VOGONS


First post, by fragmentfi


The original SSH2DOS was last updated in 2006 and the protocols and ciphers it uses are outdated and basically it does not work anymore. I've patched the program to be up to date (as of 2021).

The old programs can still be used if the ssh server configuration is changed to allow using less secure connection methods. The patched ones have been tested with the latest Ubuntu (20.04.2 LTS) release and need no changes to the ssh server configuration.

Old protocols and ciphers have been replaced as follows:
diffie-hellman-group1-sha1 -> diffie-hellman-group14-sha256
aes128-cbc -> aes128-ctr
hmac-sha1 -> hmac-sha2-256

I have only tested ssh and scp clients with password authentication. Key based authentication is most likely broken and needs some more work. Other changes to the program are minimal, the goal was just to get it working again with minimum effort.

I'm open for comments, bug reports and improvement ideas!

Source and binaries are available on GitHub:
https://github.com/AnttiTakala/SSH2DOS/

Reply 3 of 10, by mr.cat


Greetings, Antti 😁

I'm not a DOS user but got curious: What are these DOS versions using as an entropy source?
There is no /dev/random for DOS is there? I know in some other systems there are separate entropy daemons used, and they need to be configured by the user.

Reply 4 of 10, by fragmentfi


Good question. The original implementation only uses rand() for randomness so it really isn't cryptographically secure at all. This could be addressed in the future but I wouldn't be surprised if the implementation has other potential security issues. On the other hand I would not use DOS based systems or programs for anything serious anyway 😁

Reply 5 of 10, by mr.cat


Thanks, that's pretty much what I suspected. You're right it's more of a convenience to provide connectivity to modern machines, not really for security.
Hopefully the potential users are aware of that.

Anyways, nice to see that even the humble ole DOS hasn't been left behind 😁

Reply 7 of 10, by fragmentfi


There is now a release package on GitHub for the initial release.

Something to note: the non-386 versions are slow. The process between starting the program and prompting for a password takes 11 seconds on my 266MHz Pentium II when connecting to a machine in the same network. For the 386 version it takes only about one second. As I currently only have Pentium class DOS machines, I'd be interested in hearing some feedback and test results from slower machines.

Reply 8 of 10, by keenmaster486

fragmentfi wrote on 2021-04-15, 16:38:

> There is now a release package on GitHub for the initial release.
>
> Something to note: the non-386 versions are slow. The process between starting the program and prompting for a password takes 11 seconds on my 266MHz Pentium II when connecting to a machine in the same network. For the 386 version it takes only about one second. As I currently only have Pentium class DOS machines, I'd be interested in hearing some feedback and test results from slower machines.

I can attempt this later today on my 286.

I flermmed the plootash just like you asked.

Reply 9 of 10, by Stiletto

fragmentfi wrote on 2021-04-15, 10:21:

> Good question. The original implementation only uses rand() for randomness so it really isn't cryptographically secure at all. This could be addressed in the future but I wouldn't be surprised if the implementation has other potential security issues. On the other hand I would not use DOS based systems or programs for anything serious anyway 😁

Time for the return of the lava lamp entropy generator? 😁

"I see a little silhouette-o of a man, Scaramouche, Scaramouche, will you
do the Fandango!" - Queen

Stiletto