Skip to main content

A lot of locations are mandating that you stop connecting to the system with Telnet, and use SSH instead. The rationale is greater security. When you log in using Telnet your password, as well as any other data, is sent in clear text. Anyone with a network analyzer can read what you sent. SSH, on the other hand, encrypts all the data making it unreadable. The assumption is that the Telnet and SSH daemons present an interchangeable user experience; this is incorrect.

First, there are many different SSH and Telnet clients. These have different user interfaces and may use different terminal types. Even when using the same terminal type, they may behave differently since they are emulating a terminal and emulations are not perfect. But, even discounting differences in the client software, there are several subtle and not so subtle differences between a session connected to a Telnet daemon (either telnetd or telnet_msd) and one connected to the SSH daemon. There are also a number of bugs, which I will cover. Keep in mind that I am using the SSH daemon from Internet Security Pack (ISP) for OpenVOS release 2.1.0k. This is the latest version available at the time I wrote this.

User Names:

Before you even get logged in, there is a difference in the way that Telnet and SSH handle your user name. The Telnet daemons will allow you to login with any unique variation of your user name and the name is case insensitive. Given the user name Noah_Davids, I can login as Noah_D, noah_d, NoAh_D or NoAh_DaViDs when using Telnet, but the only thing that will work with SSH is Noah_Davids. My alias of nd works the same way. With Telnet I can use nd, ND, or nD but with SSH only nd will work.

Group Names:

The login prompt presented with a Telnet connection allows me to specify a group name

telnet 164.152.77.217
Trying...
Connected to 164.152.77.217.
Escape character is '^]'.

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  15:24:14
login nd.SysAdmin
Password? [password entered here]

Noah_Davids.SysAdmin logged in on %phx_vos#m17 at 12-12-12 15:24:55 mst.
Figure 1 – Telnet login with group name

But the SSH protocol only allows a user name. If I include the group name, it is treated as part of the user name and the login fails.

>system>openssl>bin>ssh [email protected]

nd.SysAdmin@164.152.77.217's password: [password entered here]

Permission denied, please try again.
[email protected]'s password:
Figure 2 – SSH login with group name

Once you are logged in you can change your group with a sub-login (but see the section on ssl-403 below for current limitations)

Password differences:

The biggest difference in password handling between Telnet and SSH connections is that SSH does not require passwords for authentication. You can set up a public/private key pair and skip the whole password entry step. Take a look at Setting up Stratus STCP SSH to use public key authentication for a description on how to set that up.

If you are using passwords there are some differences you have to deal with. First, password expiration is handled differently. With Telnet the login prompt warns you when your password is about to expire and allows you to change it.

telnet 164.152.77.217
Trying...
Connected to 164.152.77.217.
Escape character is '^]'.

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  14:04:40
login nd
Password? [current password entered here]

Your password will expire in 5 days.
New password (first entry)?
Figure 3 – Telnet connection password expiration warning/prompt

SSH will warn you but you have no option to change it. You must use the change_password command to invalidate your password, which will force you to change your password the next time you login.

ssh [email protected]
[email protected]'s password: [current password entered here]

Your password will expire in 5 days.
Noah_Davids.CAC logged in on %phx_vos#m17 at 13-01-09 13:06:35 mdt.

Welcome.

ready  13:06:35
change_password
Your password is no longer valid. You must change it the next time you log in.
ready  13:06:49
Figure 4 – SSH connection password expiration warning
and change_password command

Once your password expires (or you have invalidated it with the change_password command) you will be prompted to change it. Unlike Telnet this is not optional, you must change your password at this point. After changing your password you are automatically logged out and must log back in again.

ssh [email protected]
[email protected]'s password:

WARNING: Your password has expired.
You must change your password now and login again!
Current password? [current password entered here]

New password (first entry)? [new password entered here]

New password (second entry)? [new password entered here]

Connection to 164.152.77.217 closed.
Figure 5 – Changing your password during SSH connection

Another difference is that SSH connections do not support challenge-response passwords while Telnet connections do.

Subsystems:

When you first connect to a module with Telnet the login command allows you to select a subsystem

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  11:23:40
login -form -usage
 --------------------------------- login -------------------------------
 user_name:
 -privileged:      as registered
 -password:
 -change_password: no
 -priority:
 -home_dir:
 -module:
 -subsystem:
Figure 6 – Telnet connection allows you to specify a subsystem name

The ssh protocol has no mechanism for specifying a subsystem name. If the must_use_subsystem flag is set in your registration database entry then the first subsystem specified in your registration entry is automatically used. If the bit is not set then no subsystem is used. (Note that before release ISP 2.1.0j the first subsystem would be used even if the must_use_subsystem bit was not set.) While the arguments to the login command available before you actually login include a way to specify the subsystem (see figure 6) once you are logged in that option is no longer available (see figure 7).

login -form -usage
 --------------------------------- login -------------------------------
 group_name:  CAC
 -privileged: yes
 -priority:
 -password:
 -module:
Figure 7 – sub-login command line argments

The only way to get into a subsystem once you are logged in is to Telnet back to the system and login again.

telnet 127.0.0.1
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  11:37:34
login nd -subsystem test_ss
Password?        

