
Comments (6)

onyxbits avatar onyxbits commented on August 10, 2024

On Thursday, 22.08.2013, 08:29 -0700, landroni wrote:

> I'm no security expert, but I vaguely remember reading that installing
> a telnet client on a Linux system represents a serious security issue.
> Are there potential security issues when installing remotekeyboard on
> Android?
>
> Thanks!


Hi,
installing a telnet client is perfectly safe, installing a server is not
necessarily dangerous in itself. The problem lies with the telnet
protocol which sends all its data unencrypted over the line and hence is
prone to eavesdropping and man-in-the-middle attacks.

As for potential security risks with Remote Keyboard:
RK will listen on port 2323 of all network interfaces (including the 3G
interface). I suggest setting a password and/or using an app like
Droidwall to limit RK to WIFI only if you are using a device with a 3G
modem. Only enter sensitive data (e.g. passwords) on trusted WIFI
networks. If in doubt, fall back on an on-screen keyboard. The best way
to use RK, however, is by using ADB to forward your network connection
via USB. That way your communication is not only secure, but you will
also not have to worry about battery drain.

Further worth mentioning:

  • RK will always only accept one connection. So while you are connected,
    nobody else can.
  • If someone else manages to connect to your device, the worst they can
    do is type blindly. You cannot request data from the client.

Hope that answers your questions.

from remotekeyboard.

landroni avatar landroni commented on August 10, 2024

Thank you so much for this exhaustive answer. I think it's definitely worth including the answer as-is in the FAQ.

While we're at general questions, is there a good reason to use telnet instead of ssh? Wouldn't ssh allow achieving the same functionality, but provide more security?

from remotekeyboard.

onyxbits avatar onyxbits commented on August 10, 2024

On Wednesday, 28.08.2013, 12:25 -0700, landroni wrote:

> Thank you so much for this exhaustive answer. I think it's definitely
> worth including the answer as-is in the FAQ.
>
> While we're at general questions, is there a good reason to use telnet
> instead of ssh? Wouldn't ssh allow achieving the same functionality,
> but provide more security?

From a security point of view, SSH is most definitely better than
telnet. The main problem simply is that I couldn't find a suitable Java
SSH server implementation (there is Apache Mina, but it is poorly
documented) and the general advice in the security community is: DON'T
implement crypto stuff yourself. It's also worth mentioning that telnet,
unlike SSH, is available on every OS and that SSH takes a bit longer to
connect and is a bit more difficult to set up due to the whole key
exchanging business.

All in all, it boils down to: if security is of concern to you, no
cryptography beats the privacy of a dedicated USB cable.

from remotekeyboard.

chvostek avatar chvostek commented on August 10, 2024

Personally, I'd prefer that this app remain focused on just what it does -- act as a remote keyboard server. If you want secure authentication, "there's an app for that".

I've installed an SSH server from icecoldapps. Relying on the fact that Remote Keyboard binds to ALL network interfaces, including "localhost", from a terminal on my workstation, I simply run:

ssh -fNT -L2323:localhost:2323 username@nexus10

This makes a background SSH connection that uses port forwarding (-L) to open a tunnel to the Remote Keyboard server running on port 2323 on "localhost" on the Android device. Then from my workstation, I run:

telnet localhost 2323

and presto! I'm connected to the remote keyboard through the SSH tunnel.

What I'd like to see now is an option for Remote Keyboard to bind ONLY to localhost, so that I can leave it passwordless and rely on SSH for authentication. Or even better, enforce the localhost binding when no password is set.

from remotekeyboard.
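
The bind policy requested in the comment above (localhost-only as an option, and enforced when no password is set), written out as an added example. This is not Remote Keyboard's code; the class, method and `localhostOnly` option names are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;

// Added illustration; BindPolicyDemo, chooseBindAddress and the localhostOnly
// option are hypothetical names, not part of Remote Keyboard.
public class BindPolicyDemo {
    static final int RK_PORT = 2323; // port named in the thread

    // Returns the address to bind to; null tells ServerSocket to use the
    // wildcard address (all interfaces, including mobile data).
    static InetAddress chooseBindAddress(String password, boolean localhostOnly) {
        boolean hasPassword = password != null && !password.isEmpty();
        if (localhostOnly || !hasPassword) {
            // Reachable only from the device itself, e.g. through an SSH
            // tunnel or "adb forward" that terminates on the device.
            return InetAddress.getLoopbackAddress();
        }
        return null;
    }

    static ServerSocket open(int port, String password, boolean localhostOnly)
            throws IOException {
        // Backlog of 1: the server only serves one client at a time.
        return new ServerSocket(port, 1, chooseBindAddress(password, localhostOnly));
    }

    public static void main(String[] args) throws IOException {
        // Constructed cases: {password, localhostOnly}.
        Object[][] cases = { {"", false}, {null, false}, {"s3cret", false}, {"s3cret", true} };
        for (Object[] c : cases) {
            // Port 0 (ephemeral) keeps the demo from clashing with a real
            // listener; the app would pass RK_PORT.
            try (ServerSocket s = open(0, (String) c[0], (Boolean) c[1])) {
                InetAddress a = s.getInetAddress();
                String scope = a.isLoopbackAddress() ? "loopback only"
                        : a.isAnyLocalAddress() ? "ALL interfaces" : a.toString();
                System.out.printf("password=%s localhostOnly=%s -> %s (app port %d)%n",
                        c[0] == null ? "unset" : c[0].toString().isEmpty() ? "empty" : "set",
                        c[1], scope, RK_PORT);
            }
        }
    }
}
```

Only the case with a password set and `localhostOnly` off ends up on the wildcard address; every passwordless configuration stays on loopback.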

onyxbits avatar onyxbits commented on August 10, 2024

On Thursday, 14.08.2014, 09:31 -0700, Paul Chvostek wrote:

> Personally, I'd prefer that this app remain focused on just what it
> does -- act as a remote keyboard server. If you want secure
> authentication, "there's an app for that".
>
> I've installed an SSH server from icecoldapps. Relying on the fact
> that Remote Keyboard binds to ALL network interfaces, including
> "localhost", from a terminal on my workstation, I simply run:
>
> ssh -fNT -L2323:localhost:2323 username@nexus10
>
> This makes a background SSH connection that uses port forwarding (-L)
> to open a tunnel to the Remote Keyboard server running on port 2323 on
> "localhost" on the Android device. Then from my workstation, I run:
>
> telnet localhost 2323
>
> and presto! I'm connected to the remote keyboard through the SSH
> tunnel.
>
> What I'd like to see now is an option for Remote Keyboard to bind ONLY
> to Localhost, so that I can leave it passwordless and rely on SSH for
> authentication. Or even better, enforce the localhost binding when no
> password is set.


Yeah, definitely should do that. I have been meaning to rewrite the
entire telnet stack, but so far, had no time to do it.

from remotekeyboard.

ypid avatar ypid commented on August 10, 2024

@chvostek Great idea. I wrote a script for that: https://github.com/ypid/scripts/blob/master/remotekeyboard-login

It sets up SSH port forwarding, connects via telnet and enters the password …
Maybe it will be useful for somebody.

The script could also be used to support: Local echo

from remotekeyboard.
