Windows CE – Telnet/Remote Shell

I’d be interested in your feedback on the following question…

Windows CE supports a Telnet server (SYSGEN_TELNETD), which can be password protected. The only problem with Telnet is that the username and password are sent as clear text, so Telnet isn’t secure (anything that requires a clear-text username and password isn’t secure).

If you’re building/developing a device then Telnet could be useful during the development/debugging phase. John Spaith (who blogs on the CE networking blog) talked about configuring Telnet on a development platform and how to disable authentication (if you’re in the corporate network, and developing/debugging a system, then why would you need authentication on the system?).

So, here’s the question…

If you have a shipping/retail (not debug) device out in the field, would you want to be able to use a secure remote shell (like SSH) to get into the device? And if so, what would you use the shell for?

End users could use the Remote Administration (SYSGEN_REMOTECONFIG_FRAMEWORK) UI which is exposed through the HTTP Web Server (SYSGEN_HTTPD) [why do the Telnet and Web Server components have a ‘D’ on the end of the SYSGEN variable?] – the framework is extensible, so you could add your own remote config pages onto the framework (Chris Gray did an excellent job on the framework!).

So, let me know your thoughts on having a secure remote shell on Windows CE…

– Mike

Comments (8)

  1. Joshua Blake says:

    Mike, Happy New Year! Regarding the ‘D’ at the end of httpd and telnetd — this is a holdover from UNIX times. Background processes or services were called daemons, so HTTPD = HyperText Transfer Protocol Daemon, and TelnetD = Telnet Daemon, which stayed around doing their own specific jobs. Of course, in Windows they’re typically called services now. I would imagine keeping the D in SYSGEN or other internals would be useful because SYSGEN_HTTP without a D might indicate that it should include the HTTP protocol itself, but SYSGEN_HTTPD disambiguates the HTTP server. Etymology of the word Daemon:

    Hope this helps!

  2. mikehall says:

    Happy New Year Joshua (and everyone else!) – ah, yes, HTTP’D’aemon, Duh! I should have figured that out. Thanks for pointing that out, it’s been bugging me for a while <g>

    – Mike

  3. Sean McLeod says:

    Another option is to include the VPN server component and then you can run insecure authentication protocols like those used by telnet via the VPN connection.

  4. KJK::Hyperion says:

    What Sean said. The *real* good about ssh is tunneling, the actual "shell" part is just a glorified telnet. So either an ssh server, or, much better, a VPN server, possibly one that requires a single port open and runs at the application layer (like OpenVPN and unlike PPTP). And a pony

  5. Oskar Berreteaga says:

    I’d be very happy to have SSH. So, we could safely start/stop some services, ftp for instance, that usually aren’t running.

    Also, we could run some apps for certain tasks (eg, maintenance) that aren’t exposed thru standard interfaces.

  6. John Spraul says:

    No one is going to be upset to have SSH as an option. Anyone with a use for telnet would have those same uses for SSH, and would appreciate the additional security. One option which may be less work to implement, though less supported by standard terminal clients, is Telnet + SSL.

  7. Allan Baril says:

    I’m currently evaluating WinCE for use in our future products. SSH would definitely be beneficial to us.

    Our current devices offer an AT command prompt on the serial port (i.e. similar to a standard modem) which users can use to configure their device and can get debugging information from the unit. Obviously with SSH, we could then safely provide this AT mechanism remotely. The tunneling aspect of SSH could also be of use to us.

  8. Eric Kamont says:

    Hey Mike – great to see you at CES.

    To answer your question – I’m working with a bunch of Retail customers, some of whom are using CE 4.2/5.0. In those scenarios, the folks providing support are using SSH in all the other technologies other than CE. For them, an SSH implementation on CE would be beneficial from a support and learning experience.