is adequately served by the much smaller and much more confidence-inspiring usr.bin/nc -- I think this _does_ constitute a serious danger that warrants the scrutiny it is getting. [*] Whether it can lead to arbitrary code execution, I don't know, and I'm not interested in studying further to find out; it doesn't take much to get arbitrary code execution, like a single null byte heap buffer overflow: https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
Re: Moving telnet/telnetd from base to pkgsrc
> On 15.12.2018 at 23:00, m...@netbsd.org wrote:
>
>> On Sat, Dec 15, 2018 at 10:38:10PM +0100, Anders Magnusson wrote:
>>> On 2018-12-15 at 22:11, Marc Balmer wrote:
>>> Whatever.
>>>
>>> Please keep telnet and telnetd in base. They have their valid use cases.
>>>
>> Yes please. I have used both kerberized telnet and plain telnet last 12
>> months frequently.
>> I don't think it's up to us try to tell people that "this SW may be insecure
>> and we don't trust you of not knowing that, so we'll remove it instead".
>>
>> I'm pretty sure that all users of telnet know what the implications are.
>> If they don't then it doesn't matter whether it is in base or not.
>>
>> -- Ragge
>
> What's the deal with IPSEC?
> I've never used it, but I was under the impression it gives encryption
> for free for things that otherwise don't have it.
>
> Do all the programs need to have ipsec-specific goo to use it? telnet
> does, as well as having its own encryption code.

Si tacuisses...
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 10:38:10PM +0100, Anders Magnusson wrote:
> On 2018-12-15 at 22:11, Marc Balmer wrote:
> > Whatever.
> >
> > Please keep telnet and telnetd in base. They have their valid use cases.
> >
> Yes please. I have used both kerberized telnet and plain telnet last 12
> months frequently.
> I don't think it's up to us try to tell people that "this SW may be insecure
> and we don't trust you of not knowing that, so we'll remove it instead".
>
> I'm pretty sure that all users of telnet know what the implications are.
> If they don't then it doesn't matter whether it is in base or not.
>
> -- Ragge

What's the deal with IPSEC? I've never used it, but I was under the impression it gives encryption for free for things that otherwise don't have it.

Do all the programs need to have ipsec-specific goo to use it? telnet does, as well as having its own encryption code.
Re: Moving telnet/telnetd from base to pkgsrc
On 15.12.2018 at 22:52, Taylor R Campbell wrote:

>> Date: Sat, 15 Dec 2018 22:43:14 +0100
>> From: Marc Balmer
>>
>> To me it looks like one or two people don't like telnet and
>> have become very vocal and loud about removing it and did not invest
>> a lot of thought in to the cause. Yes, I call them dummies
>
> This is not helpful whether you think the maintenance burden or danger
> to users is worth it or not. Please apologize and in the future avoid
> this kind of counterproductive name-calling.

Apologize? For what?

Name calling? Whom did I name?
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Sat, 15 Dec 2018 22:43:14 +0100 > From: Marc Balmer > > To me it looks like one or two people don't like telnet and > have become very vocal and loud about removing it and did not invest > a lot of thought in to the cause. Yes, I call them dummies This is not helpful whether you think the maintenance burden or danger to users is worth it or not. Please apologize and in the future avoid this kind of counterproductive name-calling.
Re: Moving telnet/telnetd from base to pkgsrc
> On 15.12.2018 at 22:38, Anders Magnusson wrote:
>
>> On 2018-12-15 at 22:11, Marc Balmer wrote:
>> Whatever.
>>
>> Please keep telnet and telnetd in base. They have their valid use cases.
>>
> Yes please. I have used both kerberized telnet and plain telnet last 12
> months frequently.

I often use telnet over VPN (ipsec) connections. Using it prevents double encryption that I would incur if using ssh. Telnet + ipsec is a secure thing.

> I don't think it's up to us try to tell people that "this SW may be insecure
> and we don't trust you of not knowing that, so we'll remove it instead".

