• Connecting 2 computers over the local network

    From Spiros Bousbouras@21:1/5 to All on Sun Jun 11 10:11:48 2023
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach and
    my questions are:

    1. Which packages need to be installed on the computers ?

    2. What should I enter into which configuration files for A to
    only accept connections from B ?

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    I can read man pages but some pointers on what terms or files I
    should look for would be useful.

    --
    vlaho.ninja/prog

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Spiros Bousbouras on Sun Jun 11 12:49:41 2023
    On 2023-06-11 12:11, Spiros Bousbouras wrote:
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach and
    my questions are:

    ssh is indeed the right approach.


    1. Which packages need to be installed on the computers ?

    I'll leave this question to others, as I'm not familiar with your distro.

    You need the client, and the daemon. In openSUSE, it is openssh-clients
    and openssh-server, and they are installed by default.


    2. What should I enter into which configuration files for A to
    only accept connections from B ?

    Huh. I do that in the firewall.


    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    That can be done by exchanging encrypted keys between both machines, and
    protecting those keys with no password. Or, the desktop can cache the
    password.


    --
    Cheers, Carlos.

  • From The Natural Philosopher@21:1/5 to Spiros Bousbouras on Sun Jun 11 11:47:02 2023
    On 11/06/2023 11:11, Spiros Bousbouras wrote:
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    Mmm. I never had a lot of success with X11 forwarding.

    I assume that something SSH related is the right approach and
    my questions are:

    1. Which packages need to be installed on the computers ?

    2. What should I enter into which configuration files for A to
    only accept connections from B ?

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    I can read man pages but some pointers on what terms or files I
    should look for would be useful.


    First of all it is helpful to configure the machines on fixed IP addresses
    rather than dynamically allocated ones. You can do this by causing your
    router to recognise their MAC addresses and associating them with a
    static IP address, or you can assign a static IP address (and gateway
    and nameserver) and not use DHCP.

    The second handy tip is, unless you want to set up local DNS, to set up
    /etc/hosts on both machines to reflect the other machine's address, so
    you can contact them by name.

    Getting secure passwordless ssh connections is a matter of installing the
    ssh packages and looking up one of the many in-depth tutorials on how to
    set up using public/private keys.

    https://linuxize.com/post/how-to-setup-passwordless-ssh-login/

    ssh can be restricted to access from specified IP address, by specified
    users. Again tutorials are numerous. But if you disable password access
    and use keys to validate, you achieve the same results anyway.

    Once you have seamless ssh, you can access file systems that you as a
    user have authority over using sshfs protocols.

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.


    --
    I would rather have questions that cannot be answered...
    ...than to have answers that cannot be questioned

    Richard Feynman

  • From Carlos E.R.@21:1/5 to The Natural Philosopher on Sun Jun 11 13:34:51 2023
    On 2023-06-11 12:47, The Natural Philosopher wrote:
    On 11/06/2023 11:11, Spiros Bousbouras wrote:


    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18


    --
    Cheers, Carlos.

  • From cr0c0d1le@21:1/5 to Carlos E.R. on Sun Jun 11 09:48:07 2023
    "Carlos E.R." <robin_listas@es.invalid> writes:

    On 2023-06-11 12:47, The Natural Philosopher wrote:
    On 11/06/2023 11:11, Spiros Bousbouras wrote:


    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18
    You can also reduce overhead using the compression flag:

    ssh -CX username@192.168.2.18

  • From David W. Hodgins@21:1/5 to Spiros Bousbouras on Sun Jun 11 16:16:58 2023
    On Sun, 11 Jun 2023 06:11:48 -0400, Spiros Bousbouras <spibou@gmail.com> wrote:
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach and
    my questions are:

    For computers accessed over the internet, I use ssh with X forwarding, and within my lan where I want the program running on one computer with the gui displayed on another.

    For sharing files within my lan, I use sshfs.

    I also use synergy. I log in on both computers and start synergy on both.
    The server is the one which has the keyboard/mouse I prefer connected,
    the other is the client. Both computers must be running the same version
    of synergy.

    Note the program synergy-gui which can be used to create config files is payware, but it's not needed as the config files can be created manually.
    The actual synergy server/client programs are open source.

    Creating the config file manually is a bit of a pain, but there are
    examples available on the net. The synergy program allows me to move the
    mouse to the right of my main screen to the second computer's screen. The
    keyboard input goes to whichever computer's screen the mouse pointer is
    on. The clipboard is shared, so I can copy/paste text and pictures between
    the two computers.

    Regards, Dave Hodgins

  • From Computer Nerd Kev@21:1/5 to Spiros Bousbouras on Mon Jun 12 09:38:19 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    For this reason on my home LAN, which I know nobody is snooping
    on, I avoid SSH wherever possible and use Telnet instead (usually
    the GNU Inetutils implementation). The DISPLAY environment variable
    is automatically set to the hostname of the computer that you've
    connected from, so if this is associated with the correct IP
    address in /etc/hosts (or the DNS server on your LAN if present and
    configurable), you can just start X programs normally and they'll
    display on the computer that you're working from so long as its X
    server has TCP enabled (the latest versions of Xorg must be started
    with the "-listen tcp" command line parameter to enable this, e.g.
    in ~/.xserverrc).

    1. Which packages need to be installed on the computers ?

    inetutils-telnet, inetutils-telnetd, and inetutils-inetd. Set up
    /etc/inetd.conf with a line like:

    telnet stream tcp nowait root /usr/sbin/telnetd telnetd

    and start inetd at boot.

    2. What should I enter into which configuration files for A to
    only accept connections from B ?

    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    If you want this, then you'll have to give up on the old Debian
    version either now or sometime later. If you're willing to compile
    newer versions of OpenSSH yourself then you might be able to delay
    this for many years though. Other options are setting up a
    physically secure network connection from the old Debian system to
    a newer computer, using SSH to connect to the newer system, which
    runs a script that connects to the older system via Telnet. The
    "newer computer" might even be a virtual machine running on the old
    system with the emulated network interface in Bridge mode so that
    it appears as a unique IP on your LAN.

    But life is much easier if you can trust that nobody is snooping on
    your LAN in the first place.

    --
    __ __
    #_ < |\| |< _#

  • From Andreas Kohlbach@21:1/5 to David W. Hodgins on Sun Jun 11 22:14:35 2023
    On Sun, 11 Jun 2023 16:16:58 -0400, David W. Hodgins wrote:

    On Sun, 11 Jun 2023 06:11:48 -0400, Spiros Bousbouras <spibou@gmail.com> wrote:
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach and
    my questions are:

    For computers accessed over the internet, I use ssh with X forwarding, and within my lan where I want the program running on one computer with the gui displayed on another.

    You could also use VNC or RDP. But I suppose SSH has the least overhead,
    thus is fastest.

    For sharing files within my lan, I use sshfs.

    You can also transparently (net-) mount the file system from another
    computer. Looks like a part of the local file system then.
    --
    Andreas

  • From Andreas Kohlbach@21:1/5 to Carlos E.R. on Sun Jun 11 22:10:16 2023
    On Sun, 11 Jun 2023 13:34:51 +0200, Carlos E.R. wrote:

    On 2023-06-11 12:47, The Natural Philosopher wrote:

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18

    And add an app. Like

    ssh -X username@192.168.2.18 firefox

    On the other side X must be allowed. Suppose that's default though.
    --
    Andreas

  • From Ivan Shmakov@21:1/5 to All on Mon Jun 12 05:57:56 2023
    On 2023-06-11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "Deprecated," but so far as I can tell, not "unsupported."
    For details, refer to the Cipher and HostKeyAlgorithms options
    description in ssh_config(5) and sshd_config(5).

    Granted, there /are/ interoperability issues between different
    SSH implementations IME, but frankly, I don't recall any between
    different ('stable') OpenSSH versions.

    More specifically, it looks like exactly one cipher is no longer
    supported by OpenSSH as of Bookworm that was available in Buster:

    BOOKWORM$ wdiff -- <(ssh -n -- BUSTER ssh -Q cipher | LC_ALL=C sort -st-) \
    <(ssh -Q cipher | LC_ALL=C sort -st-)
    3des-cbc
    aes128-cbc
    aes128-ctr
    aes128-gcm@openssh.com
    aes192-cbc
    aes192-ctr
    aes256-cbc
    aes256-ctr
    aes256-gcm@openssh.com
    chacha20-poly1305@openssh.com
    [-rijndael-cbc@lysator.liu.se-]

    (And I'd venture to guess it was deprecated long before it got
    removed.)

    For the SSH key types, the lists of supported ones are identical:

    BOOKWORM$ cmp -- <(ssh -n -- BUSTER ssh -Q HostKeyAlgorithms | sort -st-) \
    <(ssh -Q HostKeyAlgorithms | sort -st-)
    BOOKWORM$

    --
    FSF associate member #7257 http://am-1.org/~ivan/

  • From Parodper@21:1/5 to All on Mon Jun 12 08:44:10 2023
    On 12/06/23 at 04:10, Andreas Kohlbach wrote:
    On Sun, 11 Jun 2023 13:34:51 +0200, Carlos E.R. wrote:

    On 2023-06-11 12:47, The Natural Philosopher wrote:

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18

    And add an app. Like

    ssh -X username@192.168.2.18 firefox

    On the other side X must be allowed. Suppose that's default though.

    You can even run an entire DE through SSH.

  • From Computer Nerd Kev@21:1/5 to Ivan Shmakov on Mon Jun 12 16:48:00 2023
    Ivan Shmakov <ivan@siamics.netnospam.invalid> wrote:
    On 2023-06-11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "Deprecated," but so far as I can tell, not "unsupported."
    For details, refer to the Cipher and HostKeyAlgorithms options
    description in ssh_config(5) and sshd_config(5).

    Yes, I answered the question in a generic sense assuming computer B
    could be running _any_ older version of Debian because the version
    wasn't specified. I'm posting from Debian version 3 right now, so
    that makes sense to me, but it did occur to me afterwards that the
    OP may have meant an old but still supported Debian version.

    The IETF recommends not implementing some old key exchange
    algorithms for SSH: https://datatracker.ietf.org/doc/id/draft-ietf-curdle-ssh-kex-sha2-13.html

    But indeed up to a point you can enable many depreciated options
    with the "ciphers" and "KexAlgorithms" settings in
    /etc/ssh/sshd_config on "computer A".

    But if you can just use Telnet happily on a secure LAN, then this
    is all lots of unnecessary work (especially because SSH isn't very
    helpful with its error messages, and old versions don't support the
    -Q option).

    --
    __ __
    #_ < |\| |< _#

  • From Carlos E.R.@21:1/5 to Andreas Kohlbach on Mon Jun 12 10:53:44 2023
    On 2023-06-12 04:10, Andreas Kohlbach wrote:
    On Sun, 11 Jun 2023 13:34:51 +0200, Carlos E.R. wrote:

    On 2023-06-11 12:47, The Natural Philosopher wrote:

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18

    And add an app. Like

    ssh -X username@192.168.2.18 firefox

    That can be done later, typing on the terminal, if you want.

    Notice, though, that firefox is "different" in this respect.


    On the other side X must be allowed. Suppose that's default though.

    --
    Cheers, Carlos.

  • From Nuno Silva@21:1/5 to David W. Hodgins on Mon Jun 12 09:35:58 2023
    On 2023-06-11, David W. Hodgins wrote:

    On Sun, 11 Jun 2023 06:11:48 -0400, Spiros Bousbouras <spibou@gmail.com> wrote:
    [I wasn't sure whether this is more suited to comp.os.linux.misc
    or comp.os.linux.networking ]

    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.
    [...]

    I also use synergy. I log in on both computers and start synergy on both.
    The server is the one which has the keyboard/mouse I prefer connected,
    the other is the client. Both computers must be running the same version
    of synergy.

    Note the program synergy-gui which can be used to create config files is payware, but it's not needed as the config files can be created manually.
    The actual synergy server/client programs are open source.

    Creating the config file manually is a bit of a pain, but there are examples available on the net. The synergy program allows me to move the mouse to the right of my main screen to the second computer's screen. The keyboard input goes to which ever computer's screen the mouse pointer is on. The clipboard is shared, so I can copy/paste text and pictures between the two computers.

    Regards, Dave Hodgins

    Just make sure your keyboard layout is compatible with synergy, at least
    the version I used many years ago would convert key to glyph and then
    glyph to key, which resulted in the wrong key press possibly being
    "executed" if there was more than one way to produce the same glyph
    (IIRC this affected "|" in the Finnish layout).

    After that, I think I moved to x2x, as I was using synergy between two
    machines running X11.

    --
    Nuno Silva

  • From The Natural Philosopher@21:1/5 to Computer Nerd Kev on Mon Jun 12 10:35:14 2023
    On 12/06/2023 00:38, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "deprecated"

    Like telnet is

    --
    “Puritanism: The haunting fear that someone, somewhere, may be happy.”

    H.L. Mencken, A Mencken Chrestomathy

  • From Ivan Shmakov@21:1/5 to All on Mon Jun 12 10:17:31 2023
    XPost: comp.windows.x

    On 2023-06-12, Andreas Kohlbach wrote:
    On Sun, 11 Jun 2023 16:16:58 -0400, David W. Hodgins wrote:

    [Cross-posting to news:comp.windows.x.]

    For computers accessed over the internet, I use ssh with X
    forwarding, and within my lan where I want the program running
    on one computer with the gui displayed on another.

    You could also use VNC or RDP. But I suppose SSH has the least
    overhead, thus is fastest.

    I think it conflates 'transport' and 'application' protocols.

    As is pointed out elsewhere in this thread, you can use X over
    TCP, which will have even less overhead than X over SSH.

    OTOH, it's certainly possible to use VNC over SSH (whether
    via port forwarding, or as described in Debian Bug#1018240,
    though there're some fixes pending to the recipe), which
    will have more overhead than VNC over (unencrypted) TCP,
    yet possibly /less/ than X over SSH.

    http://bugs.debian.org/1018240

    Now, I don't have any measurements to back this claim, but
    note that while /classic/ X software sends short commands
    to the X server (draw a line here, render a string there),
    /modern/ software mostly just pushes pre-rendered pixmaps
    to the server. There, VNC protocol may have an advantage,
    as it's pretty much dedicated to shoving image data around,
    and does not support requests such as drawing polygons on
    the server, which modern software won't use anyway.

    To summarize, if you mostly want to use classic, libXt- or
    libX11- based software, like, say, xedit, vtwm, xterm (though
    note that at least xterm /can/ be configured to render text
    on the client), use X over SSH. (Unless SSH overhead becomes
    critical /and/ the communication is secured in some other manner.)

    If you mostly want to use modern software (Darktable, Chromium,
    Libreoffice, Merkaartor, that sort of thing) it's worth trying
    VNC, which may happen to have less overhead in this case.

    PS. Reading http://bugs.debian.org/947713 recently made me wonder,
    yet again, if opting for a modern GUI toolkit for your
    software is a perfectly valid choice, provided you're willing
    to rewrite it from scratch every decade or so. (Conversely,
    I don't suppose libXaw API has had major incompatible changes
    since at least early 1990s?)

    --
    FSF associate member #7257 http://am-1.org/~ivan/

  • From Spiros Bousbouras@21:1/5 to Computer Nerd Kev on Mon Jun 12 14:51:05 2023
    Thanks for all the replies everyone. That's a lot to read on.

    Assuming I go the SSH route , I would need to make sure that the SSH daemon runs on computer A. Does installing the correct package (it seems to be openssh-server) make sure that the server gets started on boot or do I also need to edit something in the start-up scripts ?

    On 12 Jun 2023 09:38:19 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    Debian 5. If there is no incompatibility issue now then one won't arise
    if I don't upgrade the newer system. Whether I want to upgrade the older
    one depends on how smoothly I can make things work with doing certain
    tasks on computer A. Details on what "certain tasks" means would be too
    much of a digression and in fact I don't even have a complete list myself.

    For this reason on my home LAN, which I know nobody is snooping
    on, I avoid SSH wherever possible and use Telnet instead (usually
    the GNU Inetutils implementation).

    [ Snip useful information. ]

    2. What should I enter into which configuration files for A to
    only accept connections from B ?

    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    If you want this, then you'll have to give up on the old Debian
    version either now or sometime later. If you're willing to compile
    newer versions of OpenSSH yourself then you might be able to delay
    this for many years though. Other options are setting up a
    physically secure network connection from the old Debian system to
    a newer computer, using SSH to connect to the newer system, which
    runs a script that connects to the older system via Telnet. The
    "newer computer" might even be a virtual machine running on the old
    system with the emulated network interface in Bridge mode so that
    it appears as a unique IP on your LAN.

    But life is much easier if you can trust that nobody is snooping on
    your LAN in the first place.

    Ok , let's focus on whether I have a physically secure network connection
    and whether anyone can snoop on my LAN. I'm not sure which are the
    relevant factors but I will give some information which hopefully is
    relevant. No one but me has physical access to the 2 computers or the
    router. The wireless signal on the router is turned off most of the time
    but I turn it on occasionally. I believe the password for wireless
    connection to be secure. I seed some torrents from computer B so the
    router accepts connections for those. As I've said , computers A and B
    would be connected through cable to the router. With that in mind ,
    could an attacker connect to the router and intercept communications
    between A and B ? Is the attack surface greater with wireless signal on ?

    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the
    router through a cable" ? Can the router itself be tricked in that
    regard ? Is there no standard way for the router to pass the information
    to the computer accepting connections ? Is the point to defend from bugs
    in the router software ?

    --
    vlaho.ninja/prog

  • From The Natural Philosopher@21:1/5 to Spiros Bousbouras on Mon Jun 12 16:55:45 2023
    On 12/06/2023 15:51, Spiros Bousbouras wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    Assuming I go the SSH route , I would need to make sure that the SSH daemon runs on computer A. Does installing the correct package (it seems to be openssh-server) make sure that the server gets started on boot or do I also need to edit something in the start-up scripts ?

    Unless you have a very weird package, it will assume you want it to
    start, and start every time the machine is booted.


    But life is much easier if you can trust that nobody is snooping on
    your LAN in the first place.

    Ok , let's focus on whether I have a physically secure network connection
    and whether anyone can snoop on my LAN. I'm not sure which are the
    relevant factors but I will give some information which hopefully is
    relevant. No one but me has physical access to the 2 computers or the
    router. The wireless signal on the router is turned off most of the time
    but I turn it on occasionally. I believe the password for wireless
    connection to be secure. I seed some torrents from computer B so the
    router accepts connections for those. As I've said , computers A and B
    would be connected through cable to the router. With that in mind ,
    could an attacker connect to the router and intercept communications
    between A and B ? Is the attack surface greater with wireless signal on ?

    In theory anything is possible. In practice, no.
    Far easier to break into your home and install some malware on your
    computers.

    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the
    router through a cable" ? Can the router itself be tricked in that
    regard ? Is there no standard way for the router to pass the information
    to the computer accepting connections ? Is the point to defend from bugs
    in the router software ?

    In theory, no. In practice yes, as you can use the router to control the
    IP address of the computers and use that as a proxy for how they are wired.

    --
    There is nothing a fleet of dispatchable nuclear power plants cannot do
    that cannot be done worse and more expensively and with higher carbon
    emissions and more adverse environmental impact by adding intermittent renewable energy.

  • From Rich@21:1/5 to Spiros Bousbouras on Mon Jun 12 17:05:50 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to
    the router through a cable" ?

    This is typically done by setting up a firewall rule. For your stated
    "rule" above, and assuming by 'router' you actually mean one of those
    boxes that is both a router and a 4-port ethernet switch combination
    box, you would add a rule to the machine's firewall to only accept
    packets with a source IP of the local LAN. Which is most likely a
    /24, so X.Y.Z.??? where X.Y.Z are the first three octets of your LAN's
    IP address range, and ??? is anything.

    The exact way to formulate and install such a rule requires more
    specifics than we are cognizant of over USENET.

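    Rich's firewall rule, written out as an nftables ruleset for computer A
    (an added example, not something any poster supplied; the 192.168.1.0/24
    LAN, B's address 192.168.1.20 and the interface name eth0 are
    placeholders). The rule as written admits only B; widening the source to
    192.168.1.0/24 gives Rich's "whole local /24" variant. Either way the
    check is on the source address, which, as Carlos notes later in the
    thread, is only as trustworthy as the LAN it arrives from.

```nft
#!/usr/sbin/nft -f
# Load with: nft -f <this file>
# Placeholders for this example: LAN 192.168.1.0/24, computer B = 192.168.1.20,
# wired interface on A = eth0. Adjust before loading.
flush ruleset

table inet filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections A itself opened, and loopback traffic.
        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # Keep the LAN usable: ping and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH (tcp/22) only from B's address, only on the wired interface.
        # For Rich's broader rule use: ip saddr 192.168.1.0/24
        iif "eth0" ip saddr 192.168.1.20 tcp dport 22 accept

        # Log (rate limited) what is about to be dropped, so that unexpected
        # connection attempts from the LAN show up in the kernel log.
        limit rate 5/minute log prefix "input-drop: " counter drop
    }
}
```

    Check the live ruleset afterwards with `nft list ruleset`; the `counter`
    on the final rule makes it easy to see whether anything other than B is
    knocking on port 22.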
  • From Carlos E.R.@21:1/5 to Spiros Bousbouras on Mon Jun 12 20:57:00 2023
    On 2023-06-12 16:51, Spiros Bousbouras wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    Assuming I go the SSH route , I would need to make sure that the SSH
    daemon runs on computer A. Does installing the correct package (it seems
    to be openssh-server) make sure that the server gets started on boot or
    do I also need to edit something in the start-up scripts ?

    That's up to the distribution. For example, on openSUSE, no. I don't
    know about Debian.

    ...

    But life is much easier if you can trust that nobody is snooping on
    your LAN in the first place.

    Ok , lets focus on whether I have a physically secure network connection
    and whether anyone can snoop on my LAN. I'm not sure which are the
    relevant factors but I will give some information which hopefully is
    relevant. No one but me has physical access to the 2 computers or the
    router. The wireless signal on the router is turned off most of the time
    but I turn it on occasionally. I believe the password for wireless
    connection to be secure. I seed some torrents from computer B so the
    router accepts connections for those. As I've said , computers A and B
    would be connected through cable to the router. With that in mind ,
    could an attacker connect to the router and intercept communications
    between A and B ? Is the attack surface greater with wireless signal on ?

    Using ssh and passwords, no, and no.


    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the
    router through a cable" ? Can the router itself be tricked in that
    regard ? Is there no standard way for the router to pass the information
    to the computer accepting connections ? Is the point to defend from bugs
    in the router software ?

    And how would it know?

    You can limit connections to the IP range given by your router, but an
    intruder might fake that.

    There is no direct way to know if a connection comes from the WiFi. You
    might tell the router to assign different IP numbers, but again, there
    is no warranty.

    --
    Cheers, Carlos.

  • From Computer Nerd Kev@21:1/5 to Spiros Bousbouras on Tue Jun 13 09:11:14 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    Assuming I go the SSH route , I would need to make sure that the SSH
    daemon runs on computer A. Does installing the correct package (it seems
    to be openssh-server) make sure that the server gets started on boot or
    do I also need to edit something in the start-up scripts ?

    I think so. Check with "/etc/init.d/sshd status" to see if it's
    running after a reboot.

    On 12 Jun 2023 09:38:19 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    Debian 5. If there is no incompatibility issue now then one won't arise
    if I don't upgrade the newer system.

    Sure.

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.

    If you want this, then you'll have to give up on the old Debian
    version either now or sometime later. If you're willing to compile
    newer versions of OpenSSH yourself then you might be able to delay
    this for many years though. Other options are setting up a
    physically secure network connection from the old Debian system to
    a newer computer, using SSH to connect to the newer system, which
    runs a script that connects to the older system via Telnet. The
    "newer computer" might even be a virtual machine running on the old
    system with the emulated network interface in Bridge mode so that
    it appears as a unique IP on your LAN.

    But life is much easier if you can trust that nobody is snooping on
    your LAN in the first place.

    Ok , lets focus on whether I have a physically secure network connection
    and whether anyone can snoop on my LAN. I'm not sure which are the
    relevant factors but I will give some information which hopefully is
    relevant. No one but me has physical access to the 2 computers or the
    router. The wireless signal on the router is turned off most of the time
    but I turn it on occasionally. I believe the password for wireless
    connection to be secure. I seed some torrents from computer B so the
    router accepts connections for those. As I've said , computers A and B
    would be connected through cable to the router. With that in mind ,
    could an attacker connect to the router and intercept communications
    between A and B ?

    Not unless they've found an exploit that allows them to control the
    router, in which case you potentially have a lot of other problems
    too.

    Is the attack surface greater with wireless signal on ?

    Yes but if you believe that the wireless is secure then it's not an
    issue. Unless you're using an old encryption method for the
    wireless network.

    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the router through a cable" ?

    You can, but it's your firewall's configuration that you need to
    edit on the computer running the SSH server (or the router, as some
    have suggested, but many cheap routers don't come with firewall
    software). What/how you edit depends on the firewall you're
    running. If you're not running one, then pick one and this should
    be a basic thing described in its documentation.

    Can the router itself be tricked in that regard ?

    Only if people can get onto your LAN. In which case odds are
    they'll be more interested in stealing access to your internet
    connection than hacking into your old Debian machine anyway.

    Is there no standard way for the router to pass the information
    to the computer accepting connections ? Is the point to defend
    from bugs in the router software ?

    The firewall suggestion protects against potential devices on your
    network that are already infected by some sort of malware. If the
    router is infected then it won't help.

    --
    __ __
    #_ < |\| |< _#

  • From Computer Nerd Kev@21:1/5 to The Natural Philosopher on Tue Jun 13 08:19:09 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 00:38, Computer Nerd Kev wrote:

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "deprecated"

    Like telnet is

    No it isn't. Debian even has multiple implementations to choose
    from as packages, and there's no indication that they're all going
    to go away any time soon.

    Using it over the internet certainly isn't recommended anymore, but
    that's not what was being discussed.

    --
    __ __
    #_ < |\| |< _#

  • From Andreas Kohlbach@21:1/5 to Carlos E.R. on Mon Jun 12 21:51:31 2023
    On Mon, 12 Jun 2023 10:53:44 +0200, Carlos E.R. wrote:

    On 2023-06-12 04:10, Andreas Kohlbach wrote:
    On Sun, 11 Jun 2023 13:34:51 +0200, Carlos E.R. wrote:

    On 2023-06-11 12:47, The Natural Philosopher wrote:

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18
    And add an app. Like
    ssh -X username@192.168.2.18 firefox

    That can be done later, typing on the terminal, if you want.

    Notice, though, that firefox is "different" in this respect.

    ssh -X 192.168.2.18

    without an app should just drop you on a shell.

    Suppose you could give an argument like "mate-session" to get into the
    MATE GUI.
    --
    Andreas

  • From Po Lu@21:1/5 to Ivan Shmakov on Tue Jun 13 12:35:47 2023
    XPost: comp.windows.x

    Ivan Shmakov <ivan@siamics.netNOSPAM.invalid> writes:

    Now, I don't have any measurements to back this claim, but
    note that while /classic/ X software sends short commands
    to the X server (draw a line here, render a string there),
    /modern/ software mostly just pushes pre-rendered pixmaps

    This is untrue. The GTK toolkit uses Cairo, which utilizes the X
    rendering extension to composite trapezoids, glyphs and pictures.
    Little if any rendering is done by the client itself.

    to the server. There, VNC protocol may have an advantage,
    as it's pretty much dedicated to shoving image data around,
    and does not support requests such as drawing polygons on
    the server, which modern software won't use anyway.

    Only if you're using software that uses direct GL rendering. Most
    software (both Qt and GTK+) makes ample use of the X rendering
    extension.

    If you mostly want to use modern software (Darktable, Chromium,
    Libreoffice, Merkaartor, that sort of thing) it's worth trying
    VNC, which may happen to have less overhead in this case.

    I don't know what Merkaartor is, but both Darktable (Qt) and Libreoffice
    will use the X rendering extension.

  • From Richard Kettlewell@21:1/5 to Computer Nerd Kev on Tue Jun 13 08:41:31 2023
    not@telling.you.invalid (Computer Nerd Kev) writes:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older version
    of Debian. I want to connect from B to A and execute shell commands
    on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long you
    intend to keep using it without upgrading, my recommendation would be
    to not use SSH because either now or later it will be unable to
    connect with the newer Devuan system because all the supported
    authentication or encryption systems will be depreciated in the newer
    software.

    Deprecated (sic) doesn’t mean disabled.

    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    --
    https://www.greenend.org.uk/rjk/

  • From The Natural Philosopher@21:1/5 to Computer Nerd Kev on Tue Jun 13 12:32:44 2023
    On 12/06/2023 23:19, Computer Nerd Kev wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 00:38, Computer Nerd Kev wrote:

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "deprecated"

    Like telnet is

    No it isn't. Debian even has multiple implementations to choose
    from as packages, and there's no indication that they're all going
    to go away any time soon.

    See Mr Kettlewell's observation. Deprecated doesn't mean obsolete, or
    even obsolescent, it means simply 'no longer recommended'. Like cross
    ply tyres.

    You can still buy them, but radials are better.

    Using it over the internet certainly isn't recommended anymore, but
    that's not what was being discussed.


    It was, the moment you said 'depreciated' when you meant 'deprecated'.
    I used to run telnet on my internal network, but it's no longer installed
    by default and given today's CPU power ssh completely replaces its
    functionality, and in fact adds more, like sshfs etc etc. As well as man
    in the middle attack reduction. Although given no one uses coaxial
    ethernet on campus networks, that's pretty much a non starter on a
    local network, unless it's using wifi.




    --
    "In our post-modern world, climate science is not powerful because it is
    true: it is true because it is powerful."

    Lucas Bergkamp

  • From The Natural Philosopher@21:1/5 to Computer Nerd Kev on Tue Jun 13 12:37:09 2023
    On 13/06/2023 12:31, Computer Nerd Kev wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place? Forget falling back to Telnet, I'd
    start with it and not have to worry about ciphers in the first
    place.

    For one simple reason. It's no longer a default option. Nearly all the
    distros in the last few years I have come across will have ssh by
    default, but not telnet.
    Not being a default means it's less well documented, and marginally
    harder to get working, and still requires a login password which ssh
    does not.

    IIRC the totally insecure passwordless option was 'rsh' ...if that's
    what you want, but it's the first time I typed that in two decades


    --
    “People believe certain stories because everyone important tells them,
    and people tell those stories because everyone important believes them.
    Indeed, when a conventional wisdom is at its fullest strength, one’s
    agreement with that conventional wisdom becomes almost a litmus test of
    one’s suitability to be taken seriously.”

    Paul Krugman

  • From Computer Nerd Kev@21:1/5 to Richard Kettlewell on Tue Jun 13 21:31:39 2023
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place? Forget falling back to Telnet, I'd
    start with it and not have to worry about ciphers in the first
    place.

    --
    __ __
    #_ < |\| |< _#

  • From Rich@21:1/5 to Computer Nerd Kev on Tue Jun 13 13:05:25 2023
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place?

    Because:

    1) In 2023, most Linux installs will have ssh installed (and often
    listening for connections).

    2) Using ssh public keys, it is trivial to setup passwordless login
    between the local lan connected machines (I do not believe telnet ever
    allowed "passwordless login", that would have been rsh, which ssh
    replaced long ago).

    3) Using ssh provides for port forwarding between the machines (in case
    one wants to do that).

    4) Ssh provides scp and sftp for quick "file transfers" between the
    computers.

    5) Ssh provides the -X and -Y "remote X" transport, which should
    automatically setup for running X apps remotely (i.e. he does not have
    to understand how to setup DISPLAY manually nor how to allow access
    locally (xhost))

    6) Ssh access allows for using sshfs to "network file system" access
    the other machine(s) disks, without having to setup NFS proper (much
    more effort to setup than sshfs). This goes well beyond "scp and sftp"
    file transfers.

    In my opinion, #2 is a significant enough of a benefit (no need to
    enter a password for each remote access) that years ago when ssh first
    appeared (and long before there was ever an "OpenSSH") I setup ssh
    among all my local lan machines and dropped telnet use entirely for
    remote access. And not because I 'needed' secure connections over my
    local lan (I did not, and back then the encryption load was a
    significant CPU hit) but because the convenience factor of not needing to
    type in passwords was so huge.

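    A server-side configuration for computer A that covers Rich's points 2
    and 5 (key-only login, remote X via `ssh -X`) together with Spiros's
    question 2 (accept only B). This is an added example, not something any
    poster supplied; the addresses, the user name and the drop-in path are
    placeholders, and the AllowUsers pattern assumes B keeps a fixed address
    (a DHCP reservation on the router, or a static lease). Note that ed25519
    keys need OpenSSH 6.5 or newer on the client, so a Debian 5 client would
    have to use an RSA key instead.

```sshd_config
# /etc/ssh/sshd_config.d/local-lan.conf   (assumed path: Debian-derived
# sshd_config files carry "Include /etc/ssh/sshd_config.d/*.conf"; on an
# sshd without Include support append these lines to /etc/ssh/sshd_config)
# Placeholders for this example: A = 192.168.1.10, B = 192.168.1.20,
# account on A = spiros.

# Listen on A's LAN address only, not on every interface.
ListenAddress 192.168.1.10

# Keys only: no password prompt is ever offered, so nothing to type on B
# and nothing for a guesser on the LAN to try.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

# One account, and only when it arrives from B's address. A connection
# from any other source is refused at authentication even if it passed
# the firewall.
AllowUsers spiros@192.168.1.20

# Needed for "ssh -X" from B to display A's X clients on B.
X11Forwarding yes

# One-time setup on B (client side, typed as the user who will connect):
#   ssh-keygen -t ed25519              # or: ssh-keygen -t rsa -b 4096 on old clients
#   ssh-copy-id spiros@192.168.1.10    # installs the public key on A
# Afterwards:  ssh -X spiros@192.168.1.10
```

    After editing, `sshd -t` on A checks the file for syntax errors before
    the service is restarted, which avoids locking yourself out of the only
    login path.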
  • From Computer Nerd Kev@21:1/5 to The Natural Philosopher on Tue Jun 13 23:08:40 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 23:19, Computer Nerd Kev wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 00:38, Computer Nerd Kev wrote:
    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "deprecated"

    Like telnet is

    No it isn't. Debian even has multiple implementations to choose
    from as packages, and there's no indication that they're all going
    to go away any time soon.

    See Mr Kettlewell's observation. Deprecated doesn't mean obsolete, or
    even obsolescent, it means simply 'no longer recommended'. Like cross
    ply tyres.

    You can still buy them, but radials are better.

    Actually I linked to an example earlier in this thread.

    The IETF recommends not implementing some old key exchange
    algorithms for SSH: https://datatracker.ietf.org/doc/id/draft-ietf-curdle-ssh-kex-sha2-13.html

    "The purpose of this RFC is to recommend that some published key
    exchanges be deprecated as well as recommending some that SHOULD
    and one that MUST be adopted."
    [snip]
    "The diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1,
    gss-gex-sha1-*, and gss-group1-sha1-* key exchanges SHOULD NOT be
    implemented."

    Using it over the internet certainly isn't recommended anymore, but
    that's not what was being discussed.

    It was, the moment you said 'depreciated' when you meant 'deprecated'.

    Yes may never one of my frequent word mix-ups get past the vigilant
    readers of the comp.* groups.

    I used to run telnet on my internal network, but it's no longer installed
    by default and given today's CPU power ssh completely replaces its
    functionality, and in fact adds more, like sshfs etc etc.

    It's still easier for interoperability with old systems such as the
    Debian 5 one that the OP wants to use. There's just lots more to go
    wrong with SSH.

    --
    __ __
    #_ < |\| |< _#

  • From The Natural Philosopher@21:1/5 to Computer Nerd Kev on Tue Jun 13 14:43:24 2023
    On 13/06/2023 14:08, Computer Nerd Kev wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 23:19, Computer Nerd Kev wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 12/06/2023 00:38, Computer Nerd Kev wrote:
    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "deprecated"

    Like telnet is

    No it isn't. Debian even has multiple implementations to choose
    from as packages, and there's no indication that they're all going
    to go away any time soon.

    See Mr Kettlewell's observation. Deprecated doesn't mean obsolete, or
    even obsolescent, it means simply 'no longer recommended'. Like cross
    ply tyres.

    You can still buy them, but radials are better.

    Actually I linked to an example earlier in this thread.

    The IETF recommends not implementing some old key exchange
    algorithms for SSH: https://datatracker.ietf.org/doc/id/draft-ietf-curdle-ssh-kex-sha2-13.html

    "The purpose of this RFC is to recommend that some published key
    exchanges be deprecated as well as recommending some that SHOULD
    and one that MUST be adopted."
    [snip]
    "The diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1,
    gss-gex-sha1-*, and gss-group1-sha1-* key exchanges SHOULD NOT be
    implemented."

    Using it over the internet certainly isn't recommended anymore, but
    that's not what was being discussed.

    It was, the moment you said 'depreciated' when you meant 'deprecated'.

    Yes may never one of my frequent word mix-ups get past the vigilant
    readers of the comp.* groups.

    I used to run telnet on my internal network, but it's no longer installed
    by default and given today's CPU power ssh completely replaces its
    functionality, and in fact adds more, like sshfs etc etc.

    It's still easier for interoperability with old systems such as the
    Debian 5 one that the OP wants to use. There's just lots more to go
    wrong with SSH.

    I've not ever had anything go wrong with it, once set up.

    --
    The lifetime of any political organisation is about three years before
    it's been subverted by the people it tried to warn you about.

    Anon.

  • From David W. Hodgins@21:1/5 to Computer Nerd Kev on Tue Jun 13 14:23:05 2023
    On Tue, 13 Jun 2023 07:31:39 -0400, Computer Nerd Kev <not@telling.you.invalid> wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place? Forget falling back to Telnet, I'd
    start with it and not have to worry about ciphers in the first
    place.

    It's one layer of security. If one user gets hacked the other users
    on that computer are slightly more protected and the systems they can
    access are also more protected.

    Reasonably good security practices include having many levels of security
    so that one level or user getting hacked doesn't result in full lan access.

    Regards, Dave Hodgins

  • From Carlos E.R.@21:1/5 to Computer Nerd Kev on Tue Jun 13 22:25:35 2023
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    There is a user/password prompt, asked by the "other" computer.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andreas Kohlbach on Tue Jun 13 22:30:16 2023
    On 2023-06-13 03:51, Andreas Kohlbach wrote:
    On Mon, 12 Jun 2023 10:53:44 +0200, Carlos E.R. wrote:

    On 2023-06-12 04:10, Andreas Kohlbach wrote:
    On Sun, 11 Jun 2023 13:34:51 +0200, Carlos E.R. wrote:

    On 2023-06-11 12:47, The Natural Philosopher wrote:

    I am not up to date on X forwarding, so I will pass on that. I believe
    that too can pass over ssh.

    Yes.

    You do:

    ssh -X username@192.168.2.18
    And add an app. Like
    ssh -X username@192.168.2.18 firefox

    That can be done later, typing on the terminal, if you want.

    Notice, though, that firefox is "different" in this respect.

    ssh -X 192.168.2.18

    without an app should just drop you on a shell.

    And once there you can type "firefox &" and get firefox, or anything else.


    Suppose you could give an argument like "mate-session" to get into the
    MATE GUI.

    --
    Cheers, Carlos.

  • From The Natural Philosopher@21:1/5 to Carlos E.R. on Tue Jun 13 23:36:54 2023
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

    There is a user/password prompt, asked by the "other" computer.


    --
    “The ultimate result of shielding men from the effects of folly is to
    fill the world with fools.”

    Herbert Spencer

  • From Computer Nerd Kev@21:1/5 to The Natural Philosopher on Wed Jun 14 08:55:13 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 13/06/2023 14:08, Computer Nerd Kev wrote:
    It's still easier for interoperability with old systems such as the
    Debian 5 one that the OP wants to use. There's just lots more to go
    wrong with SSH.

    Ive not ever had anything go wrong with it, once set up.

    That's lucky for you.

    No matching ciphers. No matching key algorithms. Changed host keys
    causing automated tasks to fail (yes there's an option to disable
    host key checking buried in the clumsy OpenSSH docs, but one has
    to think of it). SCP command failing because SCP has been disabled
    for security reasons and the Dropbear client in use doesn't have
    SFTP support.

    I know there are good answers to all those, and I've already
    followed them myself. But if it's just for connecting two computers
    together via Ethernet at home, then why should one have to fix
    these things when they're protecting against attacks that aren't
    going to happen in that circumstance?

    --
    __ __
    #_ < |\| |< _#

  • From Computer Nerd Kev@21:1/5 to Rich on Wed Jun 14 09:05:02 2023
    Rich <rich@example.invalid> wrote:
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place?

    Because:

    1) In 2023, most Linux installs will have ssh installed (and often
    listening for connections).

    2) Using ssh public keys, it is trivial to set up passwordless login
    between the local lan connected machines (I do not believe telnet ever
    allowed "passwordless login", that would have been rsh, which ssh
    replaced long ago).

    3) Using ssh provides for port forwarding between the machines (in case
    one wants to do that).

    4) Ssh provides scp and sftp for quick "file transfers" between the computers.

    5) Ssh provides the -X and -Y "remote X" transport, which should
    automatically set up for running X apps remotely (i.e. he does not have
    to understand how to set up DISPLAY manually nor how to allow access
    locally (xhost))

    6) Ssh access allows for using sshfs to "network file system" access
    the other machine(s) disks, without having to setup NFS proper (much
    more effort to setup than sshfs). This goes well beyond "scp and sftp"
    file transfers.

    Yes I know that there's an SSH and a non-SSH way to do everything
    (ftpfs more than NFS for the last one). The SSH ways are much
    appreciated over the internet but on a secure network they're just
    a long list of extra things to go wrong. I guess the value that you
    assign to that is a matter of personal opinion.

    --
    __ __
    #_ < |\| |< _#

  • From Computer Nerd Kev@21:1/5 to David W. Hodgins on Wed Jun 14 09:21:10 2023
    David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Tue, 13 Jun 2023 07:31:39 -0400, Computer Nerd Kev <not@telling.you.invalid> wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place? Forget falling back to Telnet, I'd
    start with it and not have to worry about ciphers in the first
    place.

    It's one layer of security. If one user gets hacked the other users
    on that computer are slightly more protected and the systems they can
    access are also more protected.

    Reasonably good security practices include having many levels of security
    so that one level or user getting hacked doesn't result in full lan access.

    That logic is general enough that it can be taken as far as you
    want it to go. For two computers on a home network connected via
    Ethernet I think the extra risk of using Telnet vs SSH is marginal
    at best.

    --
    __ __
    #_ < |\| |< _#

  • From Computer Nerd Kev@21:1/5 to Computer Nerd Kev on Wed Jun 14 09:24:06 2023
    Computer Nerd Kev <not@telling.you.invalid> wrote:

    No matching ciphers. No matching key algorithums.
    ^^^^^^^^^^^
    "algorithms", before you jump on it.

    --
    __ __
    #_ < |\| |< _#

  • From Andreas Kohlbach@21:1/5 to Carlos E.R. on Tue Jun 13 22:59:35 2023
    On Tue, 13 Jun 2023 22:30:16 +0200, Carlos E.R. wrote:

    On 2023-06-13 03:51, Andreas Kohlbach wrote:
    On Mon, 12 Jun 2023 10:53:44 +0200, Carlos E.R. wrote:

    On 2023-06-12 04:10, Andreas Kohlbach wrote:

    And add an app. Like
    ssh -X username@192.168.2.18 firefox

    That can be done later, typing on the terminal, if you want.

    Notice, though, that firefox is "different" in this respect.
    ssh -X 192.168.2.18
    without an app should just drop you on a shell.

    And once there you can type "firefox &" and get firefox, or anything else.

    Ah! Didn't know that. Although it's obvious.
    --
    Andreas

  • From 24D.245@21:1/5 to The Natural Philosopher on Wed Jun 14 00:01:26 2023
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

    Mostly correct ... but you can still poll addresses
    looking for Telnet activity and then go from there.
    Switches don't/can't hide EVERYTHING ... there are
    numerous utilities that can still see a LOT going
    on in the local network. Try WireShark ...

    Telnet is of the same generation as POP - a kinder
    and gentler era where 'security'/encryption was
    not considered a big deal (we're all pals here,
    right ?). It's BEST not to use Telnet - indeed
    block its port in your router.

    Did have some fun lately though using Telnet to
    log into a mail server, you can select an alt port.
    Had to type weird stuff into prompts - but you COULD
    connect/receive/send.

  • From Ivan Shmakov@21:1/5 to All on Wed Jun 14 04:35:44 2023
    On 2023-06-12, Computer Nerd Kev wrote:
    Ivan Shmakov <ivan@siamics.netnospam.invalid> wrote:
    On 2023-06-11, Computer Nerd Kev wrote:

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be depreciated
    in the newer software.

    "Deprecated," but so far as I can tell, not "unsupported."
    For details, refer to the Cipher and HostKeyAlgorithms options
    description in ssh_config(5) and sshd_config(5).

    Yes I answered the question in a generic sense assuming computer B
    could be running _any_ older version of Debian because the version
    wasn't specified.

    I'd think that 'any /supported/ version' (which, I gather,
    means 'Buster or newer' currently) would be a safer assumption
    generally.

    I'm quite surprised to learn that OP intends to use Debian 5.

    I'm posting from Debian version 3 right now, so that makes sense
    to me, but it did occur to me afterwards that the OP may have
    meant an old but still supported Debian version.

    While I'm no stranger to running unmaintained software (or
    versions thereof) myself, I'm curious what could be the reason
    to run a no longer supported version of Debian specifically?
    (With i686 in User-Agent:, I'd venture to guess it's not a
    matter of having hardware no longer supported by Debian?)

    The IETF recommends not implementing some old key exchange
    algorithms for SSH:

    https://datatracker.ietf.org/doc/id/draft-ietf-curdle-ssh-kex-sha2-13.html

    To quote:

    This Internet-Draft is submitted in full conformance with the
    provisions of BCP 78 and BCP 79.

    Internet-Drafts are working documents of the Internet Engineering Task
    Force (IETF). Note that other groups may also distribute working
    documents as Internet-Drafts. The list of current Internet-Drafts is
    at https://datatracker.ietf.org/drafts/current/.

    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time. It is inappropriate to use Internet-Drafts as reference material
    or to cite them other than as "work in progress."

    This Internet-Draft will expire on 18 July 2021.

    The document that contains actual IETF recommendations on the
    matter would be RFC 9142, http://rfc-editor.org/rfc/rfc9142.txt .

    ... And my opinion is that while IETF may withdraw its past
    recommendation of one feature or another, recommending against
    /implementation/ of any previously documented feature would
    be 'overstepping its authority,' so to say. In no small part
    because it tends to lead to discussions like the present one.

    But indeed up to a point you can enable many depreciated options
    with the "ciphers" and "KexAlgorithms" settings in
    /etc/ssh/sshd_config on "computer A".

    But if you can just use Telnet happily on a secure LAN, then this
    is all lots of unnecessary work

    Not everyone of us can quite 'afford' a secure LAN. Some of
    us use 'insecure' computers, be that Windows laptops, Android
    TVs, or Wi-Fi-connected smartphones; or have family members
    who use those. And while it /might/ be 'physically' possible
    to have two LANs, one secure and one not, such a solution
    increases maintenance burden.

    More to the point is that Telnet is a poor substitute for the
    'remote shell' function. I have scripts that will run
    ssh -- REMOTE COMMAND for a given REMOTE, and I'd rather not
    specialcase 'REMOTE is on secure LAN' vs. 'REMOTE is Internet.'

    I have scripts where REMOTE = HOSTNAME is specialcased, though.
    There, COMMAND would be passed to sh -c instead.

    I use 'remote shell' for running all sorts of commands remotely.
    I will $ ssh -- REMOTE tar --lzip -c -- . > REMOTE-backup.tar.lz
    one day, and I will $ ssh -- REMOTE mpg123 -q -- - < FILE.mp3
    another. (Or, rather, I will run a script that runs $MPG123
    with MPG123="ssh -- REMOTE mpg123" set in its environment.)

    And of course I use Rsync over SSH extensively, be that for
    backups or for pushing new versions of ~/.bashrc et al. from
    my primary box to every other *nix home directory I have.

    I suppose with some 'necessary work' I can do the things
    above with Telnet as well, but I'd think that by that point,
    resurrecting RSH would be a more straightforward solution.

    (especially because SSH isn't very helpful with its error messages,
    and old versions don't support the -Q option).

    Well, cannot quite argue with that. If anything, I haven't yet
    figured out how to connect to my OpenSSH instances with SSH2DOS.

    --
    FSF associate member #7257 np. COMMAND.COM by Master Boot Record

  • From The Natural Philosopher@21:1/5 to All on Wed Jun 14 09:23:42 2023
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

      Mostly correct ... but you can still poll addresses
      looking for Telnet activity and then go from there.
      Switches don't/can't hide EVERYTHING ... there are
      numerous utilities that can still see a LOT going
      on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.


      Telnet is of the same generation as POP - a kinder
      and gentler era where 'security'/encryption was
      not considered a big deal (we're all pals here,
      right ?). It's BEST not to use Telnet - indeed
      block its port in your router.

      Did have some fun lately though using Telnet to
      log into a mail server, you can select an alt port.
      Had to type weird stuff into prompts - but you COULD
      connect/receive/send.

    Been doing that for years.
    And I still use POP to download my mail from my internet based server.
    Old school. Only this network's IP address can do that.


    --
    No Apple devices were knowingly used in the preparation of this post.

  • From The Natural Philosopher@21:1/5 to Computer Nerd Kev on Wed Jun 14 09:18:48 2023
    On 14/06/2023 00:21, Computer Nerd Kev wrote:
    David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Tue, 13 Jun 2023 07:31:39 -0400, Computer Nerd Kev <not@telling.you.invalid> wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place? Forget falling back to Telnet, I'd
    start with it and not have to worry about ciphers in the first
    place.

    It's one layer of security. If one user gets hacked the other users
    on that computer are slightly more protected and the systems they can
    access are also more protected.

    Reasonably good security practices include having many levels of security
    so that one level or user getting hacked doesn't result in full lan access.

    That logic is general enough that it can be taken as far as you
    want it to go. For two computers on a home network connected via
    Ethernet I think the extra risk of using Telnet vs SSH is marginal
    at best.

    Indeed. As has been stated, the real reason to use ssh is not security,
    but utility. Passwordless access, better control over which machine/user
    can access, availability of remote shell and file transfer, better
    support...

    And anyone who can't set up ssh properly probably belongs on an Apple Mac...

    --
    The biggest threat to humanity comes from socialism, which has utterly
    diverted our attention away from what really matters to our existential
    survival, to indulging in navel gazing and faux moral investigations
    into what the world ought to be, whilst we fail utterly to deal with
    what it actually is.

  • From Carlos E.R.@21:1/5 to Rich on Wed Jun 14 13:05:51 2023
    On 2023-06-13 15:05, Rich wrote:
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The sensible
    thing to do at that point is upgrade the older endpoints, rather than
    falling back to telnet.

    It's two computers on his home network connected via Ethernet, why
    use SSH in the first place?

    Because:

    1) In 2023, most Linux installs will have ssh installed (and often
    listening for connections).

    2) Using ssh public keys, it is trivial to set up passwordless login
    between the local lan connected machines (I do not believe telnet ever
    allowed "passwordless login", that would have been rsh, which ssh
    replaced long ago).

    3) Using ssh provides for port forwarding between the machines (in case
    one wants to do that).

    4) Ssh provides scp and sftp for quick "file transfers" between the computers.

    5) Ssh provides the -X and -Y "remote X" transport, which should
    automatically set up for running X apps remotely (i.e. he does not have
    to understand how to set up DISPLAY manually nor how to allow access
    locally (xhost))

    6) Ssh access allows for using sshfs to "network file system" access
    the other machine(s) disks, without having to setup NFS proper (much
    more effort to setup than sshfs). This goes well beyond "scp and sftp"
    file transfers.

    In my opinion, #2 is a significant enough of a benefit (no need to
    enter a password for each remote access) that years ago when ssh first
    appeared (and long before there was ever an "OpenSSH") I set up ssh
    among all my local lan machines and dropped telnet use entirely for
    remote access. And not because I 'needed' secure connections over my
    local lan (I did not, and back then the encryption load was a
    significant CPU hit) but because the convenience factor of not needing to
    type in passwords was so huge.

    Very much so, yes.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to The Natural Philosopher on Wed Jun 14 13:02:59 2023
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything inside
    the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.

    So?

    The switch can put ports in mirror mode, or a rogue switch can be
    inserted in the cable. If someone has the intent to look into traffic,
    he will.

    --
    Cheers, Carlos.

  • From Rich@21:1/5 to The Natural Philosopher on Wed Jun 14 11:52:47 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

      Mostly correct ... but you can still poll addresses
      looking for Telnet activity and then go from there.
      Switches don't/can't hide EVERYTHING ... there are
      numerous utilities that can still see a LOT going
      on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.

    That is the normal state. But an active attacker can use a MAC
    flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
    switch to try to get it to trip into unicast flooding mode, at which
    point the switch degrades to a hub (all packets broadcast on all
    ports).

    This is likely more effective on common 4-port switches for home use
    vs. on 'enterprise grade' high end managed switches.

  • From Spiros Bousbouras@21:1/5 to Rich on Wed Jun 14 14:01:49 2023
    On Mon, 12 Jun 2023 17:05:50 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to
    the router through a cable" ?

    This is typically done by setting up a firewall rule.

    I assume it's possible to set different restrictions for different
    internet ports , otherwise it seems like a much too crude solution.

    For your stated
    "rule" above, and assuming by 'router' you actually mean one of those
    boxes that is both a router and a 4-port ethernet switch combination
    box,

    Yes , that's what I mean.

    you would add a rule to the machine's firewall to only accept
    packets with a source IP of the local LAN. Which is most likely a
    /24, so X.Y.Z.??? where X.Y.Z are the first three octets of your LAN's
    IP address range, and ??? is anything.

    The exact way to formulate and install such a rule requires more
    specifics than we are cognizant of over USENET.

    Something about your choice of words makes it sound very complicated !

    --
    vlaho.ninja/prog

  • From Spiros Bousbouras@21:1/5 to Computer Nerd Kev on Wed Jun 14 14:26:19 2023
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    This thread has got a lot more popular than what I expected it to be.

    [...]

    As I've said , computers A and B
    would be connected through cable to the router. With that in mind ,
    could an attacker connect to the router and intercept communications
    between A and B ?

    Not unless they've found an exploit that allows them to control the
    router, in which case you potentially have a lot of other problems
    too.

    Is the attack surface greater with wireless signal on ?

    Yes but if you believe that the wireless is secure then it's not an
    issue. Unless you're using an old encryption method for the
    wireless network.

    I have taken no explicit steps to address the wireless encryption method
    so I assume it is what came as a default with the router. The router
    is what I received from my ISP in November 2021 so it should be recent
    enough.

    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the
    router through a cable" ?

    You can, but it's your firewall's configuration that you need to
    edit on the computer running the SSH server (or the router, as some
    have suggested, but many cheap routers don't come with firewall
    software).

    I think my router has firewall functionality. But the router only has a
    web interface whereas I much prefer to use the command line so I'd rather
    do things on the computers rather than on the router. Plus , computer
    settings can go on my back-ups.

    What/how you edit depends on the firewall you're
    running. If you're not running one, then pick one and this should
    be a basic thing described in its documentation.

    So there are different firewall choices ? Ok , this is getting too far from
    my present knowledge for me for now. So I think that for the time being I
    will go with SSH *with* password and not worry about firewalls.

    So with such a set up , I'm guessing that anyone will be able to try
    and connect to computer A but , as long as my password is secure enough ,
    then it shouldn't be a problem. I'm guessing that it's possible to
    configure SSH to log all attempts to log in (both successful and not)
    and also have a delay after an unsuccessful attempt.

    Do I have all this right ?

    At least , it will be somewhat interesting to see how many random attempts
    I get of people trying to log in to the computer.

    Can the router itself be tricked in that regard ?

    Only if people can get onto your LAN.

    You mean physically get onto the LAN ?

    In which case odds are
    they'll be more interested in stealing access to your internet
    connection than hacking into your old Debian machine anyway.

    Is there no standard way for the router to pass the information
    to the computer accepting connections ? Is the point to defend
    from bugs in the router software ?

    The firewall suggestion protects against potential devices on your
    network that are already infected by some sort of malware. If the
    router is infected then it won't help.

    By the way , is the book "Linux firewalls" by Michael Rash still
    considered relevant enough ?

    --
    I am writing this mail to you with serious tears in my eyes and great
    sorrow in my heart
    An email offering me 30% of $7,200,200

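The two things asked about above, a rule that only admits the home LAN and a log of every login attempt, can be checked against sshd's own syslog output. The script below is an added example for this thread, not code from any poster: it parses constructed auth.log-style lines (the hostname, addresses and timestamps are made up), counts accepted and failed logins per source, and flags any source that a LAN-only firewall rule for the assumed 192.168.1.0/24 network would have dropped.

```python
"""Summarise sshd login attempts from auth.log-style lines and flag
sources outside the home LAN.  Added example, not code from the thread;
the log lines below are constructed, not captured."""
import ipaddress
import re
from collections import Counter

# sshd reports each authentication outcome on one syslog line, e.g.
#   sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2
#   sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: logins from "computer B" on the LAN, a short
# password-guessing run from an Internet address, and one sshd line
# that is not a login result at all.
SAMPLE_LOG = """\
Jun 14 14:26:19 hostA sshd[1201]: Accepted publickey for spiros from 192.168.1.20 port 51234 ssh2: ED25519 SHA256:placeholder
Jun 14 14:27:02 hostA sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Jun 14 14:27:04 hostA sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Jun 14 14:27:09 hostA sshd[1203]: Failed password for root from 203.0.113.7 port 4250 ssh2
Jun 14 14:27:10 hostA sshd[1203]: Disconnected from authenticating user root 203.0.113.7 port 4250 [preauth]
Jun 14 14:30:41 hostA sshd[1210]: Failed password for spiros from 192.168.1.20 port 51300 ssh2
Jun 14 14:30:45 hostA sshd[1210]: Accepted password for spiros from 192.168.1.20 port 51300 ssh2
"""


def parse_line(line):
    """Return a dict (result, method, user, ip) for a login-result line,
    or None for any other sshd line."""
    m = LOGIN_RE.search(line)
    return m.groupdict() if m else None


def summarise(log_text, lan_cidr):
    """Count accepted/failed logins per source IP and list the sources
    that lie outside lan_cidr: exactly the connections a LAN-only
    firewall rule would have dropped before sshd ever saw them."""
    lan = ipaddress.ip_network(lan_cidr)
    accepted, failed = Counter(), Counter()
    outside = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        (accepted if rec["result"] == "Accepted" else failed)[ip] += 1
        if ipaddress.ip_address(ip) not in lan:
            outside.add(ip)
    return {
        "accepted": dict(accepted),
        "failed": dict(failed),
        "outside_lan": sorted(outside),
    }


def noisy_sources(summary, threshold=3):
    """Sources with at least `threshold` failures: the ones to rate-limit
    or block at the firewall."""
    return sorted(ip for ip, n in summary["failed"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG, "192.168.1.0/24")
    print(s)
    print("noisy sources:", noisy_sources(s))
```

On a real machine, feed it the sshd lines from /var/log/auth.log (or `journalctl -u ssh`) and the LAN prefix the router hands out.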
  • From Carlos E. R.@21:1/5 to Spiros Bousbouras on Wed Jun 14 16:34:52 2023
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    This thread has got a lot more popular than what I expected it to be.

    ...

    To return to what you say above :
    With Telnet I think this would need to be done in firewall settings
    on the computers or a router.

    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to the
    router through a cable" ?

    You can, but it's your firewall's configuration that you need to
    edit on the computer running the SSH server (or the router, as some
    have suggested, but many cheap routers don't come with firewall
    software).

    I think my router has firewall functionality. But the router only has a
    web interface whereas I much prefer to use the command line so I'd rather
    do things on the computers rather than on the router. Plus , computer
    settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document them.

    But you are forgetting the computer firewall.

    --
    Cheers,
    Carlos E.R.

  • From Spiros Bousbouras@21:1/5 to Carlos E. R. on Wed Jun 14 15:03:27 2023
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only has a
    web interface whereas I much prefer to use the command line so I'd rather
    do things on the computers rather than on the router. Plus , computer
    settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document them.

    Is there a way to find out if mine does ?

    But you are forgetting the computer firewall.

    I'd still much prefer to explore the router's capabilities through the
    command line rather than through a web interface.

  • From The Natural Philosopher@21:1/5 to Carlos E.R. on Wed Jun 14 16:26:45 2023
    On 14/06/2023 12:02, Carlos E.R. wrote:
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything inside
    the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment where
    the target machine resides. That's what a switch *does*.

    So?

    The switch can put ports in mirror mode,

    Not unless it's managed and you have password access.

    or a rogue switch can be
    inserted in the cable.

    In what cable?

    I mean this is so bleeding stupid and *theoretical* it makes no sense.

    Reminds me of a security audit my chief engineer did on a company, to
    test their firewall.

    He came back and said 'Well I am glad that's over' 'Why? Was there
    something wrong with their firewall?' 'No. It was the list of root
    passwords pinned up behind the receptionist, and the 5 modems connected
    to staff computers, behind the firewall on direct dial in lines, that I
    found'

    If someone has access to my physical lan they can stick a USB stick in
    any one of my computers, boot live linux and have access to anything on it.

    SSH isn't going to stop that.


    If someone has the intent to look into traffic,
    he will.

    Yes, but the last way he would bother to try is installing some splitter
    dongle on a switch based network

    Nobody picks a Chubb lock when the door is already open


    --
    "When one man dies it's a tragedy. When thousands die it's statistics."

    Josef Stalin

  • From The Natural Philosopher@21:1/5 to Rich on Wed Jun 14 16:28:13 2023
    On 14/06/2023 12:52, Rich wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

      Mostly correct ... but you can still poll addresses
      looking for Telnet activity and then go from there.
      Switches don't/can't hide EVERYTHING ... there are
      numerous utilities that can still see a LOT going
      on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established MAC
    addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.

    That is the normal state. But an active attacker can use a MAC
    flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
    switch to try to get it to trip into unicast flooding mode, at which
    point the switch degrades to a hub (all packets broadcast on all
    ports).

    This is likely more effective on common 4-port switches for home use
    vs. on 'enterprise grade' high end managed switches.

    There is no one in my house except me, and I have an ancient 24 port
    switch feeding my network.


    --
    It’s easier to fool people than to convince them that they have been fooled. Mark Twain

  • From Rich@21:1/5 to The Natural Philosopher on Wed Jun 14 16:21:43 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 12:52, Rich wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

      Mostly correct ... but you can still poll addresses
      looking for Telnet activity and then go from there.
      Switches don't/can't hide EVERYTHING ... there are
      numerous utilities that can still see a LOT going
      on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established MAC
    addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.

    That is the normal state. But an active attacker can use a MAC
    flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
    switch to try to get it to trip into unicast flooding mode, at which
    point the switch degrades to a hub (all packets broadcast on all
    ports).

    This is likely more effective on common 4-port switches for home use
    vs. on 'enterprise grade' high end managed switches.

    There is no one in my house except me, and I have an ancient 24 port
    switch feeding my network.

    Agreed, if you have an "active attacker" in your house, you have much
    bigger problems than the possibility of overflowing the switch's mac
    address lookup tables.

    My point was that a switch is not always a "segment isolator". Some of
    them can be tricked into degrading into hubs.

  • From Rich@21:1/5 to Spiros Bousbouras on Wed Jun 14 16:18:51 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Mon, 12 Jun 2023 17:05:50 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Perhaps I'm asking a very naive question but why is it not enough to
    enter into some configuration file (whether one for telnet or SSH or
    whatever) something which tells the relevant server "Only accept
    connections coming from a computer which is physically connected to
    the router through a cable" ?

    This is typically done by setting up a firewall rule.

    I assume it's possible to set different restrictions for different
    internet ports , otherwise it seems like a much too crude solution.

    Yes, at least for the Linux built-in firewall, you can set up very fine
    grained permissions (assuming you wish to enumerate and set up all the
    rules).

    For your stated "rule" above, and assuming by 'router' you actually
    mean one of those boxes that is both a router and a 4-port ethernet
    switch combination box,

    Yes , that's what I mean.

    you would add a rule to the machine's firewall to only accept
    packets with a source IP of the local LAN. Which is most likely a
    /24, so X.Y.Z.??? where X.Y.Z are the first three octets of your LAN's
    IP address range, and ??? is anything.

    The exact way to formulate and install such a rule requires more
    specifics than we are cognizant of over USENET.

    Something about your choice of words makes it sound very complicated !

    I do not know your IP address range you are using. But to take an
    example, the 10.0.0.0 IP range is one of the three "reserved for local
    usage" ranges. Assuming you are giving your machines IP addresses of:

    10.0.0.1, 10.0.0.12, 10.0.0.134, etc.

    Then an appropriate rule could be (assuming Linux, iptables, an
    otherwise empty INPUT chain, the INPUT chain configured to deny by
    default, you wanting to block ssh, and sshd listening on port 22):

    iptables -A INPUT -s 10.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

    That says to only accept TCP packets that are destined for port 22 that
    have a source IP of 10.0.0.0 through 10.0.0.255. Any packet with a
    different source address would be blocked by the 'default deny' rule.

    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

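As an added example (not code from the thread), the following Python reads rules in the text form that iptables-save prints and emulates first-match evaluation of the filter table's INPUT chain, so the effect of Rich's LAN-only rule can be checked against sample source addresses before touching a live firewall. The saved-rule text, the packet fields and every function name are constructed for this illustration; the emulator refuses any iptables option it does not model rather than guessing at it.

```python
"""Emulate iptables INPUT-chain evaluation for the LAN-only SSH rule.

Added example, not code from the thread. Rules are read in the text form
that iptables-save prints; SAMPLE_RULES is constructed to mirror Rich's
rule with an otherwise empty INPUT chain whose policy is DROP.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed iptables-save output. iptables expands the "10.0.0/24"
# shorthand from the post to 10.0.0.0/24 when it saves the rule.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Packet:
    src: str             # source IP address as written in the packet header
    proto: str = "tcp"
    dport: int = 0
    iface: str = "eth0"  # interface the packet arrived on


@dataclass
class Rule:
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every condition present on the rule must hold; absent ones match anything.
        return ((self.src is None or ipaddress.ip_address(pkt.src) in self.src)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.iface is None or pkt.iface == self.iface))


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # iptables stops at the first matching rule; otherwise the policy applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def parse_rule(tokens: List[str]) -> Tuple[str, Rule]:
    """Parse the tokens after '-A'; unmodelled options raise instead of being ignored."""
    chain, opts = tokens[0], tokens[1:]
    rule = Rule(target="")
    for opt, arg in zip(opts[0::2], opts[1::2]):
        if opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule.proto = arg
        elif opt == "--dport":
            rule.dport = int(arg)
        elif opt == "-i":
            rule.iface = arg
        elif opt == "-j":
            rule.target = arg
        elif opt != "-m":  # "-m tcp" only loads the match module; its options are handled above
            raise ValueError(f"unsupported iptables option {opt!r}")
    if not rule.target:
        raise ValueError("rule has no -j target")
    return chain, rule


def parse_iptables_save(text: str) -> Dict[str, Chain]:
    """Build chains (name -> Chain) from iptables-save text."""
    chains: Dict[str, Chain] = {}
    for line in text.splitlines():
        if line.startswith(":"):        # ":INPUT DROP [0:0]" declares a chain and its policy
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif line.startswith("-A "):    # "-A INPUT ..." appends a rule to that chain
            name, rule = parse_rule(shlex.split(line)[1:])
            chains[name].rules.append(rule)
    return chains


def ssh_verdicts(save_text: str, sources: List[str], iface: str = "eth0") -> Dict[str, str]:
    """Verdict the INPUT chain gives a TCP port-22 packet from each source address."""
    chain = parse_iptables_save(save_text)["INPUT"]
    return {src: chain.verdict(Packet(src, "tcp", 22, iface)) for src in sources}
```

Note that, as Rich says, the rule only tests the source address field of the packet, so a verdict of ACCEPT means "claims to come from the LAN range", not "arrived over a cable".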
  • From Rich@21:1/5 to Spiros Bousbouras on Wed Jun 14 16:28:09 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    What/how you edit depends on the firewall you're running. If you're
    not running one, then pick one and this should be a basic thing
    described in its documentation.

    So there are different firewall choices ? Ok , this is getting too
    far from my present knowledge for me for now. So I think that for
    the time being I will go with SSH *with* password and not worry about firewalls.

    So with such a set up , I'm guessing that anyone will be able to try
    and connect to computer A but , as long as my password is secure
    enough , then it shouldn't be a problem. I'm guessing that it's
    possible to configure SSH to log all attempts to log in (both
    successful and not) and also have a delay after an unsuccessful
    attempt.

    Do I have all this right ?

    Maybe -- or maybe not -- it depends upon the configuration of the box
    you are referring to as "the router".

    If it is a typical ISP provided combo box that connects to your ISP
    DEMARC on one side, has a WiFi antenna to provide WiFi connections to
    the location, and includes (usually) a four-port switch for connecting
    to the local LAN, *and* if it is not configured to port-forward any
    ports from the "ISP DEMARC" side over to the local lan side, *and* it
    does not contain any zero-day exploits accessible from the "ISP DEMARC"
    side, then no one on the internet will be able to make SSH connection
    attempts to your machines on your local LAN.

    But, if it does do port forwarding, and port forwarding is turned on,
    then those forwarded ports allow for folks on the greater internet to
    connect to whatever machine might be listening for those forwarded
    ports on the local LAN.

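On the logging point in Spiros's question: OpenSSH's sshd records each accepted and failed login in the system auth log. As an added example (not code from the thread), this Python summarises such lines per source address, flagging sources with repeated failures and successful logins from outside the LAN range, which is the check worth running if a port is ever forwarded as Rich describes. The host name, addresses and log lines are constructed; the LAN range and failure threshold are assumptions.

```python
"""Summarise sshd login attempts from auth-log lines.

Added example, not code from the thread. It assumes OpenSSH's log messages
"Accepted <method> for <user> from <ip> port <n> ssh2" and
"Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2"; the
host name, addresses and log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample: three failures from one outside address, a key login and a
# password login from LAN machine B (10.0.0.12), and a password login from outside.
SAMPLE_LOG = """\
Jun 14 16:31:04 hostA sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 14 16:31:07 hostA sshd[1236]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jun 14 16:31:09 hostA sshd[1238]: Failed password for spiros from 203.0.113.5 port 40126 ssh2
Jun 14 16:31:20 hostA sshd[1238]: Connection closed by authenticating user spiros 203.0.113.5 port 40126 [preauth]
Jun 14 16:32:00 hostA sshd[1240]: Accepted publickey for spiros from 10.0.0.12 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jun 14 16:33:10 hostA sshd[1250]: Failed password for spiros from 10.0.0.12 port 51240 ssh2
Jun 14 16:33:15 hostA sshd[1250]: Accepted password for spiros from 10.0.0.12 port 51240 ssh2
Jun 14 16:40:00 hostA sshd[1260]: Accepted password for spiros from 198.51.100.7 port 6022 ssh2
"""


def parse_auth_lines(lines: Iterable[str]) -> List[dict]:
    """Return one dict per accepted/failed login line; other sshd lines are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def summarize(lines: Iterable[str], lan: str = "10.0.0.0/24", fail_threshold: int = 3) -> dict:
    """Count outcomes per source and flag what a defender wants to see first:
    sources with repeated failures, and successful logins from outside the LAN."""
    lan_net = ipaddress.ip_network(lan)
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"failed": 0, "accepted": 0})
    offlan_success: List[Tuple[str, str, str]] = []
    for ev in parse_auth_lines(lines):
        key = "accepted" if ev["result"] == "Accepted" else "failed"
        counts[ev["src"]][key] += 1
        if key == "accepted" and ipaddress.ip_address(ev["src"]) not in lan_net:
            offlan_success.append((ev["src"], ev["user"], ev["method"]))
    repeated = sorted(src for src, c in counts.items() if c["failed"] >= fail_threshold)
    return {"per_source": dict(counts), "repeated_failures": repeated, "offlan_success": offlan_success}
```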
  • From Rich@21:1/5 to Spiros Bousbouras on Wed Jun 14 16:31:04 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    But you are forgetting the computer firewall.

    I'd still much prefer to explore the router's capabilities through
    the command line rather than through a web interface.

    If the router your ISP supplies does not give you a CLI interface
    option, you are out of luck there with that desire.

  • From Carlos E. R.@21:1/5 to The Natural Philosopher on Wed Jun 14 18:46:41 2023
    On 2023-06-14 17:26, The Natural Philosopher wrote:
    On 14/06/2023 12:02, Carlos E.R. wrote:
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything
    inside the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment where
    the target machine resides. That's what a switch *does*.

    So?

    The switch can put ports in mirror mode,

    Not unless it's managed and you have password access.

     or a rogue switch can be
    inserted in the cable.

    In what cable?

    What cable do you think it would be? :-)


    --
    Cheers,
    Carlos E.R.

  • From Carlos E. R.@21:1/5 to Spiros Bousbouras on Wed Jun 14 18:44:06 2023
    On 2023-06-14 17:03, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only has a web
    interface whereas I much prefer to use the command line so I'd rather do
    things on the computers rather than on the router. Plus , computer settings can
    go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document them.

    Is there a way to find out if mine does ?

    Just try to connect to it, see if it answers :-)

    Or run an nmap on it.


    But you are forgetting the computer firewall.

    I'd still much prefer to explore the router's capabilities through the
    command line rather than through a web interface.

    We are not saying that. We say that your COMPUTER can also run a
    firewall that can possibly do what you asked.


    computer
    +--------------+
    |              |
    |              |
    |              |            router w firewall
    |              |            +-----------+
    |              |            |           |
    |              |            |           |
    +--------------+            |           |
    |   firewall   |            |           |
    +---+----------+            +--|-|-|-|--+
        |                          |
        | cable                    /
        \------------------------------------------




    --
    Cheers,
    Carlos E.R.

  • From Spiros Bousbouras@21:1/5 to Rich on Wed Jun 14 18:16:08 2023
    On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    nmap 192.168.1.1
    Interesting ports on 192.168.1.1:
    Not shown: 1708 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    80/tcp   open  http
    443/tcp  open  https
    5000/tcp open  upnp
    8080/tcp open  http-proxy
    8443/tcp open  https-alt

    So I guess this means that the router is listening for SSH connections. So
    the idea is to experiment with logging in and , if I manage to do this , try
    to explore what I can do through the command line.

    What does the other stuff mean ? I guess 80/tcp and 443/tcp are for
    the web interface. Does anyone know or can guess what the rest is for ?

  • From Rich@21:1/5 to Spiros Bousbouras on Wed Jun 14 18:23:27 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    nmap 192.168.1.1
    Interesting ports on 192.168.1.1:
    Not shown: 1708 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    80/tcp   open  http
    443/tcp  open  https
    5000/tcp open  upnp
    8080/tcp open  http-proxy
    8443/tcp open  https-alt

    So I guess this means that the router is listening for SSH connections. So
    the idea is to experiment with logging in and , if I manage to do this , try
    to explore what I can do through the command line.

    What does the other stuff mean ? I guess 80/tcp and 443/tcp are for
    the web interface. Does anyone know or can guess what the rest is for ?

    upnp is for the /helpful/ ability of other devices on the local LAN to
    poke holes in the firewall so they can be contacted by machines on the
    internet side. https://en.wikipedia.org/wiki/Upnp

    If 'http-proxy' is meaningful, that is an http proxy service (why, or
    where it proxies, is unknown to us).

    https-alt might simply be a "tls" version of the 8080 port. Why those
    two are there, and what they are meant for, is unknown.

    It does look to expose an ssh listener (at least "something" is
    listening on port 22 -- it may or may not be an sshd). So you'll now
    need to do a little 'investigating' of what you can find by trying to
    connect.

  • From The Natural Philosopher@21:1/5 to Rich on Wed Jun 14 20:04:58 2023
    On 14/06/2023 17:31, Rich wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    But you are forgetting the computer firewall.

    I'd still much prefer to explore the router's capabilities through
    the command line rather than through a web interface.

    If the router your ISP supplies does not give you a CLI interface
    option, you are out of luck there with that desire.

    You can supply your own router.

    However the default situation is that unless you specifically enable
    port forwarding there will be none, and inbound access from the internet
    to machines behind the router will be blocked.

    If you are excessively paranoid you can configure sshd to only respond
    to local IP addresses only, which is another layer of (effective)
    firewall, and for a third you can setup a linux firewall as well, to do
    the same.

    I bet people here would. I have sshd access port forwarded to my server
    and accessible from all over the internet. So I can access it from
    anywhere with a laptop

    It's on a strange port. Even I have to look it up before going on
    holiday. The logs reveal no one has even scanned that port yet and it's
    been like that for years. I think it needs a public key to log in so
    trying with a name/password is nbg anyway.

    I set it up before going abroad. I am not sure it even still works

    There is no firewall, as I have no idea what IP address my laptop might
    end up on. The chances of someone guessing an RSA key are vanishingly small.

    And that key only is associated with my user login. They would still
    need another password to sudo or login as root.

    Why you don't want to use the router's web interface is beyond me. Their
    CLI interfaces are out of the ark usually. I only use mine because there
    is one piece of data I can't get out of it using snmp.

    Yes, I log traffic every 5 minutes through my router. I've found some
    very nasty websites that way. Using me as a proxy server I think.

    --
    To ban Christmas, simply give turkeys the vote.

  • From The Natural Philosopher@21:1/5 to Rich on Wed Jun 14 19:52:54 2023
    On 14/06/2023 17:21, Rich wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 12:52, Rich wrote:
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in many
    aspects. Anyone with access to the LAN can see anything inside the
    telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

      Mostly correct ... but you can still poll addresses
      looking for Telnet activity and then go from there.
      Switches don't/can't hide EVERYTHING ... there are
      numerous utilities that can still see a LOT going
      on in the local network. Try WireShark ...

    No, you can't.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established MAC
    addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.

    That is the normal state. But an active attacker can use a MAC
    flooding attack (https://en.wikipedia.org/wiki/MAC_flooding) on the
    switch to try to get it to trip into unicast flooding mode, at which
    point the switch degrades to a hub (all packets broadcast on all
    ports).

    This is likely more effective on common 4-port switches for home use
    vs. on 'enterprise grade' high end managed switches.

    There is no one in my house except me, and I have an ancient 24 port
    switch feeding my network.

    Agreed, if you have an "active attacker" in your house, you have much
    bigger problems than the possibility of overflowing the switch's mac
    address lookup tables.

    My point was that a switch is not always a "segment isolator". Some of
    them can be tricked into degrading into hubs.

    Needs a lot more sophistication than simply booting the computer from a
    live distro and accessing its file system as root.
    People have to actually *think* about security and how they would attack
    a given system.
    In most cases hacking the wifi from a van parked outside using brute
    force at 3 a.m. would be a lot easier than flooding a switch.
    Especially if you 'came to read the gas meter' the day before and took
    a photo on your smart phone of the default wifi password on the ISP
    supplied hub, which the ISP support droid will insist you reset it to if
    there is any problem at all.



    --
    The higher up the mountainside
    The greener grows the grass.
    The higher up the monkey climbs
    The more he shows his arse.

    Traditional

  • From The Natural Philosopher@21:1/5 to Carlos E. R. on Wed Jun 14 20:07:16 2023
    On 14/06/2023 17:46, Carlos E. R. wrote:
    On 2023-06-14 17:26, The Natural Philosopher wrote:
    On 14/06/2023 12:02, Carlos E.R. wrote:
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on >>>>>>>>>>> B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because >>>>>>>>>> "safely" probably means that you don't want plain-text passwords >>>>>>>>>> and anything else will mean raising version incompatibility >>>>>>>>>> problems with authentication systems such as are used by SSH. >>>>>>>>>
    Ideally , I don't want passwords at all , as I've said. But I >>>>>>>>> think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything
    inside the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you cant.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once established
    MAC addresses are used to limit propagation to only the segment
    where the target machine resides. That's what a switch *does*.

    So?

    The switch can put ports in mirror mode,

    Not unless it's managed and you have password access.

      or a rogue switch can be
    inserted in the cable.

    In what cable?

    What cable do you think it would be? :-)


    I have no idea. All my cables are buried in the walls.
    Except where they emerge and go into my computers. And I would notice in
    5 seconds if they had a switch dangling off them.

    I mean, aliens could land and probe my brain, do you think I need a
    firewall for that, too?

    Is there anything in it worth stealing?
    --
    "What do you think about Gay Marriage?"
    "I don't."
    "Don't what?"
    "Think about Gay Marriage."

  • From Richard Kettlewell@21:1/5 to Computer Nerd Kev on Wed Jun 14 20:15:02 2023
    Computer Nerd Kev <not@telling.you.invalid> writes:
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    Eventually older ciphers do get disabled, for good reason. The
    sensible thing to do at that point is upgrade the older endpoints,
    rather than falling back to telnet.

    It's two computers on his home network connected via Ethernet, why use
    SSH in the first place? Forget falling back to Telnet, I'd start with
    it and not have to worry about ciphers in the first place.

    SSH is quicker and easier. No need for manual password entry, and it encompasses remote login, remote command execution and file transfer in
    a single authentication model.

    I’ve not had to worry much about cryptographic choices to actually get
    SSH working, in the last quarter century.

    I do take an interest in them professionally, but that’s about the
    security and compliance characteristics of our product, not because we
    want to communicate with thoroughly obsolete platforms.

    --
    https://www.greenend.org.uk/rjk/

  • From The Natural Philosopher@21:1/5 to Spiros Bousbouras on Wed Jun 14 20:17:05 2023
    On 14/06/2023 19:16, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather than on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    nmap 192.168.1.1
    Interesting ports on 192.168.1.1:
    Not shown: 1708 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    53/tcp open domain
    DNS. If you set the router to be a local DNS proxy in your DHCP
    configuration, your local LAN machines will use this port to do DNS queries

    80/tcp open http
    443/tcp open https
    5000/tcp open upnp
    Gaming protocol IIRC. It is generally regarded by geeks as insecure and
    a security risk, and by many other people as indispensable to run peer
    to peer games over. It allows applications to open up port forwarding to themselves so other people can connect to them from the internet.
    I've got it enabled. I can't even remember why I needed to


    8080/tcp open http-proxy

    Web proxy server. Probably completely useless.

    8443/tcp open https-alt

    Probably an alternative to port 80 for the management web server in case
    you want to redirect port 80 to an internal web server on your LAN

    So I guess this means that the router is listening for SSH connections. So the idea is to experiment with logging in and , if I manage to do this , try to explore what I can do through the command line.

    Generally typing a question mark is a good place to start. Most of these routers run a stripped down linux with busybox on them as a shell

    What do the other stuff mean ? I guess 80/tcp and 443/tcp are for
    the web interface. Anyone knows or can guess what the rest is for ?

    See above
    --
    To ban Christmas, simply give turkeys the vote.

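The port list in the post above, parsed and triaged, as an added example that is not code from the thread. The scan text is the one posted (retyped here as a constant); the list of services flagged for review is this example's own assumption, drawn from the remarks in the thread (telnet as cleartext, UPnP letting LAN software open inbound forwards, 8080/8443 as extra management surfaces).

```python
"""Parse nmap 'normal' output into a port table and flag services to review."""
import re

# The router scan from the post, retyped as a constructed constant.
NMAP_OUTPUT = """\
Interesting ports on 192.168.1.1:
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
5000/tcp open  upnp
8080/tcp open  http-proxy
8443/tcp open  https-alt
"""

# One result line: "<port>/<proto> <state> <service>" (whitespace may vary).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): (state, service)} for every port line found."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports


# Assumption of this example: services a home user would want to know are
# reachable on the router's LAN side, with the reason the thread gives.
REVIEW = {
    "telnet": "cleartext login; disable if present",
    "upnp": "LAN devices can request port forwards from the internet; disable if unused",
    "http-proxy": "extra proxy/management surface; check whether it needs to be on",
    "https-alt": "extra management surface; check whether it needs to be on",
}


def review_open_ports(ports):
    """Return [(port, service, reason)] for open services listed in REVIEW, by port."""
    findings = []
    for (port, proto), (state, service) in sorted(ports.items()):
        if state == "open" and service in REVIEW:
            findings.append((port, service, REVIEW[service]))
    return findings


if __name__ == "__main__":
    table = parse_nmap(NMAP_OUTPUT)
    for port, service, reason in review_open_ports(table):
        print(f"{port:>5}/tcp {service:<12} {reason}")
```

Feed it the output of `nmap 192.168.1.1` piped into a file to repeat the check after changing router settings; a port that stops appearing as `open` confirms the change took effect.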
  • From The Natural Philosopher@21:1/5 to Carlos E. R. on Wed Jun 14 21:51:26 2023
    On 14/06/2023 21:27, Carlos E. R. wrote:
    On 2023-06-14 21:07, The Natural Philosopher wrote:
    On 14/06/2023 17:46, Carlos E. R. wrote:
    On 2023-06-14 17:26, The Natural Philosopher wrote:
    On 14/06/2023 12:02, Carlos E.R. wrote:
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.
    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I
    think I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe
    in many aspects. Anyone with access to the LAN can see anything
    inside the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you cant.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once
    established MAC addresses are used to limit propagation to only
    the segment where the target machine resides. That's what a switch
    *does*.

    So?

    The switch can put ports in mirror mode,

    Not unless it's managed and you have password access.

      or a rogue switch can be
    inserted in the cable.

    In what cable?

    What cable do you think it would be? :-)


    I have no idea. All my cables are buried in the walls.

    Mine aren't.

    Not my problem. If they aren't, well you can see them then, can't you?
    all covered in alien probes etc etc


    Except where they emerge and go into my computers. And I would notice
    in 5 seconds if they had a switch dangling off them.

    I wouldn't, I don't inspect the 50 metres every day. There is furniture
    in the way.

    Well patently you *should* as you consider they are a security risk. And
    your computers have more state secrets than Donald Trump's bog.



    I mean, aliens could land and probe my brain, do you think I need a
    firewall for that, too?

    An aluminum foil hat is said to help :-D

    It's 'aluminium' over here.
    And I suspect it would help just as much as configuring my computer to
    reject addresses from some random Internet routing block when they can't
    get past the NAT router anyway.


    --
    If I had all the money I've spent on drink...
    ..I'd spend it on drink.

    Sir Henry (at Rawlinson's End)

  • From Rich@21:1/5 to The Natural Philosopher on Wed Jun 14 20:54:47 2023
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 17:31, Rich wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:34:52 +0200
    "Carlos E. R." <robin_listas@es.invalid> wrote:
    On 2023-06-14 16:26, Spiros Bousbouras wrote:
    I think my router has firewall functionality. But the router only
    has a web interface whereas I much prefer to use the command line
    so I'd rather do things on the computers rather than on the router.
    Plus , computer settings can go on my back-ups.

    Often routers have a telnet or ssh terminal, but do not document
    them.

    Is there a way to find out if mine does ?

    Run a nmap scan against the router from one of the internal machines.

    If you find it does, then you'll have to experiment with how, exactly,
    to log in.

    But you are forgetting the computer firewall.

    I'd still much prefer to explore the router's capabilities through
    the command line rather than through a web interface.

    If the router your ISP supplies does not give you a CLI interface
    option, you are out of luck there with that desire.
    You can supply your own router.

    Indeed, and in my case (I'm not the OP, but much of your reply implies
    you meant it for the OP) I do not use the ISP supplied router and
    instead use my own.

    However the default situation is that unless you specifically enable
    port forwarding there will be none, and inbound access from the
    internet to machines behind the router will be blocked.

    That is usually the case, but the OP has not told us which ISP nor what
    router, and for some combinations of the two, the ISP very well may
    configure their routers for some default port forwards. A prime
    candidate would be ports needed for remote windows admin, if their
    on-call folks also helpfully offer to "help you debug issues" when one
    calls them with issues.

    Why you don't want to use the routers web interface is beyond me.
    their CLI interfaces are out of the ark usually. I only use mine
    because there is one piece of data I can't get out of it using snmp

    Not OP, so I'm not the one bellyaching to gain CLI access (I have CLI
    access to my router, as it is just another Linux machine with plural
    ethernet cards plugged in, configured to route and firewall). As to
    the OP, I've no idea why, other than for the set of ISP router web
    config panels I've seen while helping friends indicates that at least
    those were written by the lowest bidder, using developers who only knew
    English and networking terms by looking them up in a "native language to English dictionary". I.e., the web interfaces were absolute crap the
    moment one wanted to do anything beyond "reset to defaults".

    So given that experience, I can sympathize with the OP's wish for CLI
    access, but sadly, even if he can log in over that ssh port that is
    listening, he may find that the CLI side is just as much a crap-shoot
    as the web interface.

  • From Carlos E. R.@21:1/5 to The Natural Philosopher on Wed Jun 14 22:27:32 2023
    On 2023-06-14 21:07, The Natural Philosopher wrote:
    On 14/06/2023 17:46, Carlos E. R. wrote:
    On 2023-06-14 17:26, The Natural Philosopher wrote:
    On 14/06/2023 12:02, Carlos E.R. wrote:
    On 2023-06-14 10:23, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.
    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I
    think I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything
    inside the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you cant.

    BTDTGTTS

    You can only see broadcast traffic on other segments.
    That might tell you a connection is being made, but once
    established MAC addresses are used to limit propagation to only the
    segment where the target machine resides. That's what a switch *does*.
    So?

    The switch can put ports in mirror mode,

    Not unless it's managed and you have password access.

      or a rogue switch can be
    inserted in the cable.

    In what cable?

    What cable do you think it would be? :-)


    I have no idea. All my cables are buried in the walls.

    Mine aren't.

    Except where they emerge and go into my computers. And I would notice in
    5 seconds if they had a switch dangling off them.

    I wouldn't, I don't inspect the 50 metres every day. There is furniture
    in the way.


    I mean, aliens could land and probe my brain, do you think I need a
    firewall for that, too?

    An aluminum foil hat is said to help :-D


    Is there anything in it worth stealing?

    --
    Cheers,
    Carlos E.R.

  • From Computer Nerd Kev@21:1/5 to Spiros Bousbouras on Thu Jun 15 09:04:58 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    What/how you edit depends on the firewall you're
    running. If you're not running one, then pick one and this should
    be a basic thing described in its documentation.

    So there are different firewall choices ? Ok , this is getting too far from my present knowledge for me for now. So I think that for the time being I will go with SSH *with* password and not worry about firewalls.

    Sure, and actually you shouldn't need to worry about firewalls with
    passwords over Telnet in your case either because people shouldn't
    be able to listen into your communications unless they've hacked
    into your router. It was only for if you wanted to disable
    passwords entirely and let any connection through unchallenged.
    With SSH you can use a public key as a better passwordless log-in
    option, if it works.

    So with such a set up , I'm guessing that anyone will be able to try
    and connect to computer A but , as long as my password is secure enough , then it shouldn't be a problem. I'm guessing that it's possible to
    configure SSH to log all attempts to log in (both successful and not)
    and also have a delay after an unsuccessful attempt.

    Do I have all this right ?

    Sure. The log-in retry delay is default.

    At least , it will be somewhat interesting to see how many random attempts
    I get of people trying to log in to the computer.

    Unless you've set up port forwarding to the internet for computer A
    then I don't think you'll ever see anyone but yourself trying to
    log in.

    Can the router itself be tricked in that regard ?

    Only if people can get onto your LAN.

    You mean physically get onto the LAN ?

    I mean be able to connect to your router via Ethernet or WiFi.
    Physical access is obviously required for Ethernet. WiFi should be
    OK if the encryption is, or nobody else is ever anywhere within
    range.

    The firewall suggestion protects against potential devices on your
    network that are already infected by some sort of malware. If the
    router is infected then it won't help.

    By the way , is the book "Linux firewalls" by Michael Rash still
    considered relevant enough ?

    You don't need a book. You've got iptables and, since Debian 10,
    nftables which can pretend to be iptables. But if you just want to
    block connections to specific ports there are far simpler (and more
    foolproof) ways to tackle that.

    ufw seems popular for Debian/Devuan and should be set up to do what
    you want with just a few short commands: https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

    --
    __ __
    #_ < |\| |< _#

  • From Computer Nerd Kev@21:1/5 to Ivan Shmakov on Thu Jun 15 09:43:22 2023
    Ivan Shmakov <ivan@siamics.netnospam.invalid> wrote:
    On 2023-06-12, Computer Nerd Kev wrote:

    I'm posting from Debian version 3 right now, so that makes sense
    to me, but it did occur to me afterwards that the OP may have
    meant an old but still supported Debian version.

    While I'm no stranger to running unmaintained software (or
    versions thereof) myself, I'm curious what could be the reason
    to run a no longer supported version of Debian specifically?
    (With i686 in User-Agent:, I'd venture to guess it's not a
    matter of having hardware no longer supported by Debian?)

    It's set up how I like, runs old software I like without having to
    patch it myself to make it build for later GCC or libraries, and
    runs much faster (possibly also better, in terms of supported
    drivers) on old computers that I still use. Actually I don't think
    current Debian would run on the PC I'm posting from now either
    (that i686 has changed to an i586).

    But indeed up to a point you can enable many deprecated options
    with the "ciphers" and "KexAlgorithms" settings in
    /etc/ssh/sshd_config on "computer A".

    But if you can just use Telnet happily on a secure LAN, then this
    is all lots of unnecessary work

    Not everyone of us can quite 'afford' a secure LAN. Some of
    us use 'insecure' computers, be that Windows laptops, Android
    TVs, or Wi-Fi-connected smartphones; or have family members
    who use those. And while it /might/ be 'physically' possible
    to have two LANs, one secure and one not, such a solution
    increases maintenance burden.

    OK, fair enough, although using virtual LANs on a supported router
    might make keeping separate LANs easier than you think.

    More to the point is that Telnet is a poor substitute for the
    'remote shell' function. I have scripts that will run
    ssh -- REMOTE COMMAND for a given REMOTE, and I'd rather not
    specialcase 'REMOTE is on secure LAN' vs. 'REMOTE is Internet.'

    I have scripts where REMOTE = HOSTNAME is specialcased, though.
    There, COMMAND would be passed to sh -c instead.

    I use 'remote shell' for running all sorts of commands remotely.
    I will $ ssh -- REMOTE tar --lzip -c -- . > REMOTE-backup.tar.lz
    one day, and I will $ ssh -- REMOTE mpg123 -q -- - < FILE.mp3
    another. (Or, rather, I will run a script that runs $MPG123
    with MPG123="ssh -- REMOTE mpg123" set in its environment.)

    And of course I use Rsync over SSH extensively, be that for
    backups or for pushing new versions of ~/.bashrc et al. from
    my primary box to every other *nix home directory I have.

    I suppose with some 'necessary work' I can do the things
    above with Telnet as well, but I'd think that by that point,
    resurrecting RSH would be a more straightforward solution.

    Sure, I don't try to use Telnet for anything but terminal access.
    But the other tools without encryption do the same job with much
    less to go wrong. You've got RSH, also Rexec, FTP, Rsync (without
    SSH), etc.

    The latest SSH annoyance I've had is a system I set up with current
    software only three years ago now needing a redesign because of the
    present switch from SCP to SFTP. If I'd used RCP, or more likely
    FTP, instead, no problem. Actually that one is over the internet,
    but as it's only uploading public info anyway, an unencrypted
    write-only FTP account could have been used with the only risk
    being that someone will fill up the storage space with rubbish one
    day, and that wouldn't do them any good because it wouldn't be
    retrievable by anyone but me.

    (especially because SSH isn't very helpful with its error messages,
    and old versions don't support the -Q option).

    Well, cannot quite argue with that. If anything, I haven't yet
    figured out how to connect to my OpenSSH instances with SSH2DOS.

    Yes well I'd definitely look for a Telnet client there, but I never
    have used networking in DOS. I do boot into it on this computer and
    use files that I copied over the network earlier while booted into
    Linux though. Handy for old (or home made to old designs) hardware
    that only works with MSDOS software (there's no way that I'd mess
    about trying to get that to work via QEMU etc., before someone
    mentions emulation/virtualisation).

    --
    __ __
    #_ < |\| |< _#

  • From Carlos E.R.@21:1/5 to The Natural Philosopher on Thu Jun 15 12:52:57 2023
    On 2023-06-14 22:51, The Natural Philosopher wrote:
    On 14/06/2023 21:27, Carlos E. R. wrote:
    On 2023-06-14 21:07, The Natural Philosopher wrote:

    ...


    I mean, aliens could land and probe my brain, do you think I need a
    firewall for that, too?

    An aluminum foil hat is said to help :-D

    It's 'aluminium' over here.

    The spell checker says 'aluminium' is wrong :-p

    And I suspect it would help just as much as configuring my computer to
    reject addresses from some random Internet routing block when they can't
    get past the NAT router anyway.



    --
    Cheers, Carlos.

  • From The Natural Philosopher@21:1/5 to Carlos E.R. on Thu Jun 15 14:40:34 2023
    On 15/06/2023 11:52, Carlos E.R. wrote:
    On 2023-06-14 22:51, The Natural Philosopher wrote:
    On 14/06/2023 21:27, Carlos E. R. wrote:
    On 2023-06-14 21:07, The Natural Philosopher wrote:

    ...


    I mean, aliens could land and probe my brain, do you think I need a
    firewall for that, too?

    An aluminum foil hat is said to help :-D

    It's 'aluminium' over here.

    The spell checker says 'aluminium' is wrong :-p

    Well that is typically American, US is Right, everywhere else is wrong.
    Try selecting the Afrikaans dictionary instead



    --
    “it should be clear by now to everyone that activist environmentalism
    (or environmental activism) is becoming a general ideology about humans,
    about their freedom, about the relationship between the individual and
    the state, and about the manipulation of people under the guise of a
    'noble' idea. It is not an honest pursuit of 'sustainable development,'
    a matter of elementary environmental protection, or a search for
    rational mechanisms designed to achieve a healthy environment. Yet
    things do occur that make you shake your head and remind yourself that
    you live neither in Joseph Stalin’s Communist era, nor in the Orwellian utopia of 1984.”

    Vaclav Klaus

  • From Spiros Bousbouras@21:1/5 to Computer Nerd Kev on Thu Jun 15 19:14:29 2023
    On 15 Jun 2023 09:04:58 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    So with such a set up , I'm guessing that anyone will be able to try
    and connect to computer A but , as long as my password is secure enough , then it shouldn't be a problem. I'm guessing that it's possible to configure SSH to log all attempts to log in (both successful and not)
    and also have a delay after an unsuccessful attempt.

    Do I have all this right ?

    Sure. The log-in retry delay is default.

    At least , it will be somewhat interesting to see how many random attempts I get of people trying to log in to the computer.

    Unless you've set up port forwarding to the internet for computer A
    then I don't think you'll ever see anyone but yourself trying to
    log in.

    Still , I can get SSH to log them , yes ?

    Can the router itself be tricked in that regard ?

    Only if people can get onto your LAN.

    You mean physically get onto the LAN ?

    I mean be able to connect to your router via Ethernet or WiFi.
    Physical access is obviously required for Ethernet. WiFi should be
    OK if the encryption is, or nobody else is ever anywhere within
    range.

    Since the router is recent enough , hopefully encryption is ok. I see plenty
    of (not my) signals on wireless devices so I assume that other people can see my wireless signal when it's on.

    By the way , is the book "Linux firewalls" by Michael Rash still
    considered relevant enough ?

    You don't need a book.

    I want it for general knowledge too. Every time I see networks discussion online , there are many terms I'm not familiar with and I don't seem to
    learn this stuff by osmosis either. So I want a more systematic approach.

    ufw seems popular for Debian/Devuan and should be set up to do what
    you want with just a few short commands: https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

    Thanks , I'll have a look into that.

    --
    vlaho.ninja/prog

  • From Spiros Bousbouras@21:1/5 to The Natural Philosopher on Thu Jun 15 19:53:27 2023
    On Wed, 14 Jun 2023 20:04:58 +0100
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 17:31, Rich wrote:
    If the router your ISP supplies does not give you a CLI interface
    option, you are out of luck there with that desire.

    You can supply your own router.

    I know. If I ever reach a point where I have to often modify the router settings , I may follow this option. But for now I rarely have to modify them so I just grit my teeth and use the web interface.

    However the default situation is that unless you specifically enable
    port forwarding there will be none, and inbound access from the internet
    to machines behind the router will be blocked.

    If you are excessively paranoid you can configure sshd to only respond
    to local IP addresses only, which is another layer of (effective)
    firewall,

    Ahh ok , I asked about this earlier and was told to use a firewall. Also <sc6kljx4pf.ln2@Telcontar.valinor> says

    You can limit connections to the IP range given by your router, but an
    intruder might fake that.

    and for a third you can setup a linux firewall as well, to do
    the same.

    I'm trying not to spend too long on this. I started the thread in order to learn which programme I should use to achieve my task and how to configure
    it. Learning about firewalls on top of that is an extra complication I'd
    rather avoid for now.

    Why you don't want to use the routers web interface is beyond me. their
    CLI interfaces are out of the ark usually. I only use mine because there
    is one piece of data I can't get out of it using snmp

    In general , I prefer CLIs to <point and click>. For one thing , with a
    CLI I can automatically record all the exchanges so that I will know in
    the future what I did but with a <point and click> interface I would have
    to keep notes ; something like ,

    I chose menu ABC and from that submenu DEF and changed option 2 from
    X to Y.

    It's extra work and boring work to boot. Apart from that , my router not only seems to offer only a web interface but it requires javascript too for the login screen to function. I don't like complexity for the sake of complexity and obviously you don't need javascript to type a username and password. In addition , I normally do almost all my browsing using a text based browser.
    So instead I have to start a graphical browser just to inspect and possibly change some stupid router settings. I don't like to be made to jump through hoops and this whole thing very much makes me jump through hoops and I resent that.

    --
    Like an oyster coating an impurity to produce a pearl, a Hollywood movie typically encases and suppresses the issue or event it is based on. Put
    another way, it is the final washing of the hands after history has gone to
    the bathroom.
    http://www.spectacle.org/195/schindl.html

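An sshd_config fragment for the restriction discussed above (computer A accepting SSH only from computer B), added here as an example and not taken from the thread. The account name and the addresses are assumptions; substitute the real ones. The caveat raised in the thread still applies: a source-address check is a filter, not authentication, and another host on the same LAN can take over B's address, so it complements the password or key rather than replacing it.

```text
# /etc/ssh/sshd_config on computer A  (example; user and addresses assumed)

# Only if A has a fixed address: bind to it instead of every interface.
# Leave this out on a DHCP-assigned address or sshd may fail to start.
#ListenAddress 192.168.1.10

# Accept logins only for this account and only when the connection comes
# from B. Any other user or source is refused.
AllowUsers spiros@192.168.1.20

# Asked for in the original question.
X11Forwarding yes

# Debian's default (INFO) already records Accepted/Failed attempts in
# /var/log/auth.log; VERBOSE adds the key fingerprint on accepted logins.
LogLevel VERBOSE
```

Run `sshd -t` after editing to check the syntax before restarting the service, then confirm from B with `ssh -v spiros@192.168.1.10` and from any other LAN host that the login is refused. The equivalent host-firewall rule with ufw, which the thread also mentions, is `ufw default deny incoming` followed by `ufw allow from 192.168.1.20 to any port 22 proto tcp`; doing both means a mistake in one layer is still caught by the other.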
  • From John-Paul Stewart@21:1/5 to Spiros Bousbouras on Thu Jun 15 15:46:09 2023
    On 6/15/23 15:14, Spiros Bousbouras wrote:
    On 15 Jun 2023 09:04:58 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    At least , it will be somewhat interesting to see how many random attempts
    I get of people trying to log in to the computer.

    Unless you've set up port forwarding to the internet for computer A
    then I don't think you'll ever see anyone but yourself trying to
    log in.

    Still , I can get SSH to log them , yes ?

    It will by default. On Debian systems, sshd logs all connection
    attempts, whether they succeed or fail, to /var/log/auth.log as
    configured when installed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
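    Added example (not from any poster in this thread): a small parser for the
    "Accepted"/"Failed" lines sshd writes to /var/log/auth.log on Debian, with a
    per-source summary that marks addresses outside an assumed LAN prefix of
    192.168.1.0/24. The log lines, hostnames, addresses, PIDs and key fingerprint
    are constructed for the example. On a machine that is only reachable from the
    LAN, as discussed above, anything flagged here is either a typo of your own or
    something worth explaining.

```python
import ipaddress
import re

# Constructed sample in the format Debian's sshd writes to /var/log/auth.log
# (hostnames, addresses, PIDs and the key fingerprint are all made up).
SAMPLE_AUTH_LOG = """\
Jun 15 15:40:02 hosta sshd[2101]: Accepted publickey for spiros from 192.168.1.20 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jun 15 15:41:17 hosta sshd[2110]: Failed password for spiros from 192.168.1.20 port 51240 ssh2
Jun 15 15:41:21 hosta sshd[2110]: Accepted password for spiros from 192.168.1.20 port 51240 ssh2
Jun 15 15:45:03 hosta sshd[2122]: Invalid user admin from 192.168.1.77 port 40122
Jun 15 15:45:05 hosta sshd[2122]: Failed password for invalid user admin from 192.168.1.77 port 40122 ssh2
Jun 15 15:45:08 hosta sshd[2122]: Failed password for invalid user admin from 192.168.1.77 port 40122 ssh2
Jun 15 15:45:10 hosta sshd[2122]: Connection closed by invalid user admin 192.168.1.77 port 40122 [preauth]
Jun 15 15:50:00 hosta sshd[2130]: Failed password for root from 203.0.113.9 port 55001 ssh2
Jun 15 15:50:01 hosta sshd[2131]: Did not receive identification string from 203.0.113.9 port 55002
"""

# Assumed LAN prefix; on a LAN-only host every legitimate client should fall inside it.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Matches the "Accepted ..." and "Failed ..." lines that record an authentication verdict.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one dict per authentication verdict found in the log text."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue  # connection-level noise (banner, disconnects) carries no verdict
        events.append({
            "accepted": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarize_by_source(events, lan=LAN):
    """Aggregate verdicts per source address and mark sources outside the LAN."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["ip"], {
            "accepted": 0, "failed": 0, "users": set(),
            "off_lan": ipaddress.ip_address(ev["ip"]) not in lan,
        })
        entry["accepted" if ev["accepted"] else "failed"] += 1
        entry["users"].add(ev["user"])
    return summary


def suspicious_sources(summary):
    """Sources worth a look: outside the LAN, or failures without any success."""
    return sorted(ip for ip, s in summary.items()
                  if s["off_lan"] or (s["failed"] > 0 and s["accepted"] == 0))


if __name__ == "__main__":
    report = summarize_by_source(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, s in sorted(report.items()):
        print(f"{ip:15} accepted={s['accepted']} failed={s['failed']} "
              f"users={sorted(s['users'])} off_lan={s['off_lan']}")
    print("suspicious:", suspicious_sources(report))
```

    Run it against the real file with something like
    summarize_by_source(parse_auth_log(open("/var/log/auth.log").read())).
    The regex only keys on the verdict lines, so "Invalid user", "Connection
    closed" and banner lines are counted by neither bucket; if you want to see
    scanners that never get as far as a password attempt, add a second pattern
    for those.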
  • From Spiros Bousbouras@21:1/5 to The Natural Philosopher on Thu Jun 15 19:21:58 2023
    On Wed, 14 Jun 2023 20:17:05 +0100
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 19:16, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 16:31:04 -0000 (UTC)
    nmap 192.168.1.1
    Interesting ports on 192.168.1.1:
    Not shown: 1708 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    53/tcp open domain
    DNS. If you set the router to be a local DNS proxy in your DHCP configuration, your local LAN machines will use this port to do DNS queries

    80/tcp open http
    443/tcp open https
    5000/tcp open upnp
    Gaming protocol IIRC. It is generally regarded by geeks as insecure and
    a security risk, and by many other people as indispensable to run peer
    to peer games over. It allows applications to open up port forwarding to themselves so other people can connect to them from the internet.
    I've got it enabled. I can't even remember why I needed to

    wikipedia also says that it is a security risk so I'll turn this off.


    8080/tcp open http-proxy

    Web proxy server. Probably completely useless.

    8443/tcp open https-alt

    Probably an alternative to port 80 for the management web server in case
    you want to redirect port 80 to an internal web server on your LAN

    Thanks for all the info.

    So I guess this means that the router is listening for SSH connections. So the idea is to experiment with logging in and , if I manage to do this , try
    to explore what I can do through the command line.

    Generally typing a question mark is a good place to start. Most of these routers run a stripped down linux with busybox on them as a shell

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Spiros Bousbouras@21:1/5 to Rich on Thu Jun 15 20:03:51 2023
    On Wed, 14 Jun 2023 16:28:09 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Maybe -- or maybe not -- it depends upon the configuration of the box
    you are referring to as "the router".

    If it is a typical ISP provided combo box

    Technicolor DGA4134 .

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Spiros Bousbouras@21:1/5 to Rich on Thu Jun 15 21:01:21 2023
    On Wed, 14 Jun 2023 16:18:51 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

    Let me ask something for my general education. The router can know whether
    some packets came from the part of its hardware which deals with WiFi as opposed to ethernet ports. So would it be possible to have a router based firewall which has different restrictions for WiFi accesses vs ethernet accesses ?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Rich@21:1/5 to Spiros Bousbouras on Thu Jun 15 22:15:01 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:18:51 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

    Let me ask something for my general education. The router can know whether some packets came from the part of its hardware which deals with WiFi as opposed to ethernet ports. So would it be possible to have a router based firewall which has different restrictions for WiFi accesses vs ethernet accesses ?

    Assuming a /typical/ setup, the WiFi would be a separate network
    interface (i.e., wlan0 instead of eth0) and therefore you can filter
    (at least with Linux's firewall) based on the network interface the
    packet arrived on, or is going towards.

    If the WiFi assigned IP addresses are separate from the wired ethernet addresses, then you can also filter on the IP addresses (as source, destination, or both).

    If WiFi shares a common pool of IP addresses with wired, and a given IP
    might be handed out to WiFi one day, and a wired device the next, then filtering on IP would not work (as the IP would not say where the
    packet came from or is going to).

    As to what capabilities might be exposed by the firmware in your ISP's
    router, none of us know. But it is a reasonable assumption to state
    that what the firmware might expose is likely only a small subset of
    what the full Linux firewall can perform.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
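    Added example (not from any poster in this thread) illustrating the point
    above: a filter keyed on the ingress interface keeps working whatever
    addresses DHCP hands out, while a filter keyed on the source address is only
    as good as the guarantee that WiFi and wired clients come from disjoint
    pools. The addressing (computer A as the ssh server at 192.168.1.10, B at
    192.168.1.20, a WiFi client, two candidate DHCP pools) is constructed for the
    example, and the nftables rule at the end assumes a Linux router that already
    has an 'inet filter' table with a 'forward' chain.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the thread's setup, not taken from the original posts:
# computer A, the ssh server, is the wired host 192.168.1.10.
HOST_A = ipaddress.ip_address("192.168.1.10")
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    iif: str    # interface the router received the packet on (eth0 or wlan0)
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


def targets_ssh_on_a(pkt):
    return ipaddress.ip_address(pkt.dst) == HOST_A and pkt.dport == SSH_PORT


def interface_policy(pkt):
    """Decide on the ingress interface: only traffic that arrived on eth0 may reach A:22.
    This is the filter Rich describes (iptables -i / nftables iifname)."""
    if targets_ssh_on_a(pkt):
        return "accept" if pkt.iif == "eth0" else "drop"
    return "accept"


def ip_policy(pkt, wired_pool):
    """Decide on the source address: only sources inside the wired pool may reach A:22.
    Sound only while WiFi and wired clients are leased from disjoint pools."""
    if targets_ssh_on_a(pkt):
        return "accept" if ipaddress.ip_address(pkt.src) in wired_pool else "drop"
    return "accept"


def disagreements(pkts, wired_pool):
    """Packets where the address rule and the interface rule reach different verdicts."""
    return [p for p in pkts if interface_policy(p) != ip_policy(p, wired_pool)]


def make_traffic(wifi_addr):
    """Constructed traffic: B on the wire, plus one WiFi client at the given address."""
    return [
        Packet("eth0", "192.168.1.20", "192.168.1.10", 22),   # B -> A over ethernet
        Packet("wlan0", wifi_addr, "192.168.1.10", 22),       # WiFi client -> A:22
        Packet("wlan0", wifi_addr, "203.0.113.7", 443),       # WiFi client -> internet
    ]


# Disjoint pools: wired leases from .1-.126, WiFi from .129-.254.
DISJOINT_WIRED_POOL = ipaddress.ip_network("192.168.1.0/25")
# Shared pool: every client is leased from the same /24, so an address says nothing about the medium.
SHARED_POOL = ipaddress.ip_network("192.168.1.0/24")

# The interface rule in nftables syntax, assuming an 'inet filter' table with a 'forward' chain
# already exists on the router (a Linux router running nftables, not a stock ISP box).
NFT_RULE = 'nft add rule inet filter forward iifname "wlan0" ip daddr 192.168.1.10 tcp dport 22 drop'


if __name__ == "__main__":
    cases = (("disjoint pools", make_traffic("192.168.1.200"), DISJOINT_WIRED_POOL),
             ("shared pool", make_traffic("192.168.1.50"), SHARED_POOL))
    for label, traffic, pool in cases:
        bad = disagreements(traffic, pool)
        print(f"{label}: {len(bad)} packet(s) where filtering on IP gives the wrong verdict")
        for p in bad:
            print(f"  {p.iif} {p.src} -> {p.dst}:{p.dport}  "
                  f"interface={interface_policy(p)} ip={ip_policy(p, pool)}")
    print("equivalent nftables rule:", NFT_RULE)
```

    With disjoint pools the two policies agree on every packet; with one shared
    pool the WiFi client that happens to hold 192.168.1.50 is let through to A:22
    by the address rule and stopped by the interface rule. Whether you can express
    the interface rule at all depends on the router firmware, as the post notes.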
  • From Computer Nerd Kev@21:1/5 to Spiros Bousbouras on Fri Jun 16 09:27:45 2023
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On 15 Jun 2023 09:04:58 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On 13 Jun 2023 09:11:14 +1000
    not@telling.you.invalid (Computer Nerd Kev) wrote:
    So with such a set up , I'm guessing that anyone will be able to try
    and connect to computer A but , as long as my password is secure enough ,
    then it shouldn't be a problem. I'm guessing that it's possible to
    configure SSH to log all attempts to log in (both successful and not)
    and also have a delay after an unsuccessful attempt.

    Do I have all this right ?

    Sure. The log-in retry delay is default.

    At least , it will be somewhat interesting to see how many random attempts
    I get of people trying to log in to the computer.

    Unless you've set up port forwarding to the internet for computer A
    then I don't think you'll ever see anyone but yourself trying to
    log in.

    Still , I can get SSH to log them , yes ?

    Yes.

    Can the router itself be tricked in that regard ?

    Only if people can get onto your LAN.

    You mean physically get onto the LAN ?

    I mean be able to connect to your router via Ethernet or WiFi.
    Physical access is obviously required for Ethernet. WiFi should be
    OK if the encryption is, or nobody else is ever anywhere within
    range.

    Since the router is recent enough , hopefully encryption is ok.

    Ought to be. If the ISP stuffed up the default WiFi settings that
    seriously, then lots of their customers would start having people
    steal access to their internet, so presumably they can't be that
    bad at setting them.

    I see plenty
    of (not my) signals on wireless devices so I assume that other
    people can see my wireless signal when it's on.

    As a separate thing to the encryption you can also set WiFi ESSID
    broadcasting (or some similarly labeled setting) off on most such
    routers. This means that typical devices won't be able to see your
    "wireless signal" as a connection option. You then have to specify
    the name of your network manually on devices that connect with it.
    The OpenWrt docs also advise: "Where the ESSID is hidden, clients
    may fail to roam and airtime efficiency may be significantly
    reduced."

    By the way , is the book "Linux firewalls" by Michael Rash still
    considered relevant enough ?

    You don't need a book.

    I want it for general knowledge too. Every time I see networks discussion online , there are many terms I'm not familiar with and I don't seem to
    learn this stuff by osmosis either. So I want a more systematic approach.

    OK, but I really wouldn't avoid setting up a firewall just because
    you haven't got through a book on Linux networking/firewalls. For
    what you're trying to do it's dead easy, and UFW and others are
    designed to make it so.

    --
    __ __
    #_ < |\| |< _#

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From 24D.245@21:1/5 to Rich on Fri Jun 16 01:33:52 2023
    On 6/15/23 6:15 PM, Rich wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    On Wed, 14 Jun 2023 16:18:51 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

    Let me ask something for my general education. The router can know whether
    some packets came from the part of its hardware which deals with WiFi as
    opposed to ethernet ports. So would it be possible to have a router based
    firewall which has different restrictions for WiFi accesses vs ethernet
    accesses ?

    Assuming a /typical/ setup, the WiFi would be a separate network
    interface (i.e., wlan0 instead of eth0) and therefore you can filter
    (at least with Linux's firewall) based on the network interface the
    packet arrived on, or is going towards.

    If the WiFi assigned IP addresses are separate from the wired ethernet addresses, then you can also filter on the IP addresses (as source, destination, or both).

    If WiFi shares a common pool of IP addresses with wired, and a given IP
    might be handed out to WiFi one day, and a wired device the next, then filtering on IP would not work (as the IP would not say where the
    packet came from or is going to).

    As to what capabilities might be exposed by the firmware in your ISP's router, none of us know. But it is a reasonable assumption to state
    that what the firmware might expose is likely only a small subset of
    what the full Linux firewall can perform.

    OK .. face the awful awful Truth - THERE IS NO REAL
    "Protection". There are a zillion ways to tap your
    traffic, sneak into your boxes, trick your users. It's
    TOO MANY to cope with. Your best defense is obscurity,
    being beneath notice, having nothing of value.

    All the "wonderful" stuff you can do with modern networking
    comes at a PRICE. It's all deep, Deep, DEEP - endless hooks
    for evil-doers. M$ is so fucked up that it makes things
    even EASIER for the bastards - stick to Linux/Unix as much
    as you can.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From 24D.245@21:1/5 to The Natural Philosopher on Fri Jun 16 01:27:34 2023
    On 6/14/23 4:23 AM, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything inside
    the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you cant.

    Did it last Thursday.

    Switches do NOT hide all activity not directed
    to your specific PCs IP.

    They do REDUCE it a bit though. I kept a traditional
    HUB I can put right after the router to monitor ALL
    activity, just in case. Has a big label saying "NEVER
    THROW THIS AWAY" :-)

    BTDTGTTS

    You can only see broadcast traffic on other segments.


    But most places only have ONE segment ...


    That might tell you a connection is being made, but once established MAC addresses are used to limit propagation to only the segment where the
    target machine resides. That's what a switch *does*.


       Telnet is of the same generation as POP - a kinder
       and gentler era where 'security'/encryption was
       not considered a big deal (we're all pals here,
       right ?). It's BEST not to use Telnet - indeed
       block its port in your router.

       Did have some fun lately though using Telnet to
       log into a mail server, you can select an alt port.
       Had to type weird stuff into prompts - but you COULD
       connect/receive/send.

    Been doing that for years.

    Not exactly "user friendly" though ...

    And I still use POP to download my mail from my internet based server.
    Old school. Only this networks IP address can do that.

    Try POP ... or even IMAP ... with M$ mail servers.
    Last week they CUT THAT OFF. Only OAuth2 connections
    still work. Thunderbird can do it, but not everything.
    Mostly they want to force you to their online version
    of Outlook ... my guess is that it spies on all your
    other activity ....... more $$$ for M$

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Natural Philosopher@21:1/5 to Spiros Bousbouras on Fri Jun 16 07:31:16 2023
    On 15/06/2023 22:01, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 16:18:51 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

    Let me ask something for my general education. The router can know whether some packets came from the part of its hardware which deals with WiFi as opposed to ethernet ports. So would it be possible to have a router based firewall which has different restrictions for WiFi accesses vs ethernet accesses ?

    Oh yes. In fact you can set up as many networks on your router as you
    want (up to some arbitrary limit) and give them all different network
    addresses - you could have, for example, a/the wifi network on a
    different set of IP addresses and then the router would have to route
    between that and your wired network, and you could then set up the
    router as a firewall between the two.

    At least on my router you can. It's not cheap, but it damn well works.

    I did set up a separate guest wifi network that couldn't access my LAN
    at all - just the Internet.

    But eventually concluded that I didn't have any real assholes as friends anyway. And the one that might have been, died.

    --
    “It is dangerous to be right in matters on which the established
    authorities are wrong.”

    ― Voltaire, The Age of Louis XIV

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Natural Philosopher@21:1/5 to All on Fri Jun 16 07:38:37 2023
    On 16/06/2023 06:27, 24D.245 wrote:
    On 6/14/23 4:23 AM, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:
    On 6/13/23 6:36 PM, The Natural Philosopher wrote:
    On 13/06/2023 21:25, Carlos E.R. wrote:
    On 2023-06-13 01:11, Computer Nerd Kev wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    Thanks for all the replies everyone. That's a lot to read on.

    ...

    3. Can it be done safely without having to enter a password on
    B when I want to connect to A ?

    If you care about this then perhaps Telnet isn't for you because
    "safely" probably means that you don't want plain-text passwords
    and anything else will mean raising version incompatibility
    problems with authentication systems such as are used by SSH.

    Ideally , I don't want passwords at all , as I've said. But I think
    I'm missing your point.

    Yeah, any secure passwordless authentication system has the same
    issues as SSH. Telnet itself only supports not having any
    authentication, or passwords. If only computer B can connect to A
    over Telnet due to firewall settings then going without
    authentication should be OK, but it's not necessarily "safe"
    against all attacks. Probably safe against any attacks that you're
    likely to experience in many cases though.


    Telnet is an ancient protocol, and is considered to be unsafe in
    many aspects. Anyone with access to the LAN can see anything inside
    the telnet session.

    Incorrect. Not since switches replaced hubs.
    Apart from WiFi

       Mostly correct ... but you can still poll addresses
       looking for Telnet activity and then go from there.
       Switches don't/can't hide EVERYTHING ... there are
       numerous utilities that can still see a LOT going
       on in the local network. Try WireShark ...

    No, you cant.

      Did it last Thursday.

      Switches do NOT hide all activity not directed
      to your specific PCs IP.

      They do REDUCE it a bit though. I kept a traditional
      HUB I can put right after the router to monitor ALL
      activity, just in case. Has a big label saying "NEVER
      THROW THIS AWAY" :-)

    BTDTGTTS

    You can only see broadcast traffic on other segments.


      But most places only have ONE segment ...

    most places only have ONE segment per ethernet connected device.

    There, fixed that for you


       Did have some fun lately though using Telnet to
       log into a mail server, you can select an alt port.
       Had to type weird stuff into prompts - but you COULD
       connect/receive/send.

    Been doing that for years.

      Not exactly "user friendly" though ...

    For test purposes it's ideal.

    And I still use POP to download my mail from my internet based server.
    Old school. Only this networks IP address can do that.

      Try POP ... or even IMAP ... with M$ mail servers.
      Last week they CUT THAT OFF. Only OAuth2 connections
      still work. Thunderbird can do it, but not everything.
      Mostly they want to force you to their online version
      of Outlook ... my guess is that it spies on all your
      other activity ....... more $$$ for M$

    I have never ever had a microsoft email account and only have a gmail
    one because it's apparently necessary for android and youtube.

    I download from gmail using POP with authentication.
    There is no way I want ANY mail sitting on some public server, even the
    ones I run myself

    My mail, apart from that, runs on my own server on a VPS. I have 4 or 5
    domains and about 20 email addresses. All handled seamlessly by thunderbird.

    Telnetting into those mail servers was how I debugged them on setting
    them up.

    --
    Canada is all right really, though not for the whole weekend.

    "Saki"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Natural Philosopher@21:1/5 to problem' he on Fri Jun 16 07:57:14 2023
    On 16/06/2023 06:33, 24D.245 wrote:
    OK .. face the awful awful Truth - THERE IS NO REAL
      "Protection". There are a zillion ways to tap your
      traffic, sneak into your boxes, trick your users. It's
      TOO MANY to cope with. Your best defense is obscurity,
      being beneath notice, having nothing of value.

    Oh dear, the ArtStudent™ mind with its Boolean Logic Only mentality
    rears its ugly head...

    It's not a matter of whether something *is* secure, it's a matter of
    *how* secure it is, but to assess that requires Intelligence and Thinking
    - qualities absolutely abhorrent to the modern social mind , as they
    smell strongly of elitism, and probably Imperialism if not even Racism.

    Today, you must be a good little child and believe in and do exactly
    what you are told, or you will be cancelled.

    If you want to be *practically* secure as against *theoretically* secure
    you need to do a cost benefit analysis on what your data is worth and
    how much in any coin you consider important, it will cost you to protect
    it, and, indeed, work out whether that protection is worthwhile at all.

    If you regularly leave the windows open, locking the door is a
    relatively pointless waste of money on locks.

    So you need to examine and understand all attack vectors, and realise
    that an attacker who wants to target you *personally* is unlikely to
    stop at throwing random packets at your router when he can burgle your
    house and steal your computers, especially if he has government authority.

    And if it's random RATWARE, the most likely vulnerability will be you,
    clicking on a URL and typing 'yes' when you should have typed 'no' on a
    Windows based machine.

    (I had a wonderful 20 minutes following instructions from a gentleman
    from the subcontinent, on the phone, who had called me about the
    'problem with my internet'. Eventually he said 'and what does it say
    there?' and I truthfully said 'Linux Mint'. 'Oh, Linux doesn't have the problem' he said, and hung up.
    Sadly I don't have the time to do that every time



      All the "wonderful" stuff you can do with modern networking
      comes at a PRICE. It's all deep, Deep, DEEP - endless hooks
      for evil-doers. M$ is so fucked up that it makes things
      even EASIER for the bastards - stick to Linux/Unix as much
      as you can.


    Well yes, the last malware I 'caught' was on Windows 95 IIRC.

    Since going 'all linux' I have not had any problems.
    The random scripts that attack my public facing servers are all so
    moronic, that I can't even be bothered to try and protect against them

    I mean, if you have the nous to set up a public facing server on the
    internet, are you *really* going to allow root logins via ssh with the
    password 'gandalf'?




    --
    Climate Change: Socialism wearing a lab coat.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Spiros Bousbouras on Fri Jun 16 11:08:41 2023
    On 2023-06-15 23:01, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 16:18:51 -0000 (UTC)
    Rich <rich@example.invalid> wrote:
    Note that "IP address of 10.0.0.X" is not 100% identical to "only
    connected to router by cable" as there is no mechanism at the
    networking layer for IP packets to know they are traversing cables
    "only connected to the router". So doing your actual ask is
    impossible. But denying any source IP other than the IP range used for
    the local LAN is the closest possibility.

    Let me ask something for my general education. The router can know whether some packets came from the part of its hardware which deals with WiFi as opposed to ethernet ports. So would it be possible to have a router based firewall which has different restrictions for WiFi accesses vs ethernet accesses ?


    Yes, certainly.

    However, what we know as "home router", the typical router you get from
    your ISP, don't have those capabilities.



    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to All on Fri Jun 16 11:13:02 2023
    On 2023-06-16 07:27, 24D.245 wrote:
    On 6/14/23 4:23 AM, The Natural Philosopher wrote:
    On 14/06/2023 05:01, 24D.245 wrote:

    ...

    And I still use POP to download my mail from my internet based server.
    Old school. Only this networks IP address can do that.

      Try POP ... or even IMAP ... with M$ mail servers.
      Last week they CUT THAT OFF. Only OAuth2 connections
      still work. Thunderbird can do it, but not everything.
      Mostly they want to force you to their online version
      of Outlook ... my guess is that it spies on all your
      other activity ....... more $$$ for M$


    OAuth2 is only the authentication part. The server part can be whatever,
    like IMAP, or Microsoft own protocols.


    For instance, with gmail you can use POP3 with OAuth2.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Spiros Bousbouras on Fri Jun 16 11:16:50 2023
    On 2023-06-15 21:53, Spiros Bousbouras wrote:
    On Wed, 14 Jun 2023 20:04:58 +0100
    The Natural Philosopher <tnp@invalid.invalid> wrote:
    On 14/06/2023 17:31, Rich wrote:
    If the router your ISP supplies does not give you a CLI interface
    option, you are out of luck there with that desire.

    ...

    Why you don't want to use the routers web interface is beyond me. their
    CLI interfaces are out of the ark usually. I only use mine because there
    is one piece of data I cant get out of it using snmp

    In general , I prefer CLIs than <point and click>. For one thing , with a
    CLI I can automatically record all the exchanges so that I will know in
    the future what I did but with a <point and click> interface I would have
    to keep notes ; something like ,

    I chose menu ABC and from that submenu DEF and changed option 2 from
    X to Y.

    It's extra work and boring work to boot. Apart from that , my router not only seems to offer only a web interface but it requires javascript too for the login screen to function. I don't like complexity for the sake of complexity and obviously you don't need javascript to type a username and password. In addition , I normally do almost all my browsing using a text based browser. So instead I have to start a graphical browser just to inspect and possibly change some stupid router settings. I don't like to be made to jump through hoops and this whole thing very much makes me jump through hoops and I resent that.

    But your router is listening on ssh. Haven't you tried it yet?

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to All on Fri Jun 16 11:29:30 2023
    24D.245 wrote:

      Try POP ... or even IMAP ... with M$ mail servers.
      Last week they CUT THAT OFF. Only OAuth2 connections
      still work.

    That's been the direction of travel for gmail, outlook, 365 over the
    last couple of years, IME thunderbird handles oAuth2 just fine.

    Thunderbird can do it, but not everything.
      Mostly they want to force you to their online version
      of Outlook ... my guess is that it spies on all your
      other activity ....... more $$$ for M$

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Natural Philosopher@21:1/5 to Andy Burns on Fri Jun 16 12:26:52 2023
    On 16/06/2023 11:29, Andy Burns wrote:
    24D.245 wrote:

       Try POP ... or even IMAP ... with M$ mail servers.
       Last week they CUT THAT OFF. Only OAuth2 connections
       still work.

    That's been the direction of travel for gmail, outlook, 365 over the
    last couple of years, IME thunderbird handles oAuth2 just fine.

       Thunderbird can do it, but not everything.
       Mostly they want to force you to their online version
       of Outlook ... my guess is that it spies on all your
       other activity ....... more $$$ for M$

    Yes, by gmail grumbles if you use it at setup time.
    --
    “A leader is best When people barely know he exists. Of a good leader,
    who talks little, When his work is done, his aim fulfilled, They will say,
    “We did this ourselves.”

    ― Lao Tzu, Tao Te Ching

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From 24D.245@21:1/5 to The Natural Philosopher on Fri Jun 16 21:12:23 2023
    On 6/16/23 2:57 AM, The Natural Philosopher wrote:
    On 16/06/2023 06:33, 24D.245 wrote:
    OK .. face the awful awful Truth - THERE IS NO REAL
       "Protection". There are a zillion ways to tap your
       traffic, sneak into your boxes, trick your users. It's
       TOO MANY to cope with. Your best defense is obscurity,
       being beneath notice, having nothing of value.

    Oh dear, the ArtStudent™ mind with its Boolean Logic Only mentality
    rears its ugly head...

    Sorry, was never good at 'art' :-)

    And that was hardly boolean logic - just notice that
    'security', esp computer security, is always a
    dangerous illusion. There are shades of grey, and
    a lot of factors which influence your color.

    It's not a matter of whether something *is* secure, it's a matter of
    *how* secure it is, but to assess that requires Intelligence and Thinking
    - qualities absolutely abhorrent to the modern social mind , as they
    smell strongly of elitism, and probably Imperialism if not even Racism.

    Today, you must be a good little child and believe in and do exactly
    what you are told, or you will be cancelled.

    News story yesterday - Amazon thought some guy said something
    'racist' to a delivery guy and completely shut down his
    Amazon-driven "smart"-home :-)

    https://www.msn.com/en-us/news/technology/amazon-shuts-down-customer-s-smart-home-devices-after-delivery-driver-s-false-racism-claim/ar-AA1cBxsE

    The STATE may have to give you (mostly) free speech, but
    INDUSTRY is under no such obligation.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From The Natural Philosopher@21:1/5 to All on Sat Jun 17 10:32:52 2023
    On 17/06/2023 02:12, 24D.245 wrote:
    On 6/16/23 2:57 AM, The Natural Philosopher wrote:
    On 16/06/2023 06:33, 24D.245 wrote:
    OK .. face the awful awful Truth - THERE IS NO REAL
       "Protection". There are a zillion ways to tap your
       traffic, sneak into your boxes, trick your users. It's
       TOO MANY to cope with. Your best defense is obscurity,
       being beneath notice, having nothing of value.

    Oh dear, the ArtStudent™ mind with its Boolean Logic Only mentality
    rears its ugly head...

      Sorry, was never good at 'art'  :-)

      And that was hardly boolean logic - just notice that
      'security', esp computer security, is always a
      dangerous illusion.

    That is boolean logic.

    'true' versus 'dangerous illusion'

    It's not a matter of true, it's a matter of *how* true.

    There are shades of grey, and
      a lot of factors which influence your color.

    Exactly. So don't cover an entire spectrum with a single statement
    'illusion'.


    It's not a matter of whether something *is* secure, it's a matter of
    *how* secure it is, but to assess that requires Intelligence and
    Thinking - qualities absolutely abhorrent to the modern social mind ,
    as they smell strongly of elitism, and probably Imperialism if not
    even Racism.

    Today, you must be a good little child and believe in and do exactly
    what you are told, or you will be cancelled.

        News story yesterday - Amazon thought some guy said something
      'racist' to a delivery guy and completely shut down his
      Amazon-driven "smart"-home  :-)

    More fool him for having one.
    The only cloud I use is *my* cloud.

    https://www.msn.com/en-us/news/technology/amazon-shuts-down-customer-s-smart-home-devices-after-delivery-driver-s-false-racism-claim/ar-AA1cBxsE

      The STATE may have to give you (mostly) free speech, but
      INDUSTRY is under no such obligation.

    The State is adept at circumventing it anyway.


    --
    "When a true genius appears in the world, you may know him by this sign,
    that the dunces are all in confederacy against him."

    Jonathan Swift.

  • From Javier@21:1/5 to Computer Nerd Kev on Sat Jun 24 00:42:35 2023
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    Spiros Bousbouras <spibou@gmail.com> wrote:
    I have 2 Linux computers connected to the same router through
    ethernet cables. Computer A runs Devuan , computer B an older
    version of Debian. I want to connect from B to A and execute
    shell commands on A. X11 forwarding would be a plus.

    I assume that something SSH related is the right approach

    Without knowing how old your old version of Debian is and how long
    you intend to keep using it without upgrading, my recommendation
    would be to not use SSH because either now or later it will be
    unable to connect with the newer Devuan system because all the
    supported authentication or encryption systems will be deprecated
    in the newer software.

    I had that problem recently connecting from Arch Linux to a 5-year-old
    LEDE router (BusyBox 1.25), which IIRC uses dropbear instead of OpenSSH.
    It was quite hard to guess the right options to make the connection,
    and the SSH documentation does not make it easy, but in the end I was
    able to connect with

    ssh -o"HostKeyAlgorithms=+ssh-rsa" \
    root@192.168.1.1 "${@}"

  • From Computer Nerd Kev@21:1/5 to Javier on Sat Jun 24 16:55:07 2023
    Javier <invalid@invalid.invalid> wrote:

    I had that problem recently connecting from Arch Linux to a 5-year-old
    LEDE router (BusyBox 1.25), which IIRC uses dropbear instead of OpenSSH.
    It was quite hard to guess the right options to make the connection,
    and the SSH documentation does not make it easy, but in the end I was
    able to connect with

    ssh -o"HostKeyAlgorithms=+ssh-rsa" \
    root@192.168.1.1 "${@}"

    That's newer OpenSSH versions (8.2 onwards) requiring SHA-2 instead
    of SHA-1 for RSA keys. I've had the same trouble the other way
    'round with a non-OpenSSH client failing to connect to a recent
    OpenSSH server (with an error implying a problem with my public
    key, rather than with the hash algorithm). Apparently it also won't
    work by default with OpenSSH versions prior to 7.2.

    https://www.openssh.com/txt/release-8.2

    --
    __ __
    #_ < |\| |< _#

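The exchange above is about the SHA-1 `ssh-rsa` signature algorithm, not about RSA keys as such: the host key is still RSA, but a modern OpenSSH client will not accept a SHA-1 signature from it unless told to. Javier's `-o"HostKeyAlgorithms=+ssh-rsa"` works, but typed on every command line it is easy to forget, and put in `~/.ssh/config` at the top level it would weaken every connection. The script below is an added example, not code from the thread: it writes a `Host` stanza that confines the fallback to one legacy device, and audits a config file for a fallback that was enabled globally. The directive names are OpenSSH's (`ssh_config(5)`); `HostKeyAlgorithms` covers the server's host key, while `PubkeyAcceptedAlgorithms` (spelled `PubkeyAcceptedKeyTypes` in clients before 8.5) covers our own RSA user key, which is the direction that produces the misleading "public key" error Kev mentions. The alias `lede-router`, the `audit_ssh_config` helper and the sample files are my constructions.

```shell
#!/bin/sh
# Added example (not from the thread): confine the SHA-1 "ssh-rsa" fallback
# to one legacy host in ~/.ssh/config and audit a config for a global one.
# Directive names are OpenSSH's (ssh_config(5)); alias, address and user
# are constructed placeholders.

# Append a Host stanza for a legacy device. Only this host gets the SHA-1
# signature algorithms; every other connection keeps the modern defaults.
write_legacy_host_stanza() {
    cfg=$1 halias=$2 addr=$3 user=$4
    cat >>"$cfg" <<EOF
Host $halias
    HostName $addr
    User $user
    # Legacy sshd (e.g. an old dropbear) only signs with ssh-rsa (SHA-1).
    HostKeyAlgorithms +ssh-rsa
    # Only needed when our own user key is RSA and the old server cannot
    # verify rsa-sha2-* signatures. Clients before OpenSSH 8.5 spell this
    # PubkeyAcceptedKeyTypes.
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
}

# Audit: return 1 if a line enabling ssh-rsa appears before the first
# Host/Match block, i.e. it applies to every connection. Comments are
# ignored; offending lines are reported on stderr.
audit_ssh_config() {
    awk '
        BEGIN { scoped = 0; bad = 0 }
        /^[ \t]*#/ { next }
        /^[ \t]*(Host|Match)[ \t]/ { scoped = 1; next }
        /ssh-rsa/ && !scoped {
            bad = 1
            print ("global ssh-rsa fallback: " $0) > "/dev/stderr"
        }
        END { exit bad }
    ' "$1"
}

# Demo on constructed temporary files: a scoped stanza passes the audit,
# a top-level HostKeyAlgorithms line does not.
demo() {
    tmp=$(mktemp)
    write_legacy_host_stanza "$tmp" lede-router 192.168.1.1 root
    if audit_ssh_config "$tmp"; then scoped_rc=0; else scoped_rc=1; fi
    printf 'HostKeyAlgorithms +ssh-rsa\nHost other\n    HostName 192.0.2.9\n' >"$tmp"
    if audit_ssh_config "$tmp"; then global_rc=0; else global_rc=1; fi
    rm -f "$tmp"
    echo "scoped=$scoped_rc global=$global_rc"
}

demo
```

After adding the stanza, `ssh lede-router` picks up the fallback automatically, and `ssh -G lede-router | grep -i algorithms` shows the effective values without connecting. Treat the stanza as a bridge for one device: once the router is upgraded, delete it and re-run the audit.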
  • From Javier@21:1/5 to Computer Nerd Kev on Sat Jun 24 12:15:13 2023
    Computer Nerd Kev <not@telling.you.invalid> wrote:
    I've had the same trouble the other way 'round with a non-OpenSSH
    client failing to connect to a recent OpenSSH server

    The other way round the problem is much worse, because one needs to
    tinker with server config files, and restart the openssh server, with
    the risk of breaking the server config and losing remote access to it.

    In that case it is better to run a second instance of the server with
    a different sshd_config file and a non-standard port.

    (with an error implying a problem with my public key,
    rather than with the hash algorithm)

    I also found the error message quite unhelpful. The error reporting in
    ssh should be improved.

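Javier's suggestion of a second sshd instance is the safe way to do the server side of this: the main daemon on port 22 is never edited or restarted, and whatever is loosened for the old client is confined to the extra instance. The script below is an added example, not code from the thread. It writes a separate config that listens only on the LAN address, only for one user, with keys only, and re-enables SHA-1 RSA signatures there alone; a static checker confirms the file cannot collide with the main daemon or silently widen access. Directive names are from OpenSSH's `sshd_config(5)` (`PubkeyAcceptedAlgorithms` is spelled `PubkeyAcceptedKeyTypes` in servers before 8.5); the port 2222, the LAN address, the user `alice`, the config path and the `check_alt_config` helper are my constructions.

```shell
#!/bin/sh
# Added example (not from the thread): a second sshd on a non-standard port
# with its own config, so legacy-compatibility settings never touch the
# daemon on port 22 and a mistake cannot lock you out.
# Directive names are OpenSSH's (sshd_config(5)); the port, address, user
# and file paths are constructed placeholders for a LAN host.

ALT_CFG=${ALT_CFG:-/etc/ssh/sshd_config.legacy}

# Write the alternate config. Everything that loosens security is confined
# to this instance: one LAN address, one user, key-only authentication.
write_alt_sshd_config() {
    out=$1 port=$2 lan_addr=$3 user=$4
    cat >"$out" <<EOF
# Second sshd instance for a legacy (SHA-1 only) client.
# Temporary bridge: remove once the old client is upgraded.
Port $port
ListenAddress $lan_addr
PidFile /run/sshd-legacy.pid
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AllowUsers $user
PasswordAuthentication no
PubkeyAuthentication yes
# Re-enable SHA-1 RSA signatures for this instance only. Servers before
# OpenSSH 8.5 spell the second directive PubkeyAcceptedKeyTypes.
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
EOF
}

# Static checks that need no sshd installed: the instance must not reuse
# the main daemon's port or pid file, and must stay key-only and limited
# to named users. Returns 1 and prints the reason on the first violation.
check_alt_config() {
    f=$1
    port=$(awk '$1 == "Port" { print $2 }' "$f")
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "Port must differ from 22"; return 1; }
    grep -q '^PidFile ' "$f" || { echo "needs its own PidFile"; return 1; }
    grep -q '^PasswordAuthentication no$' "$f" || { echo "must be key-only"; return 1; }
    grep -q '^AllowUsers ' "$f" || { echo "must restrict users"; return 1; }
    return 0
}

# Optional: let sshd parse the file itself before anything is started.
# Then, on the server, start the instance and confirm it is listening:
#   sudo sshd -t -f "$ALT_CFG" && sudo sshd -f "$ALT_CFG"
#   ss -ltn 'sport = :2222'
syntax_check_with_sshd() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping"; return 0; }
    sshd -t -f "$1"
}

# Demo on a constructed temporary file.
demo() {
    tmp=$(mktemp)
    write_alt_sshd_config "$tmp" 2222 192.168.1.10 alice
    check_alt_config "$tmp" && echo "alternate config ok"
    rm -f "$tmp"
}

demo
```

The old client then connects with `ssh -p 2222 alice@192.168.1.10` while everyone else keeps using port 22 untouched. Because the second instance has its own `PidFile`, stopping it later (`kill "$(cat /run/sshd-legacy.pid)"`) cannot affect the main daemon, and the `ListenAddress` line keeps the weakened algorithms off any interface other than the LAN one.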
  • From Popping Mad@21:1/5 to Carlos E.R. on Sat Jul 8 19:56:33 2023
    On 6/13/23 16:30, Carlos E.R. wrote:
    And once there you can type "firefox &" and get firefox, or anything else.


    Firefox always seems to know you are on a remote system and acts as it
    sees fit.
