Hi!

There's been talk about switching away from netkit-telnet and
netkit-telnetd as the default implementations for some time now,
and replacing them with the ones from inetutils, which is a maintained
project and does see releases (even though with a long cadence).

This has been discussed somehow in #982253 and #987729.

These packages currently use a pair of virtual packages to denote
that they are a telnet or telnetd implementation (telnet-client and telnet-server). One problem is that currently the netkit implementations
use the generic telnet and telnetd package names, which is a clear way
to mark them as the default implementations (instead of say the other convention of naming or providing a default-foo package). Another is
that several packages depend on these generic names instead of the
virtual packages, see below for a list that would deserve a non-blocking
"mass" bug filing, which I can handle as part of the switch.

The inetutils-telnet recently got support for the missing «-b» option
for compatibility with netkit-telnet.

The inetutils-telnetd and netkit-telnetd have diverging options and some conflicting ones, but after pondering about it I don't think this should
be a major issue, as the daemon does not tend to get called by users from scripts and similar. For completeness the divergences are these:

inetutils-telnetd netkit-telnetd
----------------- --------------
short and long options short options
<missing> -D (unimplemented «exercise» mode)
-D (debug modes «auth», «encr») -edebug
-S, --server-principal -S (used to set the IP TOS)
-E, --exec-login -L
-l, --linemode <missing>
-U, --reverse-lookup -N (related but not exactly the same)


Simon Josefsson (CCed), who is one of the inetutils upstream maintainers, recently adopted the netkit-telnet source package in Debian, which he'd
prefer to keep around for a smoother transition period, in case users
want or need to revert back.



So, the idea would be for src:inetutils to take over the telnet and
telnetd binary packages and make them transitional packages depending
on the inetutils variants, for a smooth upgrade, and in addition also
start providing them by the inetutils-<name> packages.

The src:netkit-telnet would then switch to ship netkit-telnet and netkit-telnetd binary packages (this would ideally be uploaded to
experimental first, so that once ACCEPTED it can be uploaded to sid
once we start the switch, with no missing implementation in between).

I'm inclined to do it in this order to potentially avoid two trips over
NEW, and to reduce any potential disruption period.

In the future (after the next stable release) the telnet/telnetd
packages could be switched to be pure virtual packages, taking the role
of denoting the current default implementation, instead of introducing default-<foo> variants, as that's what users are currently used to, and
it would keep working even if the depending packages below do not update
their dependencies.

We'd file an override request against ftp.debian.org to get the inetutils-telnet Priority bumped to standard to match the current
telnet package (which could get then its Priority lowered to optional).

Currently inetutils and netkit have the same alternative priority
for telnet, I'd probably bump it also to 150 for inetutils to take
precedence.


If there are no objections, we could probably start working on this
switch in a couple of weeks or so.



List of packages depending on telnet (but not telnet-client):

forensics-extra (Depends)
lava (Depends)
live-task-standard (Depends)
mininet (Depends)
vland (Depends)
zssh (Depends)

dish (Recommends against all current implementations)
lava-dev (Recommends)
lava-dispatcher (Recommends)
live-task-extra (Recommends)
pdudaemon (Recommends)

libtelnet-dev (Suggests)
libtelnet-utils (Suggests)
procserv (Suggests)
ser2net (Suggests)
tucnak (Suggests)

List of packages depending on telnetd (but not telnet-server):

telnetd-ssl (Conflicts)
nyancat-server (Conflicts)


Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Jul 16, 2022 at 10:19 PM Guillem Jover <[email protected]> wrote:

Hi!

There's been talk about switching away from netkit-telnet and
netkit-telnetd as the default implementations for some time now,
and replacing them with the ones from inetutils, which is a maintained project and does see releases (even though with a long cadence).

This has been discussed somehow in #982253 and #987729.

These packages currently use a pair of virtual packages to denote
that they are a telnet or telnetd implementation (telnet-client and telnet-server). One problem is that currently the netkit implementations
use the generic telnet and telnetd package names, which is a clear way
to mark them as the default implementations (instead of say the other convention of naming or providing a default-foo package). Another is
that several packages depend on these generic names instead of the
virtual packages, see below for a list that would deserve a non-blocking "mass" bug filing, which I can handle as part of the switch.