To me it looks like one or two people don't like telnet and have become very vocal and loud about removing it and did not invest a lot of thought in to the cause. Yes, I call them dummies

>
> I'm pretty sure that all users of telnet know what the implications are. If
> they don't then it doesn't matter whether it is in base or not.
>
> -- Ragge
Re: Moving telnet/telnetd from base to pkgsrc
On 2018-12-15 at 22:11, Marc Balmer wrote:
> Whatever.
>
> Please keep telnet and telnetd in base. They have their valid use cases.

Yes please. I have used both kerberized telnet and plain telnet last 12 months frequently.

I don't think it's up to us try to tell people that "this SW may be insecure and we don't trust you of not knowing that, so we'll remove it instead".

I'm pretty sure that all users of telnet know what the implications are. If they don't then it doesn't matter whether it is in base or not.

-- Ragge
Re: Moving telnet/telnetd from base to pkgsrc
Whatever.

Please keep telnet and telnetd in base. They have their valid use cases.

Thanks,
-mb

> On 15.12.2018 at 22:06, m...@netbsd.org wrote:
>
>> On Sat, Dec 15, 2018 at 09:55:34PM +0100, Marc Balmer wrote:
>> Is telnet / telnetd less of a risk to our users if it is in pkgsrc rather
>> than in base?
>>
>> Is pkgsrc the toilet for software you don't want to see in base?
>>
>> Is pkgsrc your personal toilet?
>>
>> I have good use for telnet and telnetd. I don't want it to be removed from
>> base.
>>
>> -mb
>>
>
> pkgsrc means I can do this:
> https://paste.ubuntu.com/p/S4hKN82BrC/
>
>> ./telnetc.py localhost
> Enter your remote account: fly
> Password:
> for fly@planets:
> Last login: Sat Dec 15 15:14:46 2018 on console
> Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
>     2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
>     2018 The NetBSD Foundation, Inc. All rights reserved.
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>     The Regents of the University of California. All rights reserved.
>
> NetBSD 8.99.27 (GENERIC) #5: Tue Dec 11 20:55:49 IST 2018
>
> Welcome to NetBSD!
>
Re: Moving telnet/telnetd from base to pkgsrc
>
> Anyway, I get it, another case of "please maintain legacy code forever
> and never make significant changes to it".

Don't be stupid. I did not say that.
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 09:55:34PM +0100, Marc Balmer wrote:
> Is telnet / telnetd less of a risk to our users if it is in pkgsrc rather
> than in base?
>
> Is pkgsrc the toilet for software you don't want to see in base?
>
> Is pkgsrc your personal toilet?
>
> I have good use for telnet and telnetd. I don't want it to be removed from
> base.
>
> -mb
>

pkgsrc means I can do this:
https://paste.ubuntu.com/p/S4hKN82BrC/

> ./telnetc.py localhost
Enter your remote account: fly
Password:
for fly@planets:
Last login: Sat Dec 15 15:14:46 2018 on console
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
    2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
    2018 The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California. All rights reserved.

NetBSD 8.99.27 (GENERIC) #5: Tue Dec 11 20:55:49 IST 2018

Welcome to NetBSD!
Re: Moving telnet/telnetd from base to pkgsrc
A new version is easier to do without the promise of compatibility. Anyway, I get it, another case of "please maintain legacy code forever and never make significant changes to it".
Re: Moving telnet/telnetd from base to pkgsrc
Is telnet / telnetd less of a risk to our users if it is in pkgsrc rather than in base?

Is pkgsrc the toilet for software you don't want to see in base?

Is pkgsrc your personal toilet?

I have good use for telnet and telnetd. I don't want it to be removed from base.