Noah_Davids.CAC logged in on %phx_vos#m17 at 12-12-13 11:37:49 mst.
this is the test subsystem

ready  11:37:49
Figure 8 – Telnet to loopback address and login again to get to a subsystem

 

Access control:

Both Telnet and SSH connections support TCP Wrappers to allow you to restrict access based on IP address but with the Telnet daemons the default is that TCP Wrappers is not enabled and you must explicitly enable it with the -tcpwrapper_check control argument. While with the SSH daemon TCP Wrappers is enabled by default and there is no way to disable it. You can effectively disable it by allowing all SSH connections in the TCP Wrappers hosts.allow configuration file.

telnetd -form -usage
 ------------------------------- telnetd ------------------------------
 -service_file:     >system>stcp>telnetservice
 -tcpwrapper_check: no
 -numeric:          yes
Figure 9 – Enabling TCP Wrappers in the telnetd daemon

 

telnet_msd -form -usage
 ------------------------------ telnet_msd ----------------------------
 -network_port:     24
 -max_sessions:     28
 -error_severity:   2
 -separate_log:     yes
 -log_dir:          >system>stcp>logs
 -vterm_starname:   telnet*
 -vterm_login:      yes
 -vterm_slave_id:
 -extension:        133
 -force_edit:       yes
 -EC_decimal_value: 8
 -EL_decimal_value: 21
 -tcpwrapper_check: no
 -numeric:          no
Figure 10 – Enabling TCP Wrappers in the telnet_msd daemon

The sshd daemon also supports options in the sshd_config file to allow you to specify users or groups that are to be allowed access using ssh (the AllowUsers and AllowGroups directives) or denied access using ssh (DenyUsers and DenyGroups directives). These directives allow you to specify user names, or source domains or combinations. It is possible to allow noah_davids from corp.stratus.com but to deny it from az.stratus.com.

AllowUsers *@*.stratus.com
DenyUsers *@*az.stratus.com
Figure 11 – Example AllowUsers and DenyUsers directives in sshd_config
>system>openssl>bin>ssh [email protected]
[email protected]'s password:

Permission denied, please try again.
[email protected]'s password:
Figure 12 – Login from phxtest-m15.az.stratus.com denied because of DenyUsers directive

 

Command environment:

Once logged in a Telnet connection presents you with the standard VOS command environment. SSH allows an administrator to specify either the standard command environment or the bash shell environment. This is done based port numbers.

d sshservices

%phx_vos#m17_mas>opt>openssl>etc>sshservices  12-12-13 12:31:31 mst

ssh       "window_term"  ""         "login"         1 1  s$pt_log.m16
ssh2200   "window_term"  "-shell"   "bash"          1 1  s$pt_log.m16
Figure 13 – sshservices file, port 22 is the standard VOS command line,
port 2200 is the bash shell
>system>openssl>bin>ssh [email protected] -p 2200
[email protected]'s password:

Welcome.

sh-2.05$
Figure 14 – SSH connection using port 2200 and getting a bash shell

 

Environment variables:

By default Telnet connections only set 6 environment variables while SSH connections sets 12

env
HOME=/SysAdmin/Noah_Davids
LOGNAME=root
PATH=.:/system/command_library:/system/applications_library:/system/maint_librar
+y:/system/nio/command_library:/system/tools_library:/opt/apache/bin:/opt/libxml
+2/bin:/opt/php/bin:/opt/openssl/bin:/opt/mysql/bin:/system/stcp/command_library
+:/system.17.1/gnu_library/bin
VOS_INCLUDE_PATH=.:/opt/apache/include:/opt/openssl/include:/opt/mysql/include/m
+ysql:/system/stcp/include_library/compat:/system/include_library
VOS_OBJECT_PATH=.:/opt/apache/lib:/opt/openssl/lib:/opt/mysql/lib/mysql:/system/
+stcp/object_library/complib:/system/posix_object_library/pthread:/system/posix_
+object_library:/system/c_object_library:/system/object_library
TERM=vt100
Figure 15 – Environment variables set in a Telnet connection

