differences between 2.0m.1 and 2.0m - January 19, 2020 ------------------------------------------------------ This is a huge change if one chooses to use it, and quite technical. I am wondering if I should have changed the 'major' to 2.0n, instead of sticking to the 'minor' 2.0m.1 ... initially I just wanted to take the passwords out of the ftpusers file, but then the momentum picked up the more I worked on the code, to the point where there is no more ftpusers files, it's gone ! Do NOT use IF ------------- If you are using MD5AUTHENTICATE in JNOS then this update is of no use. Unfortunately MD5AUTHENTICATE requires clear text passwords to work, and with this new release, that is no longer possible (read further down). I suppose we could consider a work around of sorts for this (later) ? This update breaks SMTP_VALIDATE_LOCAL_USERS - new function required This update breaks PPP - userlookup needs to be rewritten Overview -------- Traditionally, all BBS users have been defined in one 'ftpusers' file. Each user gets a one line entry containing their callsign, password, home folder, and BBS permissions, and passwords are all in clear text. With this version, the 'ftpusers' file is no more. Each entry in 'ftpusers' now exists as an individual configuration file for the particular user. All of the files can be found under a newly created 'users' JNOS subdirectory. There is a script provided to import your ftpusers file to this new format. Passwords are no longer clear text, but they're not encrypted either, instead they are now saved as hash:salt pairs, a one way process where one will never be able to get the clear text value - more in line with modern practices ! The naming convention of the files under 'users' subdirectory is : callsign.X.dat where X = 0 for JNOS BBS Users, and X = 1 for Winlink (discussed later) These files contain a one line entry with multiple columns of ascii data, with a ':' character to separate (delimiter) the columns from each other. The Internal format for JNOS BBS Users file (X = 0) is as follows : column description ------ ------------------------- 1 always '0' to match the file type 2 callsign or login user 3 32 character password hash 4 8 character random password salt 5 user directory 6 user permissions Note columns 2, 5, and 6 are 'the same as from the ftpusers file' ... You can actually edit the file with a text editor if you really want to, but really don't do it, unless you need to alter the home folder or permissions. There is a special case file where X = 1 which stores the Winlink password for those of you who have forwarding setup to a Winlink CMS server (wl2k). The winlink CMS password will have to continue to be encrypted, because the logistics involved in changing all of that is simply horrendous and will just not happen - there was a discussion and I can appreciate it. Now using openssl EVP encryption in place of the deprecated libcrypt, so there is no need to mangle the password anymore before any encryption. I am actually using the example code from the openssl wiki, with copyright notices in place. It may seem like overkill, but it was a good exercise in trying to keep up with so called modern security practices ... Internal format for the sole Winlink User file (X = 1) is as follows : column description ------ ------------------------- 1 always '1' to match the file type 2 your winlink CMS callsign 3 variable length encrypted password For those already forwarding with a Winlink CMS server, this file already exists, but in a format not compatible with this release, meaning you will once again have to regenerate this file (see further below) - sorry ... The User / Password Management Utility -------------------------------------- The 'users' files are managed by a command line utility 'jnospwmgr', ie : root@slackware:/jnos/rte# ./jnospwmgr JNOS 2.0 password manager V2 - Jan 2020, by Maiko Langelaar (VE4KLM) Usage: j2pwmgr { -a | -d } [-w] [-p ] [-r ] [-# ] Arguments: -a create password entry for -d delete password entry for Options: -w mark as a Winlink user; the default is a JNOS user -p instead of prompting for password, set via the command line -r root directory; the default is /jnos/public -# permissions; the default is 0x0407f Some of you already know of this command, it was originally introduced to configure the Winlink CMS password for the [wl2k] forwarding area. It has been revamped to include management of your JNOS BBS users. Being this is a command line utility, it can be easily incorporated into any scripts you write, and is actually used by the script made available to import your entire ftpusers files into the new format. How to Manage Users and Passwords @ SYSOP level ----------------------------------------------- create a new JNOS BBS user (prompt for password) : ./jnospwmgr -a ve4pkt create a new JNOS BBS user (no prompt, specify