-mb
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 01:45:04PM +0700, Robert Elz wrote:
> Date: Fri, 14 Dec 2018 21:28:34 -0800
> From: John Nemeth
> Message-ID: <201812150528.wbf5syhr025...@server.cornerstoneservice.ca>
>
> | As kre noted, it is probably the oldest network application
> | around. According to Wikipedia, the protocol was developed in
> | 1969, predating TCP/IP, which means that it is probably the oldest
> | TCP/IP application there is.
>
> That's actually what I meant. I have no idea in which order the BSD
> applications were written (nor, for that matter, their original origins.)
>
> But if there are bugs in any of them (and that is not impossible, just as
> with any other software) then we should simply fix them, not just declare
> some apps as "too old, abandon it".
>
> I also simply cannot believe that any issue that might exist in telnet is
> going to be any worse than firefox with a http:// URL ... and I do not see
> anyone suggesting that firefox (and every other browser) should be
> abandoned.

firefox makes an active effort to handle such things and recently had a massive rewrite into a language better suited for large scale handling of untrusted input. They also attempt to limit the impact of bugs with sandboxing (although this doesn't apply for netbsd)

We can probably get away with keeping C for simple things like telnet, but it takes fuzzing, love, and the willingness to limit the number of features.

The discussion about telnet was something like

"Why is doing more input processing after hitting an error? then again, if I change this, there's probably a Rube Goldberg mistake of engineering reason that it will break 80% of the remaining users of telnet (all four of them)"

"That is absolutely what will happen. That's what happens when you touch telnet"

Even the idea of writing a new one was rejected, because who is going to test it against all the legacy servers today?
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 01:45:04PM +0700, Robert Elz wrote: > Date:Fri, 14 Dec 2018 21:28:34 -0800 > From:John Nemeth > Message-ID: <201812150528.wbf5syhr025...@server.cornerstoneservice.ca> > > | As kre noted, it is probably the oldest network application > | around. According to Wikipedia, the protocol was developed in > | 1969, predating TCP/IP, which means that it is probably the oldest > | TCP/IP application there is. > > That's actually what I meant. I have no idea in which order the BSD > applications were written (nor, for that matter, their original origins.) > > But if there are bugs in any of them (and that is not impossible, just as > with any other software) then we should simply fix them, not just declare > some apps as "too old, abandon it". > > I also simply cannot believe that any issue that might exist in telnet is > going to be any worse than firefox with a http:// URL ... and I do not see > anyone suggesting that firefox (and every other browser) should be > abandoned. > > kre > A basic telnet client in python (taking into account the library it uses as well) is 800 lines. the netbsd telnet client is 16000 lines, taking into account libtelnet. I literally deleted more lines of telnet than it takes to implement a new line by unifdef'ing dead code. Hope that gives you an indication for how great our code is.
Re: Moving telnet/telnetd from base to pkgsrc
It won't be hard to write a telnet client that does all of that, but it's not going to have 100% compatibility with the existing client in netbsd and it will never be tested against ancient telnet servers, so it won't be accepted as a replacement.
Re: Moving telnet/telnetd from base to pkgsrc
In article <20181215090320.gb17...@mail.duskware.de>,
Martin Husemann wrote:
>On Sat, Dec 15, 2018 at 09:49:06AM +0100, Michał Górny wrote:
>> To be honest, I don't think you can pull this. Not because telnet is
>> necessary but because Windows-origin users are used to think of telnet
>> as netcat, and rarely realizing all the dragons hidden there. Changing
>> your habits is hard.
>
>Telnet is NOT netcat.
>
>I need line mode and "send brk" at least on top of what nc (AFAIK) provides.

I have already started fixing the telnet client code. There is not so much of it...

christos
Re: Moving telnet/telnetd from base to pkgsrc
On Sat, Dec 15, 2018 at 09:49:06AM +0100, Michał Górny wrote:
> To be honest, I don't think you can pull this. Not because telnet is
> necessary but because Windows-origin users are used to think of telnet
> as netcat, and rarely realizing all the dragons hidden there. Changing
> your habits is hard.

