We're bringin' finger back!

It's a lively time in the pubnix scene! Things in circumlunar space

are developing rapidly. See recent posts by slugmax[1,2] and

visiblink[3] for updates on the Republic colony and our new XMPP

server. Federation between the Zaibatsu and Republic is working

smoothly, with email, IRC and BBS joining the two into a single user

community, as was always the plan. We are also now exchanging email

with other pubnix hosts, tying ourselves into the wider pubnixverse

according to my two-tier structure philosophy[4]. It's an exciting

time. Welcome to all the new sundogs at the Republic!

This post is about another project to join all pubnixes together,

which some of you may be aware of. The title says it all, really.

We're bringin finger back!

Yes, that's right finger, of RFC742.

If you're a sysadmin-type, you possibly just broke out into a cold

sweat. Finger seems to have a terrible reputation online these days

with regards to security. Worse even than telnet, perhaps. I have

read comments to the effect of "nobody who cares about security runs a

fingerd" or "you're brave to run a fingerd in this day and age!". I

honestly believe that in the context of a public access unix server

this attitude doesn't make a lot of sense, but before I elaborate on

this, a quick overview "for those who came in late".

Finger is a very simple TCP protocol assigned well-known port 79. The

gist of it is that you connect to a remote host, send a username

followed by CRLF, and the remote host sends you back some information

about that user and closes the connection. It's gopher-like in its

simplicity. When I say "some information", I mean the contents of

your GECOS field (the weird ancient personal metadata enshrined in the

/etc/passwd file since the earliest days of Unix, which tells your

full name, building, room number, and telephone numbers - if you opted

to enter them when creating your account, of course) as well as the

contents of some files in your home directory - ~/.project, which, by

convention, was a relatively static file explaining what it was you

worked on, in general, and ~/.plan, which was updated more frequently

(perhaps at the start of each week) with more finegrained information,

including details on where/when/how to find/contact you. All of this

obviously harks back to the days when multi-user unix deployments were

invariable at universities or the research department of large

companies. It was basically a kind of distributed staff directory.

If you're near a shell right now, you can finger yourself (ahem) by

simply typing e.g. finger solderpunk to see the kind of thing we're

talking about. On your local machine, it's very likely you'll see

somewhere in the output "No plan", because ~/.plan files nowadays are

pretty rare.

Why would people freak out about running fingerd? I think a little

bit of the hysteria comes from the fact that fingerd was one of the

exploited pieces of software used to facilitate the spread of the

infamous Morris Worm[5], back in the day. This is irrational - that

attack was not based on some kind of protocol-level weakness in

finger, but rather on a buffer overflow vulnerability in a common

implementation of the time which, believe it or not, has been patched

since the late 80s. At the end of the day, what fingerd mostly does

is to accept a single query line over TCP, reads some files in a

user's home directory, and send the contents of those files back to

the client. If it's possible to write a secure HTTP server, it's

possible to write a secure finger server. In fact, it's easier to

write a secure finger server as a simple consequence of the protocol

being far simpler than HTTP.

The second and somewhat more valid concern is that some versions of

fingerd will respond to an empty query line (just a CRLF over the wire

and that's it) with a list of all the system's users, which some would

argue could then be used to help attack the system. If you've ever

run an sshd on the public internet and looked at your logs, you'll

know that brute force attacks are a fact of life, and many of them use

common firstnames as usernames. Running a fingerd that basically

hands out valid usernames arguably makes such brute force attacks

easier.

Is this a practical threat to, say, the Zaibatsu? No. For one

thing, password authenatication for ssh sessions is not allowed. It's

private key or bust, and 1024-bit or longer keys are not practically

brute forcable, not by a long shot. It doesn't matter if somebody

knows a valid username, if they don't have that persons' key they are

not getting in. There are no other network services running which

require a username. One might argue that knowing a username is still

of value to an attacker, e.g. if they find a vulnerability in

gophernicus or the git server or something else we're running, knowing

a username might be of some value in exploiting that. But this brings

me by next point, which is that fingerd or no the list of usernames at

the Zaibatsu is not a secret. They are literally all spelled out on

the main gopher page, right there. This is also true at SDF, Grex and

pretty much any other multi-user gopher host. It's true of just about

any pubnix, even ones which don't offer gopher hosting - you can

probably harvest usernames from the URLs of user pages at pubnixes

which offer webhosting. Hiding usernames is counter-productive to the

mission of a pubnix, so shying away from running fingerd for this

reason makes no sense.

The one legitimate reason I can think of to consider running fingerd

scarier than running httpd is related to the privacy of your users.

