Graphical terminal emulator and SSH proxy.

 
 
san
Guest
Posts: n/a

 
      01-11-2004, 10:36 PM
Hi all,

5 days ago I sent a message: "Graphical terminal emulator for
Windows->Linux access". After that I got a lot of criticism basically
concerning low security of this solution.

OK, I agree and for people who are very concerned about security I spent
4 days developing an SSH proxy server which supports SSH1/SSH2 protocols.
I included it in the UnixSpace package. In case of an SSH connection, the
terminal automatically runs a proxy, and the proxy keeps a connection
with the remote server.
So now the UnixSpace terminal has 4 protocols: telnet, SSH, rlogin and
telnet through port 80.

On the other hand I think the SSH proxy server may be useful not only as
a part of the UnixSpace terminal but as a separate program. The idea is
very simple, your application can run SSHproxy (argv[1] is the port
number for communication between application and proxy), the proxy sends
prompt and waits for the command line from the application. The command
line includes the address of the remote host, probably some additional
arguments ( -terminal:... , -rlogin and so on) and '\n'. That's it.
What do you think about it? May these be useful utilities?

You can download it from www.unixspace.com/download, the evaluation
version has no time limit.

Alexander Lashenko.

 
 
 
 
 
Leon.
Guest
Posts: n/a

 
      01-11-2004, 11:20 PM
>
> You can download it from www.unixspace.com/download, the evaluation
> version has no time limit.
>
> Alexander Lashenko.
>



What the heck does "setup.exe" do? It just runs and says "setup complete".


Does it enter registry items? If so, how do I delete these registry entries?
I assume it used the registry, as without running setup.exe
"unixspace.exe" says "must be run from c:\Program Files\Unixspace\" or some
such.
But it ran from d:\unixspace\ after I ran setup.exe from d:\unixspace


Unixspace.exe .... shows a screen allowing me to specify protocols but not
port number.
Obviously it assumes protocol specifies port number.

It didn't ask me if I wanted to start 4 windows, it has 4 windows at all
times and 4 windows only.


If I go to window 4, it says it has an error, even though I never configured
window 4 to connect anywhere. (Why not a little 'enable' radio button on
each window?)



Why make ssh a proxy system? Does that mean it's an open ssh proxy, if
you don't firewall it off?



 
 
san
Guest
Posts: n/a

 
      01-12-2004, 12:25 AM

Leon. wrote:
>>You can download it from www.unixspace.com/download, the evaluation
>>version has no time limit.
>>
>>Alexander Lashenko.
>>

>
>
>
> What the heck does "setup.exe" do ? it just runs and says "setup complete".
>
>



Setup.exe just creates the C:/Program Files/UnixSpace folder, 2
subdirectories bin and etc and copies files.

> Does it enter registry items ? If so, how do i delete these registry entries
> ?



No.

> I assume it used the registry, as without running setup.exe
> "unixspace.exe" says "must be run from c:\Program Files\Unixspace\" or some
> such.
> But it ran from d:\unixspace\ after I ran setup.exe from d:\unixspace
>
>
> Unixspace.exe .... shows a screen allowing me to specify protocols but not
> port number.


SSH - port 22, telnet - 23, rlogin - 513, http-telnet - 80.
Do you think it is necessary to have the ability to change it?

> Obviously it assumes protocol specifies port number.
>
> It didn't ask me if I wanted to start 4 windows, it has 4 windows at all
> times and 4 windows only.
>
> If I go to window 4, it says it has an error, even though I never configured
> window 4 to connect anywhere. (Why not a little 'enable' radio button on
> each window?)
>
>


If you want to use other virtual consoles (or windows if you call them
so), you should set up settings for this channel before using it. First of
all you should edit the 'Host Setting' dialog, after that click on 'Save'
and on 'Connect' in the main menu.

Concerning 'enable' button: What should this button do?

For instance on my PC I use all 4 screens:
Screen 1: 100.1.1.10, Protocol: telnet, Terminal: UnixSpace, lines: 42
(this is my FreeBSD box in the local network),
Screen 2: 120.1.1.1, Protocol: telnet, Terminal: UnixSpace, lines: 42
(it is a Linux box),
Screen 3: unixspace.com, Protocol: SSH, Terminal: Linux, lines: 25
(remote server)
Screen 4: 120.1.1.10, Protocol: http-telnet, Terminal: Linux, Lines: 42
(Linux as a virtual PC inside Windows)

Basically I use 1-2 screens but until I click on Screen 3 or Screen 4
they are disconnected. If I want to connect to unixspace.com, the
connection will only exist after I click on Screen 3.

>
> Why make ssh a proxy system? Does that mean it's an open ssh proxy, if
> you don't firewall it off?
>
>


At the beginning I wanted to add this protocol into the UnixSpace code, but
later I found a better solution. UnixSpace is a graphical terminal and that
is its main feature. The communication protocol is not a part of the
terminal, so I made it into an independent server. The telnet protocol
is very simple and it is integrated in the terminal, but the SSH2 protocol
is very big (260KB against 80KB of the terminal binary).

Now I have this architecture:

Terminal<-port 2348->Proxy<- port 23-->Remote Unix
-----------Windows----------------- ----Unix-------

This solution is more flexible. You can run SSHProxy, and try something
like:
telnet 127.1 2348
>remote_IP<Enter>

Login:

A.L.

 
 
Grant Edwards
Guest
Posts: n/a

 
      01-12-2004, 02:49 AM
In article <(E-Mail Removed)>, san wrote:

> SSH - port 22, telnet - 23, rlogin - 513, http-telnet - 80.
> Do you think it is necessary to have the ability to change it?


Of course. All other ssh and telnet clients allow you to
specify port numbers. There are various reasons why that is
useful. I can expound if you like, but the fact that your
competition all have that feature should be a clue that
people need it.

--
Grant Edwards                   grante at visi.com
Yow! -- In 1962, you could buy a pair of SHARKSKIN SLACKS, with a
"Continental Belt," for $10.99!!
 
 
Cameron Kerr
Guest
Posts: n/a

 
      01-12-2004, 05:07 AM
In comp.os.linux.networking san <(E-Mail Removed)> wrote:

> On the other hand I think the SSH proxy server may be useful not only as
> a part of the UnixSpace terminal but as a separate program. The idea is
> very simple, your application can run SSHproxy (argv[1] is the port
> number for communication between application and proxy), the proxy sends
> prompt and waits for the command line from the application. The command
> line includes the address of the remote host, probably some additional
> arguments ( -terminal:... , -rlogin and so on) and '\n'. That's it.
> What do you think about it? May these be useful utilities?


In short, it can be a useful thing to have, but your method is lacking.
There is perhaps only one good reason for needing to use a proxy for
SSH, and that is to navigate firewalls, or if you have to go via a
machine that is not/may not be configured for IP forwarding.

In that case, the best, most feasible way is to run ssh as a command
when logged in (ie. instead of a shell).

outside$ ssh -A -t gateway ssh -A -t internal_machine

Unlike the proxy you propose, this method can be used a) without a
proxy, b) to chain together more than two levels.

I have a script that does this for me and escapes commands.

http://nzgeeks.org/cameron/progs/sshmh.php

For the example above, I would use

sshmh gateway:internal_machine

(user is required to have SSH keys with agent running)

or xsshmh gateway:internal_machine, which would start it in an xterm
with a useful title.

(Note, it will be rewritten a bit at some point to deal with IPv6
literal addresses)

COLN readers might also be interested in my snmprtg program, a basic
SNMP graphing utility.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
Leon.
Guest
Posts: n/a

 
      01-12-2004, 12:03 PM
> Setup.exe just creates the C:/Program Files/UnixSpace folder, 2
> subdirectories bin and etc and copies files.
>
> > Does it enter registry items ? If so, how do i delete these registry
> > entries ?
>
> No.
>
> > I assume it used the registry , as without running setup.exe
> > "unixspace.exe" says "must be run from c:\Program Files\Unixspace\ or
> > some such.
> > But it ran from d:\unixspace\ after i ran setup.exe from d:\unixspace


Ah, so the error message was misleading.
It actually just requires that there be files in
c:\program files\unixspace2\ ... for it to read.

Most windows installers ask where you want to install the program.


Not everybody installs programs to c:\Program Files\ .... although that is
common.


> > Unixspace.exe .... shows a screen allowing me to specify protocols but
> > not port number.
>
> SSH - port 22, telnet - 23, rlogin - 513, http-telnet - 80.
> Do you think it is necessary to have the ability to change it?


Yes, it is necessary to change these.



> Concerning 'enable' button: What should this button do?


Answer: Prevent the disabled windows trying to connect ,
doing DNS lookups, etc.

Or

If there is no enable/disable, the windows shouldn't become active until the
user presses the "connect" button on that window.


I think at present all 4 windows are active when the program starts, then
shutdown due to failure to connect or timeout disconnect and produce a few
error messages.


>
> Terminal<-port 2348->Proxy<- port 23-->Remote Unix
> -----------Windows----------------- ----Unix-------
>
> This solution is more flexible.



Yes that is flexible. but is it secure ? Does the proxy listen to 127.0.0.1
only ?
or does it have another way to accept connections from only 127.0.0.1 ?
Or is it open for the entire network to use ?







 
 
san
Guest
Posts: n/a

 
      01-12-2004, 12:46 PM
I see. Tomorrow it will be done.

Grant Edwards wrote:
> In article <(E-Mail Removed)>, san wrote:
>
>
>>SSH - port 22, telnet - 23, rlogin - 513, http-telnet - 80.
>>Do you think it is necessary to have the ability to change it?

>
>
> Of course. All other ssh and telnet clients allow you to
> specify port numbers. There are various reasons why that is
> useful. I can expound if you like, but the fact that your
> competition all have that feature should be a clue that
> people need it.
>


 
 
san
Guest
Posts: n/a

 
      01-13-2004, 08:10 PM


Leon. wrote:

>
>
> Not everybody installs programs to c:\Program Files\ .... although that is
> common.
>
>


The thing is that the terminal has to run the proxy, and the terminal
should have information about where exactly this program is. Besides, I use
the UnixSpace terminal as an interface to DBMS ConteXt. In this case ConteXt
runs UnixSpace.exe. Probably it is not the best solution but I don't want
to use the registry. I don't like it.

>
>>>Unixspace.exe .... shows a screen allowing me to specify protocols but
>>>not port number.
>>
>>SSH - port 22, telnet - 23, rlogin - 513, http-telnet - 80.
>>Do you think it is necessary to have the ability to change it?
>
> yes, is necessary to change these.
>
>


It is done. Take a new version.

>
>
>>Concerning 'enable' button: What should this button do?

>
>
> Answer: Prevent the disabled windows trying to connect ,
> doing DNS lookups, etc.
>
> Or
>
> If there is no enable/disable, the windows shouldn't become active until the
> user presses the "connect" button on that window.
>
>
> I think at present all 4 windows are active when the program starts, then
> shutdown due to failure to connect or timeout disconnect and produce a few
> error messages.
>
>


No, only the first screen is active, the others will be active after you
select it.

>
>>Terminal<-port 2348->Proxy<- port 23-->Remote Unix
>>-----------Windows----------------- ----Unix-------
>>
>>This solution is more flexible.

>
>
>
> Yes that is flexible. but is it secure ? Does the proxy listen to 127.0.0.1
> only ?
> or does it have another way to accept connections from only 127.0.0.1 ?
> Or is it open for the entire network to use ?
>


SSHProxy is not a daemon. (Or I do not use it in this mode).
The protocol is:
1. UnixSpace.exe runs SSHProxy.exe
2. SSHProxy.exe starts to listen on some port
3. UnixSpace.exe connects to SSHProxy
4. SSHProxy accepts a new socket and closes the old one.
It takes just a few milliseconds, so after this moment SSHProxy will
listen to nothing.



A.L.
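
The listener lifecycle described in the post above (listen, accept one connection, close the listening socket), combined with the loopback-only binding asked about earlier in the thread, as an added example that is not UnixSpace or SSHProxy code. The function names, the ephemeral port and the timeout are assumptions made for illustration.

```python
import socket
import threading

def start_one_shot_listener(port=0, timeout=5.0):
    """Listen on loopback only, accept exactly one client, then stop listening."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Binding to 127.0.0.1 (not "" / 0.0.0.0) keeps other hosts out even
    # during the short window in which the port is open.
    lsock.bind(("127.0.0.1", port))
    lsock.listen(1)
    lsock.settimeout(timeout)          # do not wait forever for the terminal
    state = {"addr": lsock.getsockname(), "conn": None, "peer": None}
    done = threading.Event()

    def serve():
        try:
            conn, peer = lsock.accept()
        except OSError:                # timeout or socket error: nobody connected
            conn, peer = None, None
        finally:
            lsock.close()              # step 4: the listening socket goes away
        # Defence in depth: reject anything that is not a loopback peer.
        if conn is not None and peer[0] != "127.0.0.1":
            conn.close()
            conn = None
        state["conn"], state["peer"] = conn, peer
        done.set()

    threading.Thread(target=serve, daemon=True).start()
    return state, done

def demo():
    """Return (bind host, first client accepted?, second client refused?)."""
    state, done = start_one_shot_listener()
    host, port = state["addr"]
    first = socket.create_connection((host, port), timeout=2)
    done.wait(5)                       # listener has been closed by now
    try:
        socket.create_connection((host, port), timeout=2).close()
        second_refused = False
    except OSError:
        second_refused = True
    accepted = state["conn"] is not None
    first.close()
    if state["conn"] is not None:
        state["conn"].close()
    return host, accepted, second_refused

if __name__ == "__main__":
    print(demo())
```

Closing the listener only shortens the exposure window; the loopback bind is what decides who can reach the port while it is open. On a multi-user machine another local process can still connect first, so the accepted peer is not authenticated by this alone.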