Telnet is NOT netcat.

I need line mode and "send brk" at least on top of what nc (AFAIK) provides.

Martin
Re: Moving telnet/telnetd from base to pkgsrc
On Thu, 2018-12-13 at 22:50 +, co...@sdf.org wrote:
> Hi,
>
> telnet:
> 1. terrible code, with many abstraction violations
> 2. something people expect to talk to their legacy machines, which
> nobody but them has access to.
> 3. common use case is served by netcat, already in base.
> 4. too much superfluous functionality.
>
> Let's pull it out as a package, the alternative being breaking
> functionality for the four remaining users.
>
> send hate mail my way.

To be honest, I don't think you can pull this. Not because telnet is necessary but because Windows-origin users are used to think of telnet as netcat, and rarely realizing all the dragons hidden there. Changing your habits is hard.

--
Best regards,
Michał Górny
Re: Moving telnet/telnetd from base to pkgsrc
Date:Fri, 14 Dec 2018 21:28:34 -0800 From:John Nemeth Message-ID: <201812150528.wbf5syhr025...@server.cornerstoneservice.ca> | As kre noted, it is probably the oldest network application | around. According to Wikipedia, the protocol was developed in | 1969, predating TCP/IP, which means that it is probably the oldest | TCP/IP application there is. That's actually what I meant. I have no idea in which order the BSD applications were written (nor, for that matter, their original origins.) But if there are bugs in any of them (and that is not impossible, just as with any other software) then we should simply fix them, not just declare some apps as "too old, abandon it". I also simply cannot believe that any issue that might exist in telnet is going to be any worse than firefox with a http:// URL ... and I do not see anyone suggesting that firefox (and every other browser) should be abandoned. kre
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 14, 4:22pm, co...@sdf.org wrote: } } You know I'm writing this as telnet on netbsd is vulnerable to remote } exploits, and everyone that can MITM you can do that to you whenever you } 'telnet to see if ports are open'? Name the remote exploit! And, don't tell me about MITM. }-- End of excerpt from co...@sdf.org
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 14, 1:21pm, Taylor R Campbell wrote:
} > Date: Fri, 14 Dec 2018 09:46:08 +0100
} > From: Edgar Fuß
} >
} > > Y'all seem to think it's totally reasonable to telnet in the open internet
} > What's the problem with "telnet www.uni-bonn.de http"?
}
} If the telnet client is remotely exploitable then that exposes you to
} exploitation by www.uni-bonn.de and by anyone on the internet between
} you and www.uni-bonn.de. The attack surface is unmaintained network
} code from the '80s.
}
} > Date: Fri, 14 Dec 2018 02:13:40 -0800
} > From: John Nemeth
} >
} > This statement is total nonsense. It works just fine. And,
} > it's not like there is a crap-ton of CVEs against it. In fact,
} > there have been almost none, which is pretty impressive considering
} > how old the code is.
}
} This reflects how little attention telnet has gotten, not how much
} scrutiny it has withstood.

That is certainly one interpretation. But, I'm going to disagree. As kre noted, it is probably the oldest network application around. According to Wikipedia, the protocol was developed in 1969, predating TCP/IP, which means that it is probably the oldest TCP/IP application there is. It continued to be used long after SSH became common. In fact, the last major issue that comes to my mind, which was in telnetd, was found long after SSH became common. I'm quite sure that it has received a lot of scrutiny over the years.

} If it is used only on a carefully isolated network for something like
} a serial management console, that's not really worse than the security
} of a lot of management console tooling, but it's not clear to me that
} it needs to be in base any more than ipmitool or amtterm. We should

I actually wouldn't mind seeing ipmitool in base. Of course, it would be better if our kernel driver was capable of doing more than just reading a handful of sensors, like actually being able to do things like configure the IPMI network settings. ipmitool is very useful for people running real servers. The biggest limitation is our sucky ipmi(4).