 

env
HOME=/SysAdmin/Noah_Davids
PATH=.:/system/command_library:/system/applications_library:/system/maint_librar
+y:/system/nio/command_library:/system/tools_library:/opt/apache/bin:/opt/libxml
+2/bin:/opt/php/bin:/opt/openssl/bin:/opt/mysql/bin:/system/stcp/command_library
+:/system.17.1/gnu_library/bin
VOS_INCLUDE_PATH=.:/opt/apache/include:/opt/openssl/include:/opt/mysql/include/m
+ysql:/system/stcp/include_library/compat:/system/include_library
VOS_OBJECT_PATH=.:/opt/apache/lib:/opt/openssl/lib:/opt/mysql/lib/mysql:/system/
+stcp/object_library/complib:/system/posix_object_library/pthread:/system/posix_
+object_library:/system/c_object_library:/system/object_library
TERM=vt100
TZ=mst+07:00:00
USER=Noah_Davids
LOGNAME=Noah_Davids
MAIL=/var/spool/mail/Noah_Davids
SHELL=/bin/sh
SSH_CONNECTION=164.152.77.34 49573 164.152.77.217 22
SSH_TTY=#s$pt_log.m16_3
Figure 16 – Environment variables set in an SSH connection

 

Device types:

Finally, this is not really a difference between Telnet and SSH but between the telnetd and sshd daemons and the telnet_msd daemon. Both telnetd and sshd use window_term devices while telnet_msd uses vterm devices. There are some differences between the way that vterms and window_term devices deal with some of the function keys (like CANCEL) at the command line and with the way they handle raw screen output. Some applications that create their own forms and have not been updated to use new s$control OP_CODES do not present those forms correctly using window_term devices. The second best way to deal with these applications is to use an SSH tunnel to connect to the system, the tunnel is then configured to connect to the telnet_msd daemon. The best way to handle the application is to, of course, update it to use the new OP_CODES.

 

Besides the above differences that are inherent in Telnet and SSH there are a few bugs that will be fixed in a future release.

ssl-403 Available Groups:

When connecting with Telnet all of the groups specified in your registration entry are available for sublogins but with ssh only the first 5 groups are available.

Given that I am registered with groups, CAC, SysAdmin, Group_3, Group_4, Group_5, Group_6. I can do a sub-login using any group from a Telnet connection

telnet 164.152.77.217
Trying...
Connected to 164.152.77.217.
Escape character is '^]'.

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  15:38:02
login nd
Password? [current password entered here]

Noah_Davids.CAC logged in on %phx_vos#m17 at 12-12-12 15:38:08 mst.

login Group_5

Noah_Davids.Group_5 logged in on %phx_vos#m17 at 12-12-12 15:39:39 mst.
ready  15:39:39
logout

login Group_6

Noah_Davids.Group_6 logged in on %phx_vos#m17 at 12-12-12 15:40:13 mst.
ready  15:40:13
Figure 17 – sub-logins with Telnet connection

However, with ssh, when I try to use Group_6 I get an error.

>system>openssl>bin>ssh [email protected]
[email protected]'s password:

Noah_Davids.CAC logged in on %phx_vos#m17 at 12-12-12 15:41:02 mst.
ready  15:41:02

login Group_5

Noah_Davids.Group_5 logged in on %phx_vos#m17 at 12-12-12 15:41:24 mst.
ready  15:41:24
logout

login Group_6
login: Invalid format in argument. Group_6 not allowed for group_name.
ready  15:41:59
Figure 18 – sub-logins with SSH connection

 

ssl-418 – The sub_process_level:

Logins via Telnet have a sub_process level of 0 while those via SSH have a sub_process level of 3.

telnet 164.152.77.217
Trying...
Connected to 164.152.77.217.
Escape character is '^]'.

OpenVOS Release 17.1.0ax, Module %phx_vos#m17
Please login  14:15:34
login nd
Password? [current password entered here]

Noah_Davids.CAC logged in on %phx_vos#m17 at 12-12-13 14:15:39 mst.
ready  14:15:39
display_line (process_info sub_process_level)
0     
ready  14:15:49
Figure 19 – Sub_process level set in a Telnet connection

 

>system>openssl>bin>ssh [email protected]
[email protected]'s password: [current password entered here]

Noah_Davids.CAC logged in on %phx_vos#m17 at 12-12-13 14:12:23 mst.
ready  14:12:23
display_line (process_info sub_process_level)
3     
ready  14:12:37
Figure 20 – Sub_process level set in an SSH connection

Update Jan 14, 2013: This turns out to be a feature and not a bug. The sshd process is forked first when start_process is done to start the listening process, second when sshd accepts the connection and a third time when the user login process is created. Telnet uses a different mechanism to start the user process which does not result in any forked processes.

Time zone issues:

Finally I just want to say that there have been a number of issues related to changing between daylight savings and standard time, or more generally just changing time zones. Sessions logged in via SSH would not reflect the new defaults. These issues should all be fixed in this latest release (2.1.0k).

© 2024 Stratus Technologies.