gemini - kennedy.gemi.dev

💾 Archived View for zaibatsu.circumlunar.space › ~solderpunk › phlog › were-bringin-finger-back.txt captured on 2022-06-11 at 22:35:59.

-=-=-=-=-=-=-

We're bringin' finger back!
---------------------------

It's a lively time in the pubnix scene! Things in circumlunar space
are developing rapidly. See recent posts by slugmax[1,2] and
visiblink[3] for updates on the Republic colony and our new XMPP
server. Federation between the Zaibatsu and Republic is working
smoothly, with email, IRC and BBS joining the two into a single user
community, as was always the plan. We are also now exchanging email
with other pubnix hosts, tying ourselves into the wider pubnixverse
according to my two-tier structure philosophy[4]. It's an exciting
time. Welcome to all the new sundogs at the Republic!

This post is about another project to join all pubnixes together,
which some of you may be aware of. The title says it all, really.
We're bringin finger back!

Yes, that's right finger, of RFC742.

If you're a sysadmin-type, you possibly just broke out into a cold
sweat. Finger seems to have a terrible reputation online these days
with regards to security. Worse even than telnet, perhaps. I have
read comments to the effect of "nobody who cares about security runs a
fingerd" or "you're brave to run a fingerd in this day and age!". I
honestly believe that in the context of a public access unix server
this attitude doesn't make a lot of sense, but before I elaborate on
this, a quick overview "for those who came in late".

Finger is a very simple TCP protocol assigned well-known port 79. The
gist of it is that you connect to a remote host, send a username
followed by CRLF, and the remote host sends you back some information
about that user and closes the connection. It's gopher-like in its
simplicity. When I say "some information", I mean the contents of
your GECOS field (the weird ancient personal metadata enshrined in the
/etc/passwd file since the earliest days of Unix, which tells your
full name, building, room number, and telephone numbers - if you opted
to enter them when creating your account, of course) as well as the
contents of some files in your home directory - ~/.project, which, by
convention, was a relatively static file explaining what it was you
worked on, in general, and ~/.plan, which was updated more frequently
(perhaps at the start of each week) with more finegrained information,
including details on where/when/how to find/contact you. All of this
obviously harks back to the days when multi-user unix deployments were
invariable at universities or the research department of large
companies. It was basically a kind of distributed staff directory.

If you're near a shell right now, you can finger yourself (ahem) by
simply typing e.g. `finger solderpunk` to see the kind of thing we're
talking about. On your local machine, it's very likely you'll see
somewhere in the output "No plan", because ~/.plan files nowadays are
pretty rare.

Why would people freak out about running fingerd? I think a little
bit of the hysteria comes from the fact that fingerd was one of the
exploited pieces of software used to facilitate the spread of the
infamous Morris Worm[5], back in the day. This is irrational - that
attack was not based on some kind of protocol-level weakness in
finger, but rather on a buffer overflow vulnerability in a common
implementation of the time which, believe it or not, has been patched
since the late 80s. At the end of the day, what fingerd mostly does
is to accept a single query line over TCP, reads some files in a
user's home directory, and send the contents of those files back to
the client. If it's possible to write a secure HTTP server, it's
possible to write a secure finger server. In fact, it's *easier* to
write a secure finger server as a simple consequence of the protocol
being far simpler than HTTP.

The second and somewhat more valid concern is that some versions of
fingerd will respond to an empty query line (just a CRLF over the wire
and that's it) with a list of all the system's users, which some would
argue could then be used to help attack the system. If you've ever
run an sshd on the public internet and looked at your logs, you'll
know that brute force attacks are a fact of life, and many of them use
common firstnames as usernames. Running a fingerd that basically
hands out valid usernames arguably makes such brute force attacks
easier.

Is this a practical threat to, say, the Zaibatsu? No. For one
thing, password authenatication for ssh sessions is not allowed. It's
private key or bust, and 1024-bit or longer keys are not practically
brute forcable, not by a long shot. It doesn't matter if somebody
knows a valid username, if they don't have that persons' key they are
not getting in. There are no other network services running which
require a username. One might argue that knowing a username is still
of value to an attacker, e.g. if they find a vulnerability in
gophernicus or the git server or something else we're running, knowing
a username might be of some value in exploiting that. But this brings
me by next point, which is that fingerd or no the list of usernames at
the Zaibatsu is not a secret. They are literally all spelled out on
the main gopher page, right there. This is also true at SDF, Grex and
pretty much any other multi-user gopher host. It's true of just about
any pubnix, even ones which don't offer gopher hosting - you can
probably harvest usernames from the URLs of user pages at pubnixes
which offer webhosting. Hiding usernames is counter-productive to the
mission of a pubnix, so shying away from running fingerd for this
reason makes no sense.