} at least have warnings on it until someone takes up maintenance not to
} use it on the open internet.

This is like putting a warning on a gun that says, "don't point at self". This might be considered sensible in the highly litigious US, but for most of the world, this is a ridiculous notion. BTW, even if "someone takes up maintenance" it would still be an unencrypted protocol, so it still wouldn't be usable in a security sensitive setting. Furthermore, why make life more difficult for us crusty old people for no particularly good reason? I've been using telnet to manually do SMTP since the late 80s. Yes, I could learn nc, but I prefer to spend my time on more important tasks than replacing things that work perfectly well.

}-- End of excerpt from Taylor R Campbell
Re: Moving telnet/telnetd from base to pkgsrc
On Fri, Dec 14, 2018 at 04:53:06PM +, Taylor R Campbell wrote: > There is an exploit being privately circulated, which is what prompted > this discussion in the first place, and an advisory is presumably > forthcoming. Two local 'exploits', one that had been fixed more than 13 years ago (with proper CVEs), both require careful preparation by the user to be triggered. Isn't that far from 'remote exploit' and 'everyone who can MITM can do that'? -- Michael van Elst Internet: mlel...@serpens.de "A potential Snark may lurk in every tree."
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Fri, 14 Dec 2018 16:34:47 - (UTC) > From: mlel...@serpens.de (Michael van Elst) > > co...@sdf.org writes: > > >You know I'm writing this as telnet on netbsd is vulnerable to remote > >exploits, and everyone that can MITM you can do that to you whenever you > >'telnet to see if ports are open'? > > Obviously wrong. This is not a helpful response. What, specifically, is wrong, and why is it obvious? There is an exploit being privately circulated, which is what prompted this discussion in the first place, and an advisory is presumably forthcoming.
Re: Moving telnet/telnetd from base to pkgsrc
co...@sdf.org writes: >You know I'm writing this as telnet on netbsd is vulnerable to remote >exploits, and everyone that can MITM you can do that to you whenever you >'telnet to see if ports are open'? Obviously wrong. -- -- Michael van Elst Internet: mlel...@serpens.de "A potential Snark may lurk in every tree."
Re: Moving telnet/telnetd from base to pkgsrc
Greg Troxel wrote in : |Robert Elz writes: | |> It does no harm as it is, if you don't use the client, all it does is |> occupy a couple of hundred blocks (nothing), the server is not |> enabled by default, and it is even smaller. | |I agree. I use it often, to see if TCP ports are open and hand-type |smtp or http. | |Another point is that as a BSD system, we at least used to have a |respect for history and tradition. That has to have a balance - we did |get rid of sendmail. But removing longstanding programs (that don't run |by default) because some people don't like them, as part of what feels |like a larger deletionist crusade, is not ok. I like that. --End of --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Moving telnet/telnetd from base to pkgsrc
You know I'm writing this as telnet on netbsd is vulnerable to remote exploits, and everyone that can MITM you can do that to you whenever you 'telnet to see if ports are open'?
Re: Moving telnet/telnetd from base to pkgsrc
On 12/14/18 2:21 PM, Taylor R Campbell wrote:
> We should at least have warnings on it until someone takes up maintenance not to
> use it on the open internet.

This comes around to me similar to having a notice in the cup of coffee just bought "Caution: content may be hot", or instructions for the microwave oven "Do not use to dry wet pets". Where is humanity heading to? Has common knowledge and intelligence diminished that much during the last decades?