The inetutils-telnet recently got support for the missing «-b» option
for compatibility with netkit-telnet.

The inetutils-telnetd and netkit-telnetd have diverging options and some conflicting ones, but after pondering about it I don't think this should
be a major issue, as the daemon does not tend to get called by users from scripts and similar. For completeness the divergences are these:

inetutils-telnetd netkit-telnetd
----------------- --------------
short and long options short options
<missing> -D (unimplemented «exercise» mode)
-D (debug modes «auth», «encr») -edebug
-S, --server-principal -S (used to set the IP TOS)
-E, --exec-login -L
-l, --linemode <missing>
-U, --reverse-lookup -N (related but not exactly the same)

Simon Josefsson (CCed), who is one of the inetutils upstream maintainers, recently adopted the netkit-telnet source package in Debian, which he'd prefer to keep around for a smoother transition period, in case users
want or need to revert back.

So, the idea would be for src:inetutils to take over the telnet and
telnetd binary packages and make them transitional packages depending
on the inetutils variants, for a smooth upgrade, and in addition also
start providing them by the inetutils-<name> packages.

The src:netkit-telnet would then switch to ship netkit-telnet and netkit-telnetd binary packages (this would ideally be uploaded to experimental first, so that once ACCEPTED it can be uploaded to sid
once we start the switch, with no missing implementation in between).

I'm inclined to do it in this order to potentially avoid two trips over
NEW, and to reduce any potential disruption period.

In the future (after the next stable release) the telnet/telnetd
packages could be switched to be pure virtual packages, taking the role
of denoting the current default implementation, instead of introducing default-<foo> variants, as that's what users are currently used to, and
it would keep working even if the depending packages below do not update their dependencies.

We'd file an override request against ftp.debian.org to get the inetutils-telnet Priority bumped to standard to match the current
telnet package (which could get then its Priority lowered to optional).

Currently inetutils and netkit have the same alternative priority
for telnet, I'd probably bump it also to 150 for inetutils to take precedence.

If there are no objections, we could probably start working on this
switch in a couple of weeks or so.

List of packages depending on telnet (but not telnet-client):

forensics-extra (Depends)
lava (Depends)
live-task-standard (Depends)
mininet (Depends)
vland (Depends)
zssh (Depends)

dish (Recommends against all current implementations)
lava-dev (Recommends)
lava-dispatcher (Recommends)
live-task-extra (Recommends)
pdudaemon (Recommends)

libtelnet-dev (Suggests)
libtelnet-utils (Suggests)
procserv (Suggests)
ser2net (Suggests)
tucnak (Suggests)

List of packages depending on telnetd (but not telnet-server):

telnetd-ssl (Conflicts)
nyancat-server (Conflicts)

Thanks,
Guillem

Telnet is old, insecure and should not be used any more. What is the point

of packaging a Telnet daemon when everyone should be using SSH. Telnet
Client I can see because a person may need to connect to a router or switch that is still using telnet or hasn't had SSH Certificates generated yet.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀

<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jul 16, 2022 at 10:19 PM Guillem Jover &lt;<a href="mailto:[email protected]">[email protected]</a>&gt; wrote:<br></div><blockquote class="
gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi!<br>

There&#39;s been talk about switching away from netkit-telnet and<br> netkit-telnetd as the default implementations for some time now,<br>
and replacing them with the ones from inetutils, which is a maintained<br> project and does see releases (even though with a long cadence).<br>

This has been discussed somehow in #982253 and #987729.<br>

These packages currently use a pair of virtual packages to denote<br>
that they are a telnet or telnetd implementation (telnet-client a

On 2022-07-17 01:49:53 -0400 (-0400), Timothy M Butterworth wrote:
[...]