The one legitimate reason I can think of to consider running fingerd
scarier than running httpd is related to the privacy of your users.
It's not a problem that standard fingerd implementations share GECOS
information or .project and .plan - those are under the direct control
of the user, so people can share as little or as much as they like (I
don't think *any* user at the Zaibatsu has put their real name in
their GECOS field). However, standard implementations also indicate
whether or not a user is logged in or not, and if not when they last
were, including, crucially, the IP address they (last) logged in from.

That* is a huge no-no in this day and age. Combined with reverse DNS

lookups and GeoIP location, this information can go a long way toward
de-anononymising a pubnix user, in extreme cases facilitating doxing,
SWATting and other very unpleasant occurences.

Of course, we don't have to stick with standard fingerd
implementations. Writing a fingerd is trivial, and there are third
party options out there which offer some customsiability. One of
them, efingerd, is in use now at the Zaibatsu, at cosmic.voyage and at
baud.baby, and offers complete control over finger output. The
sysadmin can write a default script to generate finger output, and
individual users can override this for their own username if they
want. This makes it possible to avoid IP address leakage, which is a
good thing.

Assuming we plug that little hole, and limit finger to sharing GECOS,
~/.project, ~/.plan and other things under direct user control, what
do we have in finger? An IETF-standardised, decentralised network for
publishing plain-text personal metadata - a crude, extensible, open
social network that works from the command line using software which
is already installed on or easily available for 99% of *nixes. That's
kind of exciting, right? The obvious modern adaptations of ~/.project
and ~/.plan are to use ~/.project as a "profile page" and ~/.plan as a
"status update" or, if you like, a "blog post". This is not at all
without precedent. From the mid-90s through 2010, ID Software
programmer turned private rocketeer John Carmack famously used his
.plan file as, essentially, a blog. They are archived on github for
the curious[6].

The pubnix environment is the natural place to stage a modern day
revival of finger as a minimal text-only social network without any of
the nasty features of the "real" ones. The tools are already there.
The interface is a bit clunky, though. Having to type `finger
tomasino@cosmic.voyage`, and then `finger cat@baud.baby`, and so on,
checking your "timeline" manually is a huge pain in the ass.

So it's a good thing I've written a tool called `fellowsh` to solve
this problem. It's fellowsh as in "fellowship shell", which is a
reference to a nice quote from Unix inventor Dennis Ritchie:

> What we wanted to preserve was not just a good environment in
> which to do programming, but a system around which fellowship could
> form.

fellowsh is written in Lua so it's nice and light, and it basically
combines or provides an interface to a whole bunch of traditional unix
"social tools", like `finger`, `last`, `talk`, `who` and `write`. It
shows you the username, login status, local time and current .plan of
all the users in a list, which by default is all local users on the
system, but you can ignore some local users and you can add remote
users, to build up something like a "friends list", which is ordered
top-to-bottom by most recently logged in. You can "refresh" the list
and it will do all the remote fingering to update people's plans. In
the case of local users, you can also list their currently running
processes or launch a `talk` or `write` session.

Remote users are right now "second class citizens" in a sense, because
fellowsh has no way to directly access information like whether or not
they are currently logged in or if not when they last were. It *will*
extract that information from finger output if the remote user's
fingerd provides it, but right now, this is rare. It works with
grex.org users, and with Zaibatsu users (our fingerd publishes
login/logout status and times *without* IP addresses), but that's
about it. But if this thing takes off, and the community develops
standards for what sort of information to include in finger output and
what format to include it it, fellowsh and other tools could treat
remote and local users more or less identically.

If you'd like to experiment with fellowsh, like all software developed
at the Zaibatsu it has a gopher page[7] with instructions on how to
clone the repo and a link to download a .zip of the current repo
contents without even leaving your gopher client! It requries the
luafilesystem, penlight and luatz libraries, which are all available
through luarocks. If you have any problems at all, let me know. If
you run, or are thinking of running, a pubnix server, consider
installing a modern fingerd which gives you control over the output so
your users can participate in this experiment. If you're on a pubnix
and you'd like to participate, show this phlog post to your admin(s)!
If you're on cosmic.voyage, you're in luck because efingerd and
fellowsh are both already installed there. Fire up your editor and
make a .plan!

[1] gopher://zaibatsu.circumlunar.space:70/1/~slugmax/cgi-bin/slerm?republic-new-users-update.post
[2] gopher://zaibatsu.circumlunar.space:70/1/~slugmax/cgi-bin/slerm?more-republic-updates.post
[3] gopher://zaibatsu.circumlunar.space:70/0/~visiblink/phlog/20181230
[4] gopher://zaibatsu.circumlunar.space:70/0/~solderpunk/phlog/micro-pubnixes-local-flavour-and-two-tier-structure.txt
[5] https://en.wikipedia.org/wiki/Morris_worm
[6] https://github.com/oliverbenns/john-carmack-plan
[7] gopher://zaibatsu.circumlunar.space:70/1/software/fellowsh