regards,
chris
Re: Moving telnet/telnetd from base to pkgsrc
campbell+netbsd-tech-userle...@mumble.net (Taylor R Campbell) writes: >If the telnet client is remotely exploitable Is it? -- -- Michael van Elst Internet: mlel...@serpens.de "A potential Snark may lurk in every tree."
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Fri, 14 Dec 2018 09:46:08 +0100 > From: Edgar Fuß > > > Y'all seem to think it's totally reasonable to telnet in the open internet > What's the problem with "telnet www.uni-bonn.de http"? If the telnet client is remotely exploitable then that exposes you to exploitation by www.uni-bonn.de and by anyone on the internet between you and www.uni-bonn.de. The attack surface is unmaintained network code from the '80s. > Date: Fri, 14 Dec 2018 02:13:40 -0800 > From: John Nemeth > > This statement is total nonsense. It works just fine. And, > it's not like there is a crap-ton of CVEs against it. In fact, > there have been almost none, which is pretty impressive considering > how old the code is. This reflects how little attention telnet has gotten, not how much scrutiny it has withstood. If it is used only on a carefully isolated network for something like a serial management console, that's not really worse than the security of a lot of management console tooling, but it's not clear to me that it needs to be in base any more than ipmitool or amtterm. We should at least have warnings on it until someone takes up maintenance not to use it on the open internet.
Re: Moving telnet/telnetd from base to pkgsrc
Robert Elz writes: > It does no harm as it is, if you don't use the client, all it does is > occupy a couple of hundred blocks (nothing), the server is not > enabled by default, and it is even smaller. I agree. I use it often, to see if TCP ports are open and hand-type smtp or http. Another point is that as a BSD system, we at least used to have a respect for history and tradition. That has to have a balance - we did get rid of sendmail. But removing longstanding programs (that don't run by default) because some people don't like them, as part of what feels like a larger deletionist crusade, is not ok.
Re: Moving telnet/telnetd from base to pkgsrc
> Date: Fri, 14 Dec 2018 09:41:20 +0100 > From: Edgar Fuß > > > send hate mail my way. > I guess you are over-looking my (and probably a lot of other network > administrator's) primary use case for /usr/bin/telnet: connect to a > HTTP/SMTP/IMAP/whatever port and speak the protocol. That's what we have /usr/bin/nc for. No need for the unmaintained complexity of a telnet stack with an '80s network security engineering mindset to do that.
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 14, 4:56am, co...@sdf.org wrote: } } The maintenance burden is as follows: } } - Y'all seem to think it's totally reasonable to telnet in the open } internet Nobody thinks it should be used in the open internet in any situation where security is required, at least not without using one of the secure authentication extensions. } This means it begs for a rewrite This statement is total nonsense. It works just fine. And, it's not like there is a crap-ton of CVEs against it. In fact, there have been almost none, which is pretty impressive considering how old the code is. } - You'd want some esoteric functionality preserved You mean like the telnet protocol which can in no way be described as esoteric? } This means rewriting it isn't going to happen Given that there is no particular reason for it to happen, this isn't a problem. BTW, I wouldn't call rewriting it, "maintenance". }-- End of excerpt from co...@sdf.org
Re: Moving telnet/telnetd from base to pkgsrc
On Fri, 14 Dec 2018, Edgar Fuß wrote:

>> send hate mail my way.
> I guess you are over-looking my (and probably a lot of other network
> administrator's) primary use case for /usr/bin/telnet: connect to a
> HTTP/SMTP/IMAP/whatever port and speak the protocol.

Yep, there's still a lot of network gear out there that doesn't have a built-in pseudo-browser-for-device-management.

On second thought, I think I'd prefer telnet over http anyway, even if the device _did_ have a pseudo-browser. :)

+------------------+--------------------------+----------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:          |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee dot com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd dot org |
+------------------+--------------------------+----------------------------+
Re: Moving telnet/telnetd from base to pkgsrc
> Y'all seem to think it's totally reasonable to telnet in the open internet What's the problem with "telnet www.uni-bonn.de http"?
Re: Moving telnet/telnetd from base to pkgsrc
> send hate mail my way. I guess you are over-looking my (and probably a lot of other network administrator's) primary use case for /usr/bin/telnet: connect to a HTTP/SMTP/IMAP/whatever port and speak the protocol.
Re: Moving telnet/telnetd from base to pkgsrc
Date: Fri, 14 Dec 2018 04:56:02 +
From: co...@sdf.org
Message-ID: <20181214045601.ga12...@sdf.org>

| The maintenance burden is as follows:
|
| - Y'all seem to think it's totally reasonable to telnet in the open
| internet
|
| This means it begs for a rewrite
|
| - You'd want some esoteric functionality preserved
|
| This means rewriting it isn't going to happen

How does any of that change if telnet were in pkgsrc? Except that then it would probably need a bunch more work as pkgsrc runs on more than NetBSD.