It's not a problem that standard fingerd implementations share GECOS

information or .project and .plan - those are under the direct control

of the user, so people can share as little or as much as they like (I

don't think any user at the Zaibatsu has put their real name in

their GECOS field). However, standard implementations also indicate

whether or not a user is logged in or not, and if not when they last

were, including, crucially, the IP address they (last) logged in from.

• That* is a huge no-no in this day and age. Combined with reverse DNS

lookups and GeoIP location, this information can go a long way toward

de-anononymising a pubnix user, in extreme cases facilitating doxing,

SWATting and other very unpleasant occurences.

Of course, we don't have to stick with standard fingerd

implementations. Writing a fingerd is trivial, and there are third

party options out there which offer some customsiability. One of

them, efingerd, is in use now at the Zaibatsu, at cosmic.voyage and at

baud.baby, and offers complete control over finger output. The

sysadmin can write a default script to generate finger output, and

individual users can override this for their own username if they

want. This makes it possible to avoid IP address leakage, which is a

good thing.

Assuming we plug that little hole, and limit finger to sharing GECOS,

~/.project, ~/.plan and other things under direct user control, what

do we have in finger? An IETF-standardised, decentralised network for

publishing plain-text personal metadata - a crude, extensible, open

social network that works from the command line using software which

is already installed on or easily available for 99% of *nixes. That's

kind of exciting, right? The obvious modern adaptations of ~/.project

and ~/.plan are to use ~/.project as a "profile page" and ~/.plan as a

"status update" or, if you like, a "blog post". This is not at all

without precedent. From the mid-90s through 2010, ID Software

programmer turned private rocketeer John Carmack famously used his

.plan file as, essentially, a blog. They are archived on github for

the curious[6].

The pubnix environment is the natural place to stage a modern day

revival of finger as a minimal text-only social network without any of

the nasty features of the "real" ones. The tools are already there.

The interface is a bit clunky, though. Having to type `finger

tomasino@cosmic.voyage, and then finger cat@baud.baby`, and so on,

checking your "timeline" manually is a huge pain in the ass.

So it's a good thing I've written a tool called fellowsh to solve

this problem. It's fellowsh as in "fellowship shell", which is a

reference to a nice quote from Unix inventor Dennis Ritchie:

What we wanted to preserve was not just a good environment in

which to do programming, but a system around which fellowship could

form.

fellowsh is written in Lua so it's nice and light, and it basically

combines or provides an interface to a whole bunch of traditional unix

"social tools", like finger, last, talk, who and write. It

shows you the username, login status, local time and current .plan of

all the users in a list, which by default is all local users on the

system, but you can ignore some local users and you can add remote

users, to build up something like a "friends list", which is ordered

top-to-bottom by most recently logged in. You can "refresh" the list

and it will do all the remote fingering to update people's plans. In

the case of local users, you can also list their currently running

processes or launch a talk or write session.

Remote users are right now "second class citizens" in a sense, because

fellowsh has no way to directly access information like whether or not

they are currently logged in or if not when they last were. It will

extract that information from finger output if the remote user's

fingerd provides it, but right now, this is rare. It works with

grex.org users, and with Zaibatsu users (our fingerd publishes

login/logout status and times without IP addresses), but that's

about it. But if this thing takes off, and the community develops

standards for what sort of information to include in finger output and

what format to include it it, fellowsh and other tools could treat

remote and local users more or less identically.

If you'd like to experiment with fellowsh, like all software developed

at the Zaibatsu it has a gopher page[7] with instructions on how to

clone the repo and a link to download a .zip of the current repo

contents without even leaving your gopher client! It requries the

luafilesystem, penlight and luatz libraries, which are all available

through luarocks. If you have any problems at all, let me know. If

you run, or are thinking of running, a pubnix server, consider

installing a modern fingerd which gives you control over the output so

your users can participate in this experiment. If you're on a pubnix

and you'd like to participate, show this phlog post to your admin(s)!

If you're on cosmic.voyage, you're in luck because efingerd and

fellowsh are both already installed there. Fire up your editor and

make a .plan!

[1] gopher://zaibatsu.circumlunar.space:70/1/~slugmax/cgi-bin/slerm?republic-new-users-update.post

[2] gopher://zaibatsu.circumlunar.space:70/1/~slugmax/cgi-bin/slerm?more-republic-updates.post

[3] gopher://zaibatsu.circumlunar.space:70/0/~visiblink/phlog/20181230

[4] gopher://zaibatsu.circumlunar.space:70/0/~solderpunk/phlog/micro-pubnixes-local-flavour-and-two-tier-structure.txt

[5] https://en.wikipedia.org/wiki/Morris_worm

[6] https://github.com/oliverbenns/john-carmack-plan

[7] gopher://zaibatsu.circumlunar.space:70/1/software/fellowsh