• Use passwords only if needed?

    From buanzo@4:900/107 to All on Mon Apr 5 22:59:14 2021
    Hi All,

    So, my hub sends me .PKT without passwords. I made the mistake of configuring the node to use a .PKT password, so of course mutil sees them as Invalid PKT.

    I was wondering, is there any reason why Mystic attempts to use a password on
    a .PKT when it is not needed, at least to detect the situation and log a more appropriate message?

    Cheers!

    --- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
    * Origin: DaRK Game BBS (4:900/107)
  • From IB Joe@1:342/201 to buanzo on Mon Apr 5 20:17:34 2021
    On 05 Apr 2021, buanzo said the following...

    > Hi All,
    >
    > So, my hub sends me .PKT without passwords. I made the mistake of configuring the node to use a .PKT password, so of course mutil sees
    > them as Invalid PKT.
    >
    > I was wondering, is there any reason why Mystic attempts to use a
    > password on a .PKT when it is not needed, at least to detect the
    > situation and log a more appropriate message?


    I made the same comment a while back.... If I got mail sent directly from Nick Andre with my Mystic system, Mystic would reject the packets as BAD... password issue... BUT if I send them through my hub address... it would take them just fine. Nick and I use no packet password...

    IB Joe
    AKA Joe Schweier
    SysOp of Joe's BBS
    -=JoesBBS.com=-

    --- Mystic BBS v1.12 A47 2021/01/16 (Raspberry Pi/32)
    * Origin: JoesBBS.Com, Telnet:2323 SSH:2222 HTTP:80 (1:342/201)
  • From g00r00@1:129/215 to buanzo on Mon Apr 5 23:47:28 2021
    > So, my hub sends me .PKT without passwords. I made the mistake of configuring the node to use a .PKT password, so of course mutil sees
    > them as Invalid PKT.
    >
    > I was wondering, is there any reason why Mystic attempts to use a
    > password on a .PKT when it is not needed, at least to detect the
    > situation and log a more appropriate message?

    I may not be understanding your question but I'll give it a shot and if I am misunderstanding let me know.

    In the first quote it sounds to me like Mystic is requiring a password for the PKT because you've configured it to require a password for the PKT.

    I am assuming in the second quote you are talking about unsecure echomail. The PKT defines if it requires a password to process it, so if Mystic receives an unsecure echomail packet that says it requires a password, Mystic will not process it. Mystic should never process a password-secured echomail packet if it doesn't know the password.

    The resulting error message in the latest version looks like:

    + Importing ABCD.PKT (from 1:1/1 to 1:2/1)
    ! Password found but no configuration for node 1:1/1

    In older versions it used to only say "! Bad password" but that was changed to add the "no configuration for node <addr>" text a handful of months back I think (in A47 so if you're on A46 you probably just see Bad Password).

    If you think that error message could be reworded to be clearer let me know and I will consider changing it for you!

    --- Mystic BBS v1.12 A47 2021/04/01 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
  • From g00r00@1:129/215 to buanzo on Wed Apr 7 12:28:40 2021
    > What I was wondering, is, instead of "invalid PKT" it could show "Attempted to use password, but .PKT does not require it, please unconfigure it".

    I think it's tough to put in a message like that because Mystic doesn't really know who made the mistake. In your specific case it would be correct, but it could just as well be the opposite: You agreed to use a password but the hub forgot to configure the password on their side.

    So because of that Mystic just tells you that the passwords do not match and leaves it up to the SysOp and Hub to figure out which one made the mistake.

    --- Mystic BBS v1.12 A47 2021/04/01 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
  • From buanzo@4:900/107 to g00r00 on Wed Apr 7 15:24:16 2021
    On 07 Apr 2021, g00r00 said the following...
    > I think its tough to put in a message like that because Mystic doesn't really know who made the mistake. In your specific case it would be

    Right. What about this pseudocode?

    if PKT_file IS password_protected:
        if No_PKT_Password_configured:
            error('Protected PKT requires password, configure it')
            skip_PKT;
        else
            process_PKT;
    else // pkt is not password protected
        if PKT_password_IS_configured:
            warning('PKT password configured, but packet is NOT protected.')
        process_PKT;

    Makes sense?

    --- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
    * Origin: DaRK Game BBS (4:900/107)
  • From g00r00@1:129/215 to buanzo on Wed Apr 7 15:52:54 2021
    > Right. What about this pseudocode?

    The key is off of the address of the sender and the test is if the passwords match or not. I could change it but that is how it's coded as it stands today.

    Here is the current logic in the latest A47 code with exact error message text:

    If sender's address is known (ie there is a configuration entry for the address):
        If PKT password does not match configuration's PKT password:
            error "PKT password does not match password set for 1:1/1"

    If sender's address is unknown:
        If PKT has password:
            error "PKT password found but no configuration for 1:1/1"

    To me it seems pretty straightforward but feel free to make changes to that logic if you think it needs it!

    --- Mystic BBS v1.12 A47 2021/04/01 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
  • From buanzo@4:900/107 to g00r00 on Thu Apr 8 10:37:42 2021
    > If sender's address is unknown:
    >     If PKT has password:
    >         error "PKT password found but no configuration for 1:1/1"

    So, if PKT does NOT have password but a password is configured, it should detect it and NOT use it, and at least provide a warning 'PKT password specified for address, but PKT does not require it' (instead of saying 'invalid pkt'... which is not real. The PKT is fine, the problem is something else).

    Thanks

    Don't worry about it!
    --- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
    * Origin: DaRK Game BBS (4:900/107)
  • From g00r00@1:129/215 to buanzo on Thu Apr 8 11:02:30 2021
    > So, if PKT does NOT have password but a password is configured, it should detect it and NOT use it, and at least provide a warning 'PKT password specified for address, but PKT does not require it' (instead of saying 'invalid pkt'... which is not real. The PKT is fine, the problem is something else).

    There is no error that says "Invalid PKT" in the current version. If that were the error message I agree it'd absolutely need to be changed! The error message is "PKT password does not match password set for <address>".

    In terms of the PKT password logic: I understand what you're saying but I am not sold on changing it and let me explain why.

    We cannot be sure a system connecting to you and saying it's your hub is really your hub, so the security provided by a PKT password is a two-way street. In other words if Mystic would ignore a missing password from an incoming PKT it would create a big security hole.

    Let's say for example you have a hub connection to 1:1/1 and you've configured it to require a PKT password. An unknown system connects to you and sends you a PKT file "from 1:1/1" that contains 1,000,000 gibberish echomail messages.

    Result 1 (Mystic today):

    Mystic sees that the password you've configured for 1:1/1 does not match what is in the PKT. The PKT files are refused because Mystic cannot be sure the PKT files are legit. The error message is: "PKT password does not match password set for 1:1/1"

    (This message used to just be 'Bad password' but I've changed it)

    Result 2 (if I changed it to not use it):

    Mystic sees that the PKT does not have the password you've set up, but processes it anyway. Your BBS system is flooded with 1,000,000 gibberish echomail messages from an unknown system pretending to be 1:1/1. Your system is also a hub for 10 other systems too and those 1,000,000 messages are sent to the downlinks flooding the network with 11,000,000 gibberish messages.

    --- Mystic BBS v1.12 A47 2021/04/01 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
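    The decision logic g00r00 lays out (configured address: passwords must match; unknown address: a password-bearing packet is refused) and the spoofed-hub flood scenario above, worked as an added example. This is my own reconstruction in Python, not Mystic's code: the type-2 PKT header offsets follow my reading of FTS-0001 (origin node at 0, origin net at 20, 8-byte NUL-padded password at 26, origin zone at 34) and are an assumption, the `node_config` dict standing in for the node configuration is my invention, the packet bytes are constructed test data, and password comparison is exact (whether Mystic compares case-insensitively is not stated in the thread). The log lines reuse the wording quoted in the thread.

```python
import struct
from typing import Dict, Tuple

# Type-2 PKT header is 58 bytes; offsets per my reading of FTS-0001 (assumption).
PKT_HEADER_LEN = 58
OFF_ORIG_NODE, OFF_PKT_TYPE, OFF_ORIG_NET = 0, 18, 20
OFF_PASSWORD, OFF_ORIG_ZONE = 26, 34  # password: 8 bytes, NUL padded


def build_pkt_header(zone: int, net: int, node: int, password: str = "") -> bytes:
    """Constructed test data: a minimal type-2 header claiming origin zone:net/node."""
    hdr = bytearray(PKT_HEADER_LEN)
    struct.pack_into("<H", hdr, OFF_ORIG_NODE, node)
    struct.pack_into("<H", hdr, OFF_PKT_TYPE, 2)
    struct.pack_into("<H", hdr, OFF_ORIG_NET, net)
    hdr[OFF_PASSWORD:OFF_PASSWORD + 8] = password.encode("ascii")[:8].ljust(8, b"\x00")
    struct.pack_into("<H", hdr, OFF_ORIG_ZONE, zone)
    return bytes(hdr)


def parse_pkt_header(hdr: bytes) -> Tuple[str, str]:
    """Return (claimed origin address, packet password) from a type-2 header.
    An empty password means the packet is unsecure, i.e. it carries no password."""
    if len(hdr) < PKT_HEADER_LEN:
        raise ValueError("PKT header too short")
    node = struct.unpack_from("<H", hdr, OFF_ORIG_NODE)[0]
    net = struct.unpack_from("<H", hdr, OFF_ORIG_NET)[0]
    zone = struct.unpack_from("<H", hdr, OFF_ORIG_ZONE)[0]
    raw_pw = hdr[OFF_PASSWORD:OFF_PASSWORD + 8].split(b"\x00", 1)[0]
    return f"{zone}:{net}/{node}", raw_pw.decode("ascii", "replace")


def check_pkt(sender: str, pkt_password: str, node_config: Dict[str, str]) -> Tuple[bool, str]:
    """The A47 logic as described in the thread (my reconstruction, not Mystic's code).

    node_config maps a configured address to its PKT password ('' = no password).
    Returns (accept, log_line). The claimed sender address is never trusted on its
    own: a matching password is the only evidence that the configured node sent it.
    """
    if sender in node_config:
        if pkt_password != node_config[sender]:
            return False, f"! PKT password does not match password set for {sender}"
        return True, f"+ Importing PKT from {sender} (configured node, password matches)"
    if pkt_password:
        return False, f"! PKT password found but no configuration for {sender}"
    return True, f"+ Importing unsecure PKT from unknown node {sender}"


def spoofed_hub_flood(strict: bool, messages: int = 1_000_000, downlinks: int = 10) -> int:
    """Result 1 vs Result 2 from the thread: 1:1/1 is configured with a password and an
    unknown system sends a password-less PKT claiming to be 1:1/1. Returns how many
    gibberish messages end up in the network (local copy plus one per downlink)."""
    node_config = {"1:1/1": "SECRET"}  # constructed configuration
    sender, pkt_pw = parse_pkt_header(build_pkt_header(1, 1, 1, password=""))
    accept, _ = check_pkt(sender, pkt_pw, node_config)
    if not strict:
        accept = True  # the proposed change: process the PKT despite the missing password
    return messages * (1 + downlinks) if accept else 0


if __name__ == "__main__":
    cfg = {"1:1/1": "SECRET"}
    for hdr in (build_pkt_header(1, 1, 1, "SECRET"), build_pkt_header(1, 1, 1, "")):
        print(check_pkt(*parse_pkt_header(hdr), cfg)[1])
    print("strict:", spoofed_hub_flood(True), "lenient:", spoofed_hub_flood(False))
```

    Run against buanzo's own situation (hub configured with a password, packet arrives without one), `check_pkt` produces exactly the same mismatch line as it does for the spoofed packet in `spoofed_hub_flood`: from the packet alone the receiving node cannot tell an honest hub with a missing password from a stranger claiming the hub's address, which is why the check has to stay strict and the message can only report the mismatch.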
  • From buanzo@4:900/107 to g00r00 on Thu Apr 8 19:38:10 2021
    On 08 Apr 2021, g00r00 said the following...
    > There is no error that says "Invalid PKT" in the current version. If

    You are correct. I upgraded right after I made Fidonet work, and I had already discovered the issue.

    Let me test it out, thank you for your detailed responses. Is Mystic open source? Or maybe there's a way to get more involved?

    Cheers!
    --- Mystic BBS v1.12 A46 2020/08/26 (Linux/64)
    * Origin: DaRK Game BBS (4:900/107)