Further, telnet is just fine on the internet - it is, after all, the internet's first application protocol, so it has kind of proved its worth. Sending passwords cleartext isn't a good idea, but that isn't always what it is used for - many of the other older protocols (FTP, and its offshoot SMTP come to mind) are based upon telnet and the telnet client is useful for testing them, and as others have said, it has many local LAN type uses (precisely because it is supported everywhere.)

It does no harm as it is, if you don't use the client, all it does is occupy a couple of hundred blocks (nothing), the server is not enabled by default, and it is even smaller.

kre
Re: Moving telnet/telnetd from base to pkgsrc
On 14.12.2018 06:40, Kamil Rytarowski wrote:
> On 13.12.2018 23:50, co...@sdf.org wrote:
>> Hi,
>>
>> telnet:
>> 1. terrible code, with many abstraction violations
>> 2. something people expect to talk to their legacy machines, which
>> nobody but them has access to.

Actually telnet is used actively by modern evb !x86 boards to access firmware console or serial port. Without naming them, this includes high-end aarch64 servers (I used telnet to work with them).

>> 3. common use case is served by netcat, already in base.
>> 4. too much superfluous functionality.
>>
>> Let's pull it out as a package, the alternative being breaking
>> functionality for the four remaining users.
>>
>> send hate mail my way.
>>
>
> I'm against. telnet is useful for networking. It's used in embedded,
> virtualization (qemu, simh, ...) and some public services.
>
Re: Moving telnet/telnetd from base to pkgsrc
On 13.12.2018 23:50, co...@sdf.org wrote:
> Hi,
>
> telnet:
> 1. terrible code, with many abstraction violations
> 2. something people expect to talk to their legacy machines, which
> nobody but them has access to.
> 3. common use case is served by netcat, already in base.
> 4. too much superfluous functionality.
>
> Let's pull it out as a package, the alternative being breaking
> functionality for the four remaining users.
>
> send hate mail my way.
>

I'm against. telnet is useful for networking. It's used in embedded, virtualization (qemu, simh, ...) and some public services.
Re: Moving telnet/telnetd from base to pkgsrc
On Fri, 14 Dec 2018, Sevan Janiyan wrote:

> On 13/12/2018 22:50, co...@sdf.org wrote:
>> telnet:
>> 1. terrible code, with many abstraction violations
>> 2. something people expect to talk to their legacy machines, which
>> nobody but them has access to.
>> 3. common use case is served by netcat, already in base.
>> 4. too much superfluous functionality.
>
> On the slower systems that we support, we avoid the lengthy (45min+)
> ssh-keygen process so it's much quicker to get up and running with
> things from scratch. Especially if you are testing from scratch regularly.

Am I the only one who uses telnet to make sure web servers are working sometimes? I might need to learn how to do that with netcat or something else.

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee
Re: Moving telnet/telnetd from base to pkgsrc
The maintenance burden is as follows:
- Y'all seem to think it's totally reasonable to telnet in the open internet
  This means it begs for a rewrite
- You'd want some esoteric functionality preserved
  This means rewriting it isn't going to happen
Re: Moving telnet/telnetd from base to pkgsrc
On Dec 13, 10:50pm, co...@sdf.org wrote:
}
} telnet:
} 1. terrible code, with many abstraction violations
} 2. something people expect to talk to their legacy machines, which
} nobody but them has access to.
} 3. common use case is served by netcat, already in base.
} 4. too much superfluous functionality.
}
} Let's pull it out as a package, the alternative being breaking
} functionality for the four remaining users.
}
} send hate mail my way.