password on command line) : ./jnospwmgr -a ve4pkt -p nAv0Wu2mzj delete an existing JNOS BBS user : ./jnospwmgr -d ve4pkt create your Winlink CMS user for your [wl2k] forwarding area : ./jnospwmgr -a ve4klm -w What is Missing ? ----------------- Yes, some things are missing, but they're not show stoppers. I just want to get this stuff released, since the base code has been in place and running on my development system since the beginning of December, so it's time ... There is no provision to update a users password, so for now just create them again, even if they exist already, it will just overwrite the file. There is no provision to list users - 'ls /jnos/users' works for now. Yes, you can edit the user files to alter the root directory and/or user permissions, just be careful you don't mess up the hash and salt values. The Universal User ------------------ Recall the last entry in ftpusers is usually something like this : univperm * /jnos/public 8 This is the universal login with limited privileges, so if you want to continue to allow this, you need to create a 'univperm' user : ./jnospwmgr -a univperm -p nopassword -# 8 The 'nopassword' indicates the '*' - ignore any password entered, and just give the user access. You can actually specify a password which you expect universal logins to adhere to if you really really want. The Default Name User --------------------- JNOS has some built-in default names used for permission checks, such as 'tcpperm', 'ax25perm', 'nrperm', and others. I have never used them myself, but likely there are people who do use them, so they should be supported. They're part of the original ftpusers functionality anyway. Use the same procedure as for 'univperm' above to deal with these. Request for Password from JNOS BBS prompt ----------------------------------------- This one came about because I have never liked the idea of a user giving me a password when I'm creating a new account for them. I would rather they put the password in themselves. This is experimental, maybe it won't survive ? 19Jan2020, Not compiled by default based on some feedback received already, so if you want to have this feature you need to '#define BBS_PASSWD_REQ'. If you connect to a JNOS BBS, you can now issue the PA command, which will prompt for a password, allowing you to enter it in private, without a SYSOP needing to do it for you. This creates a file under the 'users' directory, but puts an additional '.req' on the end of it - so it will not be useable until such time the SYSOP renames the file to the proper '.dat' extension. The only 'irony', maybe a bad choice of word, to all of this is ; in order for a user to request a password, they will most likely be doing it over a communications medium in clear text, a given if done over real packet radio connections, but not so bad on a none RF medium, unless someone is running a sniffer or something. Just be aware of these types of situations, if you are even concerned about that. Just saying ... The only other option is to trust your SYSOP when they use 'jnospwmgr'. I am pretty sure people could get creative and make a web based password request site, which could call 'jnospwmgr' - a slight hint perhaps :] Other Considerations -------------------- Users having the SAME passwords will have completely different hash:salt pairs, so you will have no idea if users have the same password. That is by design. You will not be able to transfer the Winlink password file to any other system with it's own compile, and expect it to work. When you compile the new code for the first time, I have made it so that the 'master keys' are randomly generated per compile. Why did I bother ? It interested me ... If you do not like that, make sure you preserve the generated source : root@slackware:/jnos/src# cat j2pwmgrV2/j2pwmgrkeys.c unsigned char *key = (unsigned char *)"b1824...552e......2b8"; unsigned char *iv = (unsigned char *)"78a...783...8f5fe1"; and move it to the other machines before you compile on them. How To Upgrade Your JNOS Installation ------------------------------------- IF you choose to go the 'no more ftpusers' route, add this to config.h #define GET_PASSWORD_FROM_J2PWMGR Now run 'make clean', then './configure', then 'make'. Move the follow files to your JNOS root directory, ie : /jnos jnos jnospwmgr jnosinstaller importFTPUSERSpasswords.sh Then in the JNOS root directory run the script similar to this : cd /jnos sh importFTPUSERSpasswords.sh < ftpusers PS : please consider using 'stronger passwords' now :) For those using [wl2k] forwarding to a CMS, don't forget to recreate your winlink user, since the existing user file will not be compatible with this latest release, in other words (example using my call) : ./jnospwmgr -a ve4klm -w Then just run jnos as you usually would ... ----- Copyright (C) 2004-2020 by Maiko Langelaar / VE4KLM