Telnet is old, insecure and should not be used any more. What is
the point of packaging a Telnet daemon when everyone should be
using SSH. Telnet Client I can see because a person may need to
connect to a router or switch that is still using telnet or hasn't
had SSH Certificates generated yet.

My personal interest in Telnet clients is that MUDs (multi-user
network text games/worlds) are still primarily designed as Telnet
servers, albeit with varying degrees of support for the many
extensions to the protocol which have become somewhat standard over
the years. Clean libraries capable of reliably implementing an sshd
for this purpose are a relatively recent thing, so I expect to see
some MUDS appear with options for SSH protocol connections (and I've
been noodling on ideas in that vein), but for now pretty much
everything in that space is either Telnet based or entirely bespoke.

Inetutils seems to only support the RFC 2946 "encrypt" extension,
but some Telnet servers and clients include direct support for
wrapping with SSL/TLS socket encryption (Netkit does) or
implementing Jeffrey Altman's START-TLS draft proposal. Since
authentication is generally handled independently of the daemon, it
can work with a variety of single or multi-factor authentication
backends including certificates, one-time-passwords, and so on.

Also, if you're going to provide a Telnet client, it makes sense to
include at least a reference implementation of a Telnet server in
order to be able to validate its functionality.
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmLT/zpfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCm49xAAgcfCwuBSz325CRbj/K/mcOqQQC+L8b0XbbyKwvOfHZV9sXwqPQSyOyjH tAi6oHl1lBSot17kBFSxjz03TWnStjjVYDlpvDcRH0/9a3VQhSeAkfmgok9OBqrv GcTh7WvgXHK7XDMikEszY62VGMrGAEY3KoBDs6pchjoRvhK32o8+iSmrgSfOU2Iz g21G7ndx5N7k6kxDf6vwEkotSWZvgoRthp1jY/miPR+F9+9QOw8u8+q6aTu96A7q MM0b9tKfJEA4mQeEqeEtbtwoQNaA/uHAOyfrhw48P91cn7eVz1tBeM+XawSa51sz lO1qa4mMAvO5/HfYDky11jbo9929O8QNA5If7j9P+xo19hHRHkHm+ZDpLuMvXrGi SGo4v9/ccWYuJnashfYTzGncyozkaDrPLb9C2m6KgK5j6y9O3qkg4YuZUudCnHZZ EaxxbgwqqZ0zJ6zrbVlnZ7PtiLJgwbZAWCsR1elcr3PZbtF2tl3x8jBggmD1wYP9 w0HVDReZuZ7vY77hticCFzdDcoNBk9sHaL1NNIXD4BJvUwvu53w8AIpw7tbj2IZ+ 3BlyC6p6j7vYLuYSJzBnwVxtM/wCqukJjJxn3yYLK2KvulJaG2GK28p45JRQ0r+N jO8E4ASbfHJgt84KaZJ6IkHbxqIa2V06UptBZM2JtqFzdxwGCCQ=
=cbdX
-----END PGP SIGNATURE-----

--- SoupGate-Win32

On Sun, Jul 17, 2022 at 01:49:53AM -0400, Timothy M Butterworth wrote:

Telnet is old, insecure and should not be used any more. What is the point of >packaging a Telnet daemon when everyone should be using SSH. Telnet Client I >can see because a person may need to connect to a router or switch that is >still using telnet or hasn't had SSH Certificates generated yet.

I personally use telnet to connect to systems whose ssh implementations
are old enough that they are no longer interoperable with current ssh.
Every system will eventually become an old system, and telnet has a much
better record of working over the long term than does ssh. Security
concerns have a place in determining defaults, but not in banning
software that other people find useful in a context that might not
matter to you.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 19.07.22 16:05, Michael Stone wrote:

On Sun, Jul 17, 2022 at 01:49:53AM -0400, Timothy M Butterworth wrote:

Telnet is old, insecure and should not be used any more. What is the
point of
packaging a Telnet daemon when everyone should be using SSH. Telnet
Client I
can see because a person may need to connect to a router or switch
that is
still using telnet or hasn't had SSH Certificates generated yet.