Here's your hate mail. Stop with @#$!@$ deletenik stuff. Seriously, telnet is basic network functionality. It is also self-contained and doesn't require any maintenance. Thus it doesn't cause any problems for anybody doing maintenance on NetBSD. There is no reason to remove it. Also, you can't be serious in claiming that netcat can replace telnet.

}-- End of excerpt from co...@sdf.org
Re: Moving telnet/telnetd from base to pkgsrc
On 13/12/2018 22:50, co...@sdf.org wrote:
> telnet:
> 1. terrible code, with many abstraction violations
> 2. something people expect to talk to their legacy machines, which
> nobody but them has access to.
> 3. common use case is served by netcat, already in base.
> 4. too much superfluous functionality.

On the slower systems that we support, we avoid the lengthy (45min+) ssh-keygen process so it's much quicker to get up and running with things from scratch. Especially if you are testing from scratch regularly.

Sevan
Re: Moving telnet/telnetd from base to pkgsrc
On Fri, 14 Dec 2018 00:06:18 +0100 Manuel Bouyer wrote:
> On Thu, Dec 13, 2018 at 10:50:30PM +, co...@sdf.org wrote:
> > Hi,
> >
> > telnet:
> > 1. terrible code, with many abstraction violations
> > 2. something people expect to talk to their legacy machines, which
> > nobody but them has access to.
> > 3. common use case is served by netcat, already in base.
> > 4. too much superfluous functionality.
> >
> > Let's pull it out as a package, the alternative being breaking
> > functionality for the four remaining users.
>
> Actually, lots of managed network equipment (or remote management boards)
> can talk telnet. It still has its use.
>
> --
> Manuel Bouyer
> NetBSD: 26 years of experience will always make the difference
> --

Also, you can tie a xen guest serial console to a port and access via telnet — handy if you want to use screen to manage them, for example. I don't really use netcat very much, so maybe I'm missing something, but a program that exits when ctrl-c is used seems less than ideal in many cases.

It doesn't bother me if it's moved to pkgsrc, but are there people running embedded systems who might need telnet, but really don't want pkgsrc installed?

HW
Re: Moving telnet/telnetd from base to pkgsrc
Manuel Bouyer wrote:
> On Thu, Dec 13, 2018 at 10:50:30PM +, co...@sdf.org wrote:
> > Hi,
> >
> > telnet:
> > [ ... ]
> > Let's pull it out as a package, the alternative being breaking
> > functionality for the four remaining users.
>
> Actually, lots of managed network equipment (or remote management boards)
> can talk telnet. It still has its use.

Including many brands of terminal servers. I connect to the console of most of the computers at home with telnet.

Cheers,
Simon.
Re: Moving telnet/telnetd from base to pkgsrc
On Thu, Dec 13, 2018 at 10:50:30PM +, co...@sdf.org wrote:
> Hi,
>
> telnet:
> 1. terrible code, with many abstraction violations
> 2. something people expect to talk to their legacy machines, which
> nobody but them has access to.
> 3. common use case is served by netcat, already in base.
> 4. too much superfluous functionality.
>
> Let's pull it out as a package, the alternative being breaking
> functionality for the four remaining users.

Actually, lots of managed network equipment (or remote management boards) can talk telnet. It still has its use.

--
Manuel Bouyer
NetBSD: 26 years of experience will always make the difference
--
Moving telnet/telnetd from base to pkgsrc
Hi,

telnet:
1. terrible code, with many abstraction violations
2. something people expect to talk to their legacy machines, which nobody but them has access to.
3. common use case is served by netcat, already in base.
4. too much superfluous functionality.

Let's pull it out as a package, the alternative being breaking functionality for the four remaining users.

send hate mail my way.