bbs100 secure logon

bbs100 is a 'telnetable' BBS, which means you can log on to it simply by connecting to it via telnet. Telnet is well known for its poor security: all transmitted data is sent in plain text, so eavesdroppers and packet sniffers can easily pick up your private conversations, and your password with them. To discourage them, you can set up an encrypted link between your local machine and the site running bbs100.

Regular users can set up an SSH tunnel, but this requires you to have a login on another machine, so that you can set up a tunnel between these two machines and use the other one to hop on to the BBS. Note that the final part of the link (from that machine to the BBS) will not be encrypted this way.
For more information on how to do this, enter something like "ssh port forwarding howto pop imap" in your favourite Web search engine.

A nicer setup is for the BBS administrator to allow users to connect to his (or her) machine using SSH, and to connect (locally) to the BBS from there, so the whole path is encrypted.

Here is how to set up this kind of configuration.

The trick is to create a special user on the server, that has telnet as login shell, and let 'him' connect back to the BBS. As a consequence, you will not be able to see where a user connects from, but this also ensures the user's privacy.
To set this up, create a login on the server machine named 'bbs-user'. Give bbs-user an empty password. Put the following setting in /etc/sshd_config:

PermitEmptyPasswords yes

If your system uses PAM (Pluggable Authentication Modules), you may also need to add the option nullok to the password line in either /etc/pam.conf or /etc/pam.d/sshd (depending on which platform you are on), so that it looks something like this in /etc/pam.conf:

sshd   password   required     /lib/security/pam_unix.so shadow nullok use_authtok md5

or, if you have /etc/pam.d/sshd:

password   required     /lib/security/pam_unix.so shadow nullok use_authtok md5

Now change the login shell of bbs-user to telnet, in /etc/passwd:

bbs-user:x:501:501:bbs100 user:/:/usr/bin/telnet -E localhost 1234

Note the -E option: it disables the telnet escape character. If you omit it, users will be able to break out of the telnet session, log in through your machine and possibly use it for malicious actions.

Now you can try 'ssh bbs-user@your.bbs100.site'. It should log you on without asking for an SSH password. Note that users always have to connect as user 'bbs-user'. Jose Nazario has donated a patch to OpenSSH-2.5.2 which sets the username to bbs-user by default, letting you connect to the bbs100 in a slightly more comfortable way: 'ssh your.bbs100.site'. Bear in mind that if you install this patched sshd, you will NOT be able to use regular ssh to log in to your machine as a different user (that is, a user other than 'bbs-user'). As a solution to this, you can configure a 'normal' unpatched sshd on a different port number (say, 222) and use that one for regular ssh connections.

Some systems don't allow you to specify arguments after the shell (telnet) in /etc/passwd. As a solution, you can use the bbs_shell program (see Downloads below) and put 'bbs_shell' as the shell in the /etc/passwd entry for bbs-user.
Most systems don't allow just any program as a login shell either; usually you also have to enter its full pathname in the file /etc/shells, which lists the valid login shells of the system.
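As an added example of what such a restricted login shell looks like (this is not the bbs_shell distributed with bbs100, just an illustration written for this page), the program below ignores whatever arguments sshd or login pass to it, throws away the inherited environment except for TERM, and execs 'telnet -E localhost 1234' so that bbs-user can reach the BBS and nothing else. The telnet location /usr/bin/telnet and the port 1234 are taken from the /etc/passwd example above; adjust them for your system.

```c
/* bbs_shell-style restricted login shell (added example, not the project's own
 * bbs_shell). Install it as the login shell of bbs-user and list its full path
 * in /etc/shells. It never runs a command shell: if telnet cannot be started
 * it simply exits. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TELNET_PATH "/usr/bin/telnet"   /* assumed location of telnet */
#define BBS_HOST    "localhost"         /* the BBS runs on this same machine */
#define BBS_PORT    "1234"              /* port from the /etc/passwd example */

/* Fill argv with the fixed telnet command line. -E disables the telnet escape
 * character, so the user cannot drop to the telnet prompt and open other
 * connections from this host. Returns the argument count, or -1 if the
 * array is too small to hold the arguments plus the terminating NULL. */
int build_telnet_argv(char *argv[], int max_args) {
    const char *fixed[] = { TELNET_PATH, "-E", BBS_HOST, BBS_PORT };
    int n = (int)(sizeof(fixed) / sizeof(fixed[0]));
    if (max_args < n + 1)
        return -1;
    for (int i = 0; i < n; i++)
        argv[i] = (char *)fixed[i];
    argv[n] = NULL;
    return n;
}

/* Build a minimal environment: a fixed PATH plus the caller's TERM if it is
 * set (telnet passes the terminal type on to the BBS). Nothing else from
 * the sshd session leaks through. Returns the entry count, or -1. */
int build_telnet_env(char *envp[], int max_env, const char *term) {
    static char termbuf[64];
    int n = 0;
    if (max_env < 3)
        return -1;
    envp[n++] = "PATH=/usr/bin:/bin";
    if (term != NULL && strlen(term) < sizeof(termbuf) - 5) {
        snprintf(termbuf, sizeof(termbuf), "TERM=%s", term);
        envp[n++] = termbuf;
    }
    envp[n] = NULL;
    return n;
}

int main(int argc, char *argv[]) {
    (void)argc; (void)argv;     /* never honour arguments from the caller */
    char *av[8];
    char *ev[4];
    if (build_telnet_argv(av, 8) < 0 ||
        build_telnet_env(ev, 4, getenv("TERM")) < 0) {
        fputs("bbs_shell: internal error\n", stderr);
        return 1;
    }
    execve(TELNET_PATH, av, ev);
    /* Only reached if exec failed: report it and exit; do not fall back to a shell. */
    perror("bbs_shell: cannot run telnet");
    return 1;
}
```

Compile it with 'cc -o /usr/local/bin/bbs_shell bbs_shell.c', add /usr/local/bin/bbs_shell to /etc/shells, and use that path as the shell in the bbs-user passwd entry. Because the command line is hard-coded, a user logging in as bbs-user cannot influence which host or port telnet connects to.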

Credits go to Jose Nazario for the OpenSSH patch and to Myth of MatrixBBS for thinking up a way to have users connect to bbs100 in a secure way.
To prove it works, try 'ssh matrix@matrix.whacky.net'.

Downloads
Patch to OpenSSH-2.5.2
special BBS shell

The OpenSSH website is at www.openssh.org.

You may also want to read about redirecting bbs100 to the default telnet port.

If you really must, you can contact the author at walter at heiho dot net