I personally use telnet to connect to systems whose ssh implementations
are old enough that they are no longer interoperable with current ssh.
Every system will eventually become an old system, and telnet has a much better record of working over the long term than does ssh. Security
concerns have a place in determining defaults, but not in banning
software that other people find useful in a context that might not
matter to you.

I found the client-side very tolerant of ancient server-side
implementations when the right kinds of switches are passed to it (e.g. KexAlgorithms and HostKeyAlgorithms). I have yet to be unable to
actually connect to a target - even if it means fiddling increasingly
with flags.

Kind regards
Philipp Kern

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2022-07-19 20:15:49 +0200 (+0200), Philipp Kern wrote:
[...]

I found the client-side very tolerant of ancient server-side
implementations when the right kinds of switches are passed to it
(e.g. KexAlgorithms and HostKeyAlgorithms). I have yet to be
unable to actually connect to a target - even if it means fiddling increasingly with flags.

This is getting increasingly off-topic, but you're able to get a
modern SSH client to successfully connect to an old device which
only speaks SSHv1 protocol?
--
Jeremy Stanley

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEEl65Jb8At7J/DU7LnSPmWEUNJWCkFAmLW+opfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDk3 QUU0OTZGQzAyREVDOUZDMzUzQjJFNzQ4Rjk5NjExNDM0OTU4MjkACgkQSPmWEUNJ WCmpwg//ezULhXys0eR3/ktCqhjnXxb55K88EipL8ovDuT1UWqzq+Cwb5lvEpl9N BiOn/2J5JqiNynoC37lIlePyqOmcb+vgnDeZIRS5p1fkfjPVETogfhckP1HTYL5k rdxc3gs1Suve7gPqJomnUlzHF4UQJMgkYl+/qopVfNAHBa8UtYXbfl46a125zf7r zWGc5cfCnXlfYvbDvjZ0nCPCxN1y7STNPoGgX6PNRfrwxyDILRZYnYKNDNYslG8o nTFcGgiXHWOmlPkE9eqaiaIOR19I+tyZ5Pvy4Jy+55ogBjPmJ3TyjgTQzGeQADyG 80tSNqluhblmjIIbj89qbimjFQHDcg4tsf4rd8twfdPq+vZkoI9PkxNUrmjuvLFU 0YVziFqU8d33F1TyV9TgmD4TweyVzO3Mvzyik1bvMMPouflZcSRSP2Voi/uHOP3j k/CL6hHl/3C9idAKuP1Wdy9q9tKh7Agbw0SQARD0Ht7LrvBRW5InWWi2arq2cprG 3XcIIPdGF1G7yViCzN8BOXmuoqes6NBiWAiPN1BLMicKN0jByEsNuG9OMMymCd9A DIhD3JgVM9IJTJTgO+V/X4/BMeWfMAF54c/JwvGLmmmYh10XPIpvrPp5uCZmwy7d 5R6FK3Fh5Zj2d2jzZiUybCUr82pSb5yZrMd3QNbQeuKhla9O5Hs=
=/uv4
-----END PGP SIGNATURE-----

--- SoupGate-Win32

Jeremy Stanley <[email protected]> writes:
...

This is getting increasingly off-topic, but you're able to get a
modern SSH client to successfully connect to an old device which
only speaks SSHv1 protocol?

