HB1PMS > JNOS 13.03.20 16:41l 430 Lines 15251 Bytes #999 (0) @ WW
BID : 2536HB1PMS
Read: GAST
Subj: Jnos update 2.0n (beta)
Path: DBO595<DBX320<FRB024<BBS645<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200312/2354Z 8909@HB1BBS.ZL.NLD.EU BPQ6.0.19
From: HB1PMS@HB1BBS.ZL.NLD.EU
differences between 2.0n.beta and 2.0m - February 28, 2020
----------------------------------------------------------
What started off as 2.0m.1 is now 2.0n.beta

This is a radical change to the JNOS user password authentication, which
instantly warrants a change to the version MAJOR - it most certainly is not a
MINOR change.

This is something I have been wanting to do for a long time. It is a bit
technical and might be a handful for some. For that I apologize. Please contact
me if you have any concerns or are struggling with it - BUT (respectfully
asking) not before you've given it your all - I just don't have the time
anymore, too many things going on.
Highlights of this update are :

No more ftpusers file, it's gone
The BBS user passwords are now hashed (not encrypted), no more cleartext
  (however if MD5AUTHENTICATE is defined, we have no choice but to include
  the encrypted passwords as 'extra information' to the new system)
The Winlink CMS password is properly encrypted again
The AXHEARD list can now be saved to file or loaded from file, there are
  some notes on this towards the end of this section. Note, this required
  some restructuring of the console 'ax heard' commands, it made sense.
I have enhanced the information shown by the 'mbox sid' console command

Documentation ->
"https://www.langelaar.net/jnos2/documents/jnos.2.0n.password.management.txt"
This update is only available as a patch, and must only be applied to the
official 2.0m version.

WARNING : do NOT use this on any earlier versions !!!

Just change directory to your JNOS source and do something like this :

wget "https://www.langelaar.net/jnos2/downloads/linux/2.0n.beta.update.tar.gz" --no-check-certificate

Now run these commands below :

tar xvzf 2.0n.beta.update.tar.gz

edit your config.h (or config.h.default if you don't have one yet), and
make sure this entry exists :

#define GET_PASSWORD_FROM_J2PWMGR

make clean
./configure
make
NOTE : please MAKE SURE you create a new 'users' subdirectory in your JNOS
root directory (a small oversight on my part, I will correct it later)

The configure script now warns you if you have INP2011 defined - recommend you
#undef INP2011 (old code, my attempt @ supporting INP3 protocol long ago, some
people are reporting JNOS crashing)

The makefile now enforces the compiler option '-fsigned-char' so if you are
running a PI or any ARM based system, you should be fine as far as that issue
is concerned.

I have tested this with gcc 6.3.1 (devtoolset-6), it compiles, the link will
fail, BUT the solution is simple, edit your makefile to make sure
'LCURSES = -lncurses -ltinfo'

I have not tested convers, and done limited testing on ftp user logins.
DO NOT use this update IF any of the following apply to your setup :

1) This update breaks SMTP_VALIDATE_LOCAL_USERS - new function needs to be written
2) This update breaks PPP - userlookup needs to be rewritten
Save and Load ax25 Heard List

The ax25 heard list can now be saved to a file or loaded (restored) from a file.
Add '#define BACKUP_AXHEARD' to your config.h for this feature.

Decided to also revamp the 'ax heard' command at the JNOS console, since there
are now several commands available, all of which really should be categorized
as being subcommands of 'ax heard' - so with this update, the new syntax is as
follows :

Usage : ax heard < show | dest > [<iface>]
        ax heard < save | load >

The 'dest' and 'hearddest' commands are gone, absorbed by the above syntax.
The heard data is kept in a new 'AxHeardFile' in the JNOS root directory.
There might still be some issues with improper time stamps, please let me know.

differences between 2.0m and 2.0k.3B - November 27, 2019
--------------------------------------------------------
NOTE : version bumped up to 2.0m (skipped the L since in lowercase it looks too
much like the number one or the letter 'i'), call me mercurial (?)

IMPORTANT : this started off as Beta release end of September, with additional
mods added towards the end of October, and was made available through a new
rsync module, 'jnos2NR' during that time. As of November 27, this code is now
an official release, the Beta designation has been dropped, so please revert
back to the standard rsync module 'jnos2' for download.
cd <empty directory> ; rsync -av www.langelaar.net::jnos2 .
WARNING : do NOT patch this version with ANY previous release updates !
(in other words do not use tun.c fix, tnlink patch, whatever)
1) Some changes to the way JNOS is compiled - a new './configure' script
After you download the release, if you try to run make, it will tell you to
run './configure' first - this is new to version 2.0m and onwards. The script
checks to see if the necessary linux development packages are installed - if
they are missing, it will tell you that, and you won't be able to continue.
The 'make' will only work if './configure' successfully makes it to the end.
At present, the script only checks for ncurses, and open-ssl (only if the
winlink secure login is defined in config.h) - yes, it scans your config.h
file. Also, if config.h does not exist, the script now puts in the default,
not the makefile anymore as in past versions.
You can run './configure' as many times as you want, but I suggest if you
make changes to your existing config.h or whatever, then do a 'make clean'
first, then run the './configure' script. You will have to anyways, since
the 'make clean' forces you to run the script again.
NOTE : the configure script is matched to the makefile, you must update
both files or else './configure' will complain about it and stop.
2) The 'tun.c' compile issues are resolved, no more patching needed.
Moved a couple of structure definitions out of the ax25.h and tcp.h
header files, creating two new header files - ifax25.h and iftcp.h
There is no longer any need for the tun_sp2l.c patch which I first put
out back in June of 2017, for those trying to compile JNOS 2.0k.1 on a
debian-stretch-DI-rc4-i386 distro at the time, the idea was to replace
the existing tun.c with my patch version - was a kludge fix at best.
3) JNOS should (probably) be run as a non-root user, here is how to do it :
This change was actually provided to me by KB8OJH (Ethan Blanton) back in
January of 2018, and I have been running it on my development system, it's
just that I completely forgot to put it into my rsync areas, till now. My
profuse apologies for this 'terrible' oversight. Please visit his website
at https://kb8ojh.net, there is some cool information on there.
Very simple to implement, the procedure is as follows :
NOTE : these are examples based on my system, most likely you will need
to change these, or probably you just should change them to suit
your JNOS runtime environment. Again - these are just examples.
a) create a new JNOS user and group
jnos:x:1001:1001::/home/jnos:/bin/bash
jnos:x:1001:
b) change ownership of the entire JNOS runtime area
chown -R jnos:jnos /jnos/rte
c) as root user, configure a tunN interface, and just leave it there forever.
ip tuntap add mode tun dev tun4
ifconfig tun4 192.168.200.200 pointopoint 192.168.200.201 mtu 1500 up
WARNING : make sure you pick a number N that does not conflict with any
other tun interfaces that might be running - OpenVPN comes to
mind for example, some VM subsystems might use tun as well ?
d) modify autoexec.nos, add an extra parameter to the 'attach tun' entry,
and make sure to comment out the point to point ifconfig.
So what was previously run as root, for example, below :
attach tun tun0 1500 0
shell ifconfig tun0 192.168.200.200 pointopoint 192.168.200.201 mtu 1500 up
will now just become a one line entry, below :
attach tun tun0 1500 0 tun4
4) The '#define B2F' is now permanent in config.h - do NOT #undef it
For now I have decided to make #define B2F a permanent define, which basically
relegates the '#ifdef B2F' found all over the code to identifying the areas of
code specific to B2F operation. If you #undef B2F, you will actually break the
checksum processing in the B1F protocol, so it is best to leave it in place.
Thanks to N6MEF (Michael Fox) for accidentally discovering the B1F issue :)
I might even remove the B2F definition in a future release, it does not hurt to
leave this code in place, it's pretty well established by now, so this minimizes
the risk of messing up any of the existing forwarding code.
Which brings us to the next point below ...
5) Introducing the new '#define WINLINK_SECURE_LOGIN' in config.h
The only reason the openssl development package is required when compiling JNOS
is because we need the md5 hash routines to support the 'Winlink Secure Login'.
For those who want to pull mail off the CMS servers, you need to have this
defined, or else the CMS servers will refuse to let you go any further. Yes,
you can actually still 'kick wl2k' - search for December 15, 2017 further
down in this file on how to setup for CMS forwarding - but it will fail.
Previously '#define B2F' was used to encase the Winlink Secure Login code.
(but now that it's permanent, we have this new define in place)
6) Bit of a surprise, recent versions of linux are no longer supporting the old
setkey () and encrypt () functions, which has presented me with the problem of
not being able to encrypt my JNOS 2.0 password management database. Passwords
are still mangled, that's not the issue, but for now I've had to comment out
the part which encrypts the mangled values - don't want a 'rushed solution'.
Looking for a replacement - basically libcrypt (-lcrypt) is no more ...
IMPORTANT (if you forward with a Winlink CMS) :
It just means you will have to wipe the /jnos/users directory and run
the j2pwmgr utility again to recreate the Winlink Secure Login passwd
information. Unfortunately the files in the directory from before are
not going to be compatible with this newest version, sorry for that.
7) Support for RMS call (already available in previous release), BUT ...
The only thing to note is that there is no more 'tnlink' subdirectory,
the source is now part of the main release. Do NOT use the patch from
previous version 2.0k.3B - do not use any patch on the new 2.0m !
If you wish to support Packet Winlink users on your own JNOS, now you can :)
Originally the define was going to be '#define RMSCALL', but I have decided
to instead use '#define TNCALL' since the feature can be used with ANY telnet
service for that matter, even another BBS (how I tested original prototype).
Please check the release notes for 2.0k.3B (further down) on how to use this.
8) New way to configure White Page (WP) processing, read carefully please
The rewrite file is very important and gives the ultimate flexibility in defining
what your specific JNOS system should process as far as White Page (WP) updates.
Here is the portion of my rewrite file that I am currently testing with :
#
wp@ww whitepages
wp@eu whitepages
wp@ve4klm whitepages
wp@ve4klm.#wpg.mb.can.noam whitepages
#
*@ve4klm.#wpg.mb.can.noam ve4klm
#
Files : smtpserv.c, smtpcli.c, wpages.c
Detailed Documentation for JNOS 2.0 white pages can be found here :
https://www.langelaar.net/jnos2/archive/documents/practical/wpages
9) A fix to wildmat.c, added on October 22, thanks to VE3CGR (Ron), who reported
this long ago, any time he ran the expire command, JNOS would crash. Regarding
his configuration, he uses NNTP services and his expire.dat is loaded with tons
of NNTP group names, some with a '?' character as part of the name, triggering
the crash.
It's a simple fix, but quite honestly, any of the wildcard stuff turns my brain
to jello. I still don't understand the changes made in 2014 for N6MEF (Michael),
but I have been told it's still in use, and working for them - so that's good.
10) Now checking for missing BID on ALL incoming S proposals - not just SB, but
also SP, which folks mistakenly use sometimes when sending bulletins. A fix
to mboxmail.c was provided by N1URO (Brian Rogers), added on October 16.
11) Fixed several potential string buffer overflows as reported by the compiler.
12) Investigating removal of passwords from ftpusers and incorporating them into
the same JNOS 2.0 Password Management Database as currently used for saving
the Winlink password. At the same time, I am removing the encryption of any
passwords and replacing them with hash:salt information instead, as per the
recommendations of several high profile security institutions, meeting the
need that nobody, not even the administrator, will be able to determine a
user's password (because HASH values only go in one direction).
One could even consider multiple iterations, one could include the CPU id
of the physical computer or some other identifier unique to the JNOS host
setup, locking the password hashes to the specific server JNOS runs on.
As much as I want to entertain the idea of using HMAC-SHA-256, PBKDF2, or
whatever the flavour of the year, the code can get complex, so for a first
time prototype, MD5 is fine - it's JNOS, not a financial institution :|
13) Investigating the use of multiple REWRITE_TO (in rewrite file) for redundant
message passing, in case a recipient handling host is down and we simply must
get it passed some other way ? For example, my rewrite could be :
*.usa.noam aa6hf#RDN#n1uro
and have #RDN# processed by the smtp client and server within JNOS ?
(nothing concrete, just a very intriguing idea at this time
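
The salted, iterated, host-bound hashing that item 12 weighs up (and that the 2.0n "hashed, not encrypted" highlight refers to), as an added Python example; it is not JNOS or j2pwmgr code. It uses PBKDF2-HMAC-SHA-256 rather than the MD5 prototype the notes describe, and the record layout, function names and host identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000        # assumption: work factor, tune to the host CPU
MAX_ITERATIONS = 5_000_000  # refuse absurd counts from a tampered record


def _derive(password: str, salt: bytes, host_id: bytes, iterations: int) -> bytes:
    # The host identifier is appended to the per-user salt, so a record only
    # verifies on the machine that created it. It binds, it is not a secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + host_id, iterations)


def make_record(password: str, host_id: bytes, iterations: int = ITERATIONS) -> str:
    """Build 'iterations:salt:hash' with hex fields (hypothetical layout)."""
    salt = os.urandom(16)  # fresh random salt per user and per password change
    digest = _derive(password, salt, host_id, iterations)
    return f"{iterations}:{salt.hex()}:{digest.hex()}"


def verify(password: str, record: str, host_id: bytes) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        count, salt_hex, hash_hex = record.split(":")
        iterations = int(count)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed or truncated record
    if not 1 <= iterations <= MAX_ITERATIONS or not salt or not expected:
        return False
    candidate = _derive(password, salt, host_id, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    host = b"constructed-host-id"            # constructed sample value
    rec = make_record("constructed-password", host)
    print(rec)                                # only salt and hash are stored
    print(verify("constructed-password", rec, host))
    print(verify("constructed-password", rec, b"another-host"))
```

Because the stored record holds only the salt and the derived hash, the administrator can reset a password but cannot read one back, which is the property item 12 is after.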
73 Henk.
======================================================================
_ _ ____ __ ____ ____ _____
| | | | _ \/_ | _ \| _ \ / ____| SYS: Henk (hb1nos@hb1bbs.com)
| |__| | |_) || | |_) | |_) | (___ QTH: Ouwerkerk - JO11XO
| __ | _ < | | _ <| _ < \___ \ BBS: HB1BBS.ZLD.NLD.EU
| | | | |_) || | |_) | |_) |____) | QRV: 27.235 MHz (FM 1200bps)
|_| |_|____/ |_|____/|____/|_____/ WEB: www.hb1bbs.com
======================================================================
** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93
======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed vrijdag 13 maart 2020 00:53 West-Europa (standaardtijd)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU