9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] Re: NAT'ing a drawterm connection
@ 2003-08-26  1:53 Skip Tavakkolian
  0 siblings, 0 replies; 14+ messages in thread
From: Skip Tavakkolian @ 2003-08-26  1:53 UTC (permalink / raw)
  To: 9fans

> | several people, including me, have made fixes to drawterm which didn't
> | appear on the distribution, so i gather nobody really cares about it there.
>
> If someone is willing to act as maintainer, so there is at least one
> stable version, that should be ok even if it isn't in the official dist.

Ideally, the person who maintains it should be the visionary behind the original
work.

I'd be glad to host the modified versions.




* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-28  0:13         ` Bruce Ellis
@ 2003-08-28  8:21           ` matt
  0 siblings, 0 replies; 14+ messages in thread
From: matt @ 2003-08-28  8:21 UTC (permalink / raw)
  To: 9fans

Bruce Ellis wrote:

>rather than 'strings' try an awk script that grabs the fid from the Ropen
>that matched the Topen of "cons" and then dumps the payload of Rreads
>of that fid.
>

Thanks for the tip. I think I've seen enough to know it's not encrypted.






* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-26 11:22       ` matt
@ 2003-08-28  0:13         ` Bruce Ellis
  2003-08-28  8:21           ` matt
  0 siblings, 1 reply; 14+ messages in thread
From: Bruce Ellis @ 2003-08-28  0:13 UTC (permalink / raw)
  To: 9fans

rather than 'strings' try an awk script that grabs the fid from the Ropen
that matched the Topen of "cons" and then dumps the payload of Rreads
of that fid.

> I just did a wee test myself using tcpdump and I can see plain text in
> my drawterm packets
>
> but it is a confusing result
>
> running strings over the captured packets isn't enough to yield what you
> typed



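The correlation Bruce Ellis describes above, as an added example that is not code from the thread, for checking whether console input is readable in your own capture. It assumes the capture has already been decoded to one 9P message per line in a constructed format (`<type> tag N fid N ...`, replies carrying the fid); because the file name travels in the walk rather than the open, the script starts tracking the fid there.

```shell
#!/bin/sh
# Added illustration. The trace format and its contents are constructed
# (abridged: T-reads and R-walks omitted); it is not snoopy or tcpdump output.

sample_trace() {
cat <<'EOF'
Twalk tag 1 fid 7 name cons
Topen tag 2 fid 7 mode 0
Ropen tag 2 fid 7
Twalk tag 3 fid 9 name mouse
Topen tag 4 fid 9 mode 0
Ropen tag 4 fid 9
Rread tag 5 fid 7 count 6 data ls -l
Rread tag 6 fid 9 count 17 data m 101 202 0 4711
Rread tag 7 fid 7 count 20 data echo some data here
Tclunk tag 8 fid 7
Twalk tag 9 fid 7 name draw
Topen tag 10 fid 7 mode 0
Ropen tag 10 fid 7
Rread tag 11 fid 7 count 4 data abcd
EOF
}

cons_reads() {
    awk '
    # Twalk carries the name: track which fid currently points at "cons".
    $1 == "Twalk"  { if ($NF == "cons") walked[$5] = 1; else delete walked[$5] }
    # Ropen on such a fid means later reads on it are console input.
    $1 == "Ropen"  && ($5 in walked) { isopen[$5] = 1 }
    # Fids are reused after a clunk, so forget the fid.
    $1 == "Tclunk" { delete walked[$5]; delete isopen[$5] }
    # Print the payload: everything after the first " data " marker.
    $1 == "Rread"  && ($5 in isopen) { print substr($0, index($0, " data ") + 6) }
    ' "$@"
}

sample_trace | cons_reads
```

Reads on the mouse fid and on fid 7 after it is clunked and reused for another file are skipped, which is the filtering that `strings` over the raw packets cannot do.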

* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 17:37     ` Jim Choate
@ 2003-08-26 11:22       ` matt
  2003-08-28  0:13         ` Bruce Ellis
  0 siblings, 1 reply; 14+ messages in thread
From: matt @ 2003-08-26 11:22 UTC (permalink / raw)
  To: 9fans

Jim Choate wrote:

>Go pick a fight with somebody else.
>
>
>
I don't want a fight, I want to know the answer

I just did a wee test myself using tcpdump and I can see plain text in
my drawterm packets

but it is a confusing result

running strings over the captured packets isn't enough to yield what you
typed

but I did see this :

srv: /srv/juice already ex

which is an error message I get from trying to re-srv my u9fs on login
through my profile

so my uneducated conclusion is that it is obfuscated rather than plain

Russ, your stetson is in the post






* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 15:46         ` Scott Schwartz
  2003-08-25 15:55           ` andrey mirtchovski
@ 2003-08-25 17:40           ` Jim Choate
  1 sibling, 0 replies; 14+ messages in thread
From: Jim Choate @ 2003-08-25 17:40 UTC (permalink / raw)
  To: 9fans; +Cc: hangar18-general


On Mon, 25 Aug 2003, Scott Schwartz wrote:

> | several people, including me, have made fixes to drawterm which didn't
> | appear on the distribution, so i gather nobody really cares about it there.
>
> If someone is willing to act as maintainer, so there is at least one
> stable version, that should be ok even if it isn't in the official dist.

The Open Forge or SSZ nodes of H18 will mirror it if that is helpful.

 -- --
      ravage@ssz.com                            jchoate@open-forge.com
      www.ssz.com                               www.open-forge.com





* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 16:05   ` matt
@ 2003-08-25 17:37     ` Jim Choate
  2003-08-26 11:22       ` matt
  0 siblings, 1 reply; 14+ messages in thread
From: Jim Choate @ 2003-08-25 17:37 UTC (permalink / raw)
  To: 9fans


Go pick a fight with somebody else.


 -- --
      ravage@ssz.com                            jchoate@open-forge.com
      www.ssz.com                               www.open-forge.com


On Mon, 25 Aug 2003, matt wrote:

> >
> >
> >>a simple sniff can copy your key strokes ...
> >>the auth is secure but the connection is cleartext.  type away.
> >>
>
> Jim wrote :
>
> >Yes, that is absolutely true. And we are well aware of it (sniffers are a
> >regular tool for us, snoopy needs work!)
> >
>
> Russ wrote :
>
>  > No, the connection is SSL encrypted using the key established by the auth.
>
>
>
> This leaves me puzzled. Jim says it is cleartext and that H18 used
> snoopy to verify their claims.
>
> Does that mean that there is a faulty version of drawterm going around
> or is someone talking out of their 10 gallon hat?
>
> m
>




* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 13:11 ` [9fans] " Jim Choate
  2003-08-25 13:18   ` andrey mirtchovski
@ 2003-08-25 16:05   ` matt
  2003-08-25 17:37     ` Jim Choate
  1 sibling, 1 reply; 14+ messages in thread
From: matt @ 2003-08-25 16:05 UTC (permalink / raw)
  To: 9fans

>
>
>>a simple sniff can copy your key strokes ...
>>the auth is secure but the connection is cleartext.  type away.
>>

Jim wrote :

>Yes, that is absolutely true. And we are well aware of it (sniffers are a
>regular tool for us, snoopy needs work!)
>

Russ wrote :

 > No, the connection is SSL encrypted using the key established by the auth.



This leaves me puzzled. Jim says it is cleartext and that H18 used
snoopy to verify their claims.

Does that mean that there is a faulty version of drawterm going around
or is someone talking out of their 10 gallon hat?

m




* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 15:46         ` Scott Schwartz
@ 2003-08-25 15:55           ` andrey mirtchovski
  2003-08-25 17:40           ` Jim Choate
  1 sibling, 0 replies; 14+ messages in thread
From: andrey mirtchovski @ 2003-08-25 15:55 UTC (permalink / raw)
  To: 9fans

On Mon, 25 Aug 2003, Scott Schwartz wrote:

> | several people, including me, have made fixes to drawterm which didn't
> | appear on the distribution, so i gather nobody really cares about it there.
>
> If someone is willing to act as maintainer, so there is at least one
> stable version, that should be ok even if it isn't in the official dist.

i have the versions compiled with my modifications at:

	http://pages.cpsc.ucalgary.ca/~mirtchov/p9/

there aren't any significant modifications -- just compiled the latest
available source for linux/bsd with the proper TCP options...
the windows version is old, but empirically verified to work :)

these may be updated at any time, since there are a few things i want to do
with drawterm -- fix a memory leak that i'm rarely able to reproduce, and
experiment with compressing the connection, to see if it won't speed
graphics slightly...

updating to 9p2000 is on the table, but knowing myself that won't happen
anytime soon, so no need to mention it (oops :)

andrey





* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 15:24       ` andrey mirtchovski
@ 2003-08-25 15:46         ` Scott Schwartz
  2003-08-25 15:55           ` andrey mirtchovski
  2003-08-25 17:40           ` Jim Choate
  0 siblings, 2 replies; 14+ messages in thread
From: Scott Schwartz @ 2003-08-25 15:46 UTC (permalink / raw)
  To: 9fans

| several people, including me, have made fixes to drawterm which didn't
| appear on the distribution, so i gather nobody really cares about it there.

If someone is willing to act as maintainer, so there is at least one
stable version, that should be ok even if it isn't in the official dist.




* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 14:00     ` Jim Choate
@ 2003-08-25 15:24       ` andrey mirtchovski
  2003-08-25 15:46         ` Scott Schwartz
  0 siblings, 1 reply; 14+ messages in thread
From: andrey mirtchovski @ 2003-08-25 15:24 UTC (permalink / raw)
  To: 9fans

On Mon, 25 Aug 2003, Jim Choate wrote:

> Why isn't it already there?
>
> It'd be easier to ask Bell Labs to update their distro to include it out
> of the box.
>
> To ask individuals to update in a piecemeal way is not very professional.
> Stop asking the end user to do the developer's and distributor's job.
>

as previously stated on this list, drawterm is unsupported by bell labs:

http://groups.google.com/groups?selm=3f8734f2e156e644c60414e47b867c85%40plan9.bell-labs.com&oe=utf-8&output=gplain

several people, including me, have made fixes to drawterm which didn't
appear on the distribution, so i gather nobody really cares about it there.
therefore you're on your own making drawterm behave as you want it to.

andrey




* [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 13:18 [9fans] " Russ Cox
@ 2003-08-25 14:02 ` Jim Choate
  0 siblings, 0 replies; 14+ messages in thread
From: Jim Choate @ 2003-08-25 14:02 UTC (permalink / raw)
  To: 9fans; +Cc: hangar18-general


On Mon, 25 Aug 2003, Russ Cox wrote:

> No, the connection is SSL encrypted using the key established by the auth.

Thanks for clearing that up. :)


 -- --
      ravage@ssz.com                            jchoate@open-forge.com
      www.ssz.com                               www.open-forge.com





* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 13:18   ` andrey mirtchovski
@ 2003-08-25 14:00     ` Jim Choate
  2003-08-25 15:24       ` andrey mirtchovski
  0 siblings, 1 reply; 14+ messages in thread
From: Jim Choate @ 2003-08-25 14:00 UTC (permalink / raw)
  To: 9fans


On Mon, 25 Aug 2003, andrey mirtchovski wrote:

> On Mon, 25 Aug 2003, Jim Choate wrote:
>
> > It's definitely on our 'To Do' list. Our long term plan is to have an
> > encrypted tunnel between each node, with each 'hub' node having a unique
> > key pair between it and each member node.
> >
>
> why not just update drawterm to 9p2000? :)

Why isn't it already there?

It'd be easier to ask Bell Labs to update their distro to include it out
of the box.

To ask individuals to update in a piecemeal way is not very professional.
Stop asking the end user to do the developer's and distributor's job.


 -- --
      ravage@ssz.com                            jchoate@open-forge.com
      www.ssz.com                               www.open-forge.com





* Re: [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 13:11 ` [9fans] " Jim Choate
@ 2003-08-25 13:18   ` andrey mirtchovski
  2003-08-25 14:00     ` Jim Choate
  2003-08-25 16:05   ` matt
  1 sibling, 1 reply; 14+ messages in thread
From: andrey mirtchovski @ 2003-08-25 13:18 UTC (permalink / raw)
  To: 9fans

On Mon, 25 Aug 2003, Jim Choate wrote:

> It's definitely on our 'To Do' list. Our long term plan is to have an
> encrypted tunnel between each node, with each 'hub' node having a unique
> key pair between it and each member node.
>

why not just update drawterm to 9p2000? :)






* [9fans] Re: NAT'ing a drawterm connection
  2003-08-25 12:35 [9fans] " Bruce Ellis
@ 2003-08-25 13:11 ` Jim Choate
  2003-08-25 13:18   ` andrey mirtchovski
  2003-08-25 16:05   ` matt
  0 siblings, 2 replies; 14+ messages in thread
From: Jim Choate @ 2003-08-25 13:11 UTC (permalink / raw)
  To: 9fans; +Cc: hangar18-general


On Mon, 25 Aug 2003, Bruce Ellis wrote:

> maybe you guys drawterming over open networks should consider
> the security of running a cleartext 9p connection over such a connection.
> that's what you are doing.  a simple sniff can copy your key strokes ...
> the auth is secure but the connection is cleartext.  type away.

Yes, that is absolutely true. And we are well aware of it (sniffers are a
regular tool for us, snoopy needs work!) However, before we can stick a
tunnel around it we need to understand what and how things are working.

I'd say a bug needs to be entered against Drawterm for not using the inherent
crypto of Plan 9. How long has this app been around, how many people will
use it? Poor decision not to include this when it was first crafted.

It's definitely on our 'To Do' list. Our long term plan is to have an
encrypted tunnel between each node, with each 'hub' node having a unique
key pair between it and each member node.


 -- --
      ravage@ssz.com                            jchoate@open-forge.com
      www.ssz.com                               www.open-forge.com





Thread overview: 14+ messages
2003-08-26  1:53 [9fans] Re: NAT'ing a drawterm connection Skip Tavakkolian
  -- strict thread matches above, loose matches on Subject: below --
2003-08-25 13:18 [9fans] " Russ Cox
2003-08-25 14:02 ` [9fans] " Jim Choate
2003-08-25 12:35 [9fans] " Bruce Ellis
2003-08-25 13:11 ` [9fans] " Jim Choate
2003-08-25 13:18   ` andrey mirtchovski
2003-08-25 14:00     ` Jim Choate
2003-08-25 15:24       ` andrey mirtchovski
2003-08-25 15:46         ` Scott Schwartz
2003-08-25 15:55           ` andrey mirtchovski
2003-08-25 17:40           ` Jim Choate
2003-08-25 16:05   ` matt
2003-08-25 17:37     ` Jim Choate
2003-08-26 11:22       ` matt
2003-08-28  0:13         ` Bruce Ellis
2003-08-28  8:21           ` matt