There is: openssh-client-ssh1

https://tracker.debian.org/pkg/openssh-ssh1

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmLXHnoACgkQ0EujoAEl 1cDwpA//TekHEHTEWx1WWzm/D+kGZutvy8GAKHPWWxi+BorYUzZwUXI1G6vNDtgA de8UCx/eeg25HyD4SPqblbhcQtL3m0sVK5rHCfu8fyDp1aYxV8dU01+Cu3n82Pjm 3UGbIQOV2BiPpAroe1ff+5q1P4m6op1KIcVYpwx+OJAuX1t8u+761QgVGFZB6kTj LptED2mAPfHEqdIHdCfJa/KTSS6Sb/8PId08seWG5V2ZPEAYmNpDhecoTDnZt5SZ iDNwdAC8olinrUb5LIKehH9MzphsmxoAsQ1zeUYlfIHBwS7MafMU2HpyLytrbiqC KVzamc6nJR3mEKx71pMfq6yWQW2BjhBL7bCHZbr1Idq4bvsem5qYye4rw3Dg50yh zj+yhjM7b5IE4/sI9bdQuhPEnrktQdfA8rBgl6AvaNgAF1DedmC151sJiYvGw35S ML7o2cO2y1e0aKDw7xgBVQe0uuRCNpdAXoy1hzKdYUV/VFeK5/2E1SWxG6AJ0OlL NO7KWm0RaUJoEMpE0UxLGy/mE8xE3GK7Pt0aEu4CqOA9BosDnemt/sqb2GsUefBw 1JR4xgjlEI6B9w1YRCxMl7nQlzOkX3sVfMDqY5HnjTgHG+heLvy7GiCWJLPPN+e6 Haz/TYILz93Qdc3

"Guillem" == Guillem Jover <[email protected]> writes:

Guillem> Hi! There's been talk about switching away from
Guillem> netkit-telnet and netkit-telnetd as the default
Guillem> implementations for some time now, and replacing them with
Guillem> the ones from inetutils, which is a maintained project and
Guillem> does see releases (even though with a long cadence).

I've reviewed your plan. Over the years I've maintained a telnet
upstream so I have some familiarity with the space even though I am no
longer involved in the telnet server universe.
I think your plan makes sense and I support it.

I definitely think Debian should still have a telnet server, although it
is very much a niche application

Thanks Guillem and Simon for your work on this!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 19, 2022 at 05:43:35PM -0600, Sam Hartman wrote:

"Guillem" == Guillem Jover <[email protected]> writes:

Guillem> Hi! There's been talk about switching away from
Guillem> netkit-telnet and netkit-telnetd as the default
Guillem> implementations for some time now, and replacing them with

I've reviewed your plan. Over the years I've maintained a telnet
upstream so I have some familiarity with the space even though I am no
longer involved in the telnet server universe.

I definitely think Debian should still have a telnet server, although it
is very much a niche application

Available in the archive yes, installed by default no way.
That makes this current thread mostly moot, as when not installed by
default (or a metapackage) you don't need any particular implementation
to be blessed.


Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Loongarch's name is loong.
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jul 20, 2022 at 05:15:07PM +0200, Adam Borowski wrote:

Available in the archive yes, installed by default no way.
That makes this current thread mostly moot, as when not installed by
default (or a metapackage) you don't need any particular implementation
to be blessed.

I think the original email outlined why dicussion was necessary:
determining which source package provides the "telnet" and "telnetd"
packages. Regardless of whether they're installed by default, changing
the implementation behind a binary package does warrant
notice/discussion.

This got derailed by additional commentary about whether they deserve to
exist at all, but that's incidental to the original question. (For
which, I think, there has been consensus.)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi!

On Sun, 2022-07-17 at 04:18:59 +0200, Guillem Jover wrote:

There's been talk about switching away from netkit-telnet and
netkit-telnetd as the default implementations for some time now,
and replacing them with the ones from inetutils, which is a maintained project and does see releases (even though with a long cadence).

Ok, so given the comments, we'll be starting with the outlined plan.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi!

On Sun, 2022-07-17 at 04:18:59 +0200, Guillem Jover wrote:

There's been talk about switching away from netkit-telnet and
netkit-telnetd as the default implementations for some time now,
and replacing them with the ones from inetutils, which is a maintained project and does see releases (even though with a long cadence).

The described plan is implemented and all done:

- Upload of inetutils taking over the packages and updating
alternative priority.
- Upload of netkit-telnet renaming the packages.
- Migration of inetutils to testing.
- Overrides update request filed and applied.
- Bugs files for the direct telnet/telnetd usage:
<https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=guillem%40debian.org&tag=inetutils-default-telnet-switch>
<https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=guillem%40debian.org&tag=inetutils-default-telnetd-switch>

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)