pak@heifer.eng.ufl.edu (Philip A. Kufeldt) (01/23/91)
Can I get any help with regards to the existence or non-existence of various kerberized bsd clients and servers. For example, is there a kerberos version of ftp, ftpd, telnet, telnetd, rexecd, etc.... Any assistance would be greatly appreciated. Thanks in advance.

pak
Engineering Computing Services
University of Florida
tytso@ATHENA.MIT.EDU (Theodore Ts'o) (01/23/91)
> Date: 22 Jan 91 18:12:36 GMT
> From: pak@heifer.eng.ufl.edu (Philip A. Kufeldt)
>
> Can I get any help with regards to the existence or non-existence of various kerberized bsd clients and servers. For example, is there a kerberos version of ftp, ftpd, telnet, telnetd, rexecd, etc.... Any assistance would be greatly appreciated. Thanks in advance.

There are Kerberized versions of tftp and the Berkeley rcmd suite (rlogin, rcp, etc.) available with Kerberos version four. You can obtain it via anonymous FTP to athena-dist.mit.edu (18.71.0.38).

Kerberos version five will also have Kerberized telnet and ftp available; however, it is not yet available for general distribution.

- Ted
john@iastate.edu (Hascall John Paul) (01/23/91)
In article <1991Jan22.181236.19585@eng.ufl.edu> pak@heifer.eng.ufl.edu (Philip A. Kufeldt) writes:
}Can I get any help with regards to the existence or non-existence of
} various kerberized bsd clients and servers. For example, is there a
} kerberos version of ftp, ftpd, telnet, telnetd, rexecd, etc....

Telnet just uses /bin/login, so if that is kerberized then so is telnet. I suppose a new telnet option to pass authentication data would be an interesting idea... I have modified our ftp[d] to do appropriate kerberos/hesiod/attach things, but it is based on Ultrix source so I can't really send the source to you (I could send my additions if you also have source of some sort).

John Hascall (john@iastate.edu)

--
John Hascall
An ill-chosen word is the fool's messenger.
Project Vincent
Iowa State University Computation Center
john@iastate.edu
Ames, IA 50011
(515) 294-9551
jon@MIT.EDU (Jon A. Rochlis) (01/24/91)
> Telnet just uses /bin/login, so if that is kerberized then so is telnet.

No, no, no. If you just get login then you will still be typing a password in the clear. You need to change telnetd/rlogind to decode a kerberos ticket, check authorization and call a modified login which won't then ask for a password.

MIT distributes a modified rlogin(d) and login with the standard Kerberos distribution. It's been there as long as we have been giving away Kerberos.

If you are just talking about getting tickets when one logs in, then login can indeed be usually modified to do this, but that was not the original question (I think).

> I suppose a new telnet option to pass authentication data would be an interesting idea...

We have a telnet/telnetd that works with V4 and V5 and which may well be distributed as part of 4.4BSD and V5 Kerberos. It has come out of some IETF work done on authentication and encryption in telnet.

-- Jon
alan@essex.ac.uk [Alan M Stanier] (01/29/91)
Also sprach tytso@ATHENA.MIT.EDU
}There are Kerberized versions of tftp and the Berkeley rcmd suite
}(rlogin, rcp, etc.) available with Kerberos version four. You can
}obtain it via anonymous FTP to athena-dist.mit.edu (18.71.0.38).
}
}Kerberos version five will also have Kerberized telnet and ftp
}available; however, it is not yet available for general distribution.
}
} - Ted

In the Index to athena-dist.mit.edu, it says

   NOTE: Due to export restrictions, you may not retrieve this code unless you are within The United States of America.

I guess this is because it contains the des code? Is there a version that we can retrieve?

--
Alan M Stanier | tel +44 206-872153 | Carpocratian Heretic and
alan@essex.ac.uk | fax +44 206-860585 | Oral Gratification Specialist
john@IASTATE.EDU (Hascall John Paul) (01/30/91)
In article <1991Jan23.054126.22458@news.iastate.edu>, john@iastate.edu (Hascall John Paul) writes:
> In article <1991Jan22.181236.19585@eng.ufl.edu> pak@heifer.eng.ufl.edu (Philip A. Kufeldt) writes:
> }Can I get any help with regards to the existence or non-existence of
> } various kerberized bsd clients and servers. For example, is there a
> } kerberos version of ftp, ftpd, telnet, telnetd, rexecd, etc....
> would be an interesting idea... I have modified our ftp[d] to
> do appropriate kerberos/hesiod/attach things, but it is based on
> Ultrix source so I can't really send the source to you (I could
> send my additions if you also have source of some sort).

I have received several requests for these, so when things calm down here a little I will post a message indicating that they% can be had by anonymous ftp from iastate.edu (129.186.254.151) -- at the *very* worst it will be the end of Feb. when "export release 1" of our project is to be made available.

For those contemplating striking out on their own early, I used two new "X" commands (wouldn't compatibility be nice?):

    XKAD xxxxxx CRLF    (the rcmd authenticator hexified)
    XKPW yyyyyy CRLF    (password as mk_priv hexified)

Q: Is there a way to get a tgt without passing the password? I am guessing there isn't. I assume that this will be possible under V5 of the protocol?

I am also working on passing similar data in a telnet option, I have been using telnet option 40 (if this goes any further an official option number should be requested/assigned). Something like:

    telnet sends                              telnetd sends
    IAC WILL AUTH
                                              IAC DO AUTH
    IAC SB AUTH xxxxxx SPACE yyyyyy IAC SE

John

% I am still trying to determine if the Ultrix source is any different from the vanilla BSD source -- so you may get the whole thing or you may get diffs.

--
John Hascall
An ill-chosen word is the fool's messenger.
Project Vincent
Iowa State University Computation Center
john@iastate.edu
Ames, IA 50011
(515) 294-9551
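The telnet exchange sketched in the post above, seen from the receiving side, as an added example that is not part of the original thread or of any poster's code: a strict parser for the `IAC SB AUTH xxxxxx SPACE yyyyyy IAC SE` subnegotiation. Option number 40 and the two-field layout come from the post; hex encoding of both fields (carried over from the XKAD/XKPW commands), the size cap and all function names are assumptions.

```python
import binascii

IAC, SB, SE = 255, 250, 240   # standard telnet command bytes
AUTH = 40                      # the post's experimental option number
MAX_HEX = 4096                 # assumed cap per hexified field


def extract_auth_sb(buf: bytes) -> bytes:
    """Return the unescaped payload of a buffer starting at IAC SB AUTH."""
    if buf[:3] != bytes([IAC, SB, AUTH]):
        raise ValueError("not an AUTH subnegotiation")
    out, i = bytearray(), 3
    while i < len(buf):
        if buf[i] != IAC:
            out.append(buf[i])
            i += 1
        elif buf[i + 1:i + 2] == bytes([SE]):
            return bytes(out)          # proper IAC SE terminator
        elif buf[i + 1:i + 2] == bytes([IAC]):
            out.append(IAC)            # IAC IAC is an escaped 0xFF data byte
            i += 2
        else:
            raise ValueError("stray or truncated IAC inside subnegotiation")
    raise ValueError("unterminated subnegotiation")


def parse_auth_payload(payload: bytes) -> tuple:
    """Split 'xxxxxx SPACE yyyyyy' and hex-decode both fields strictly."""
    fields = payload.split(b" ")
    if len(fields) != 2:
        raise ValueError("expected exactly two space-separated fields")
    for f in fields:
        if not f or len(f) > MAX_HEX:
            raise ValueError("empty or oversized field")
    # unhexlify rejects odd lengths and non-hex bytes (binascii.Error,
    # a ValueError subclass), so malformed input stops here.
    return tuple(binascii.unhexlify(f) for f in fields)


# Constructed sample: placeholder hex, not real Kerberos messages.
SAMPLE = bytes([IAC, SB, AUTH]) + b"0401ab 7f00c3" + bytes([IAC, SE])

if __name__ == "__main__":
    print(parse_auth_payload(extract_auth_sb(SAMPLE)))
```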
tytso@ATHENA.MIT.EDU (Theodore Ts'o) (01/30/91)
> Date: 29 Jan 91 19:00:53 GMT
> From: john@IASTATE.EDU (Hascall John Paul)
>
> I am also working on passing similar data in a telnet option, I have been using telnet option 40 (if this goes any further an official option number should be requested/assigned). Something like:
>
>     telnet sends                              telnetd sends
>     IAC WILL AUTH
>                                               IAC DO AUTH
>     IAC SB AUTH xxxxxx SPACE yyyyyy IAC SE

There is in fact an official authentication option for telnet; the way it works is much as you describe, except for some extra complexity so that the client and the server can negotiate which authentication scheme they support (Kerberos V4, Kerberos V5, Smartcard, etc.) Since ftp is layered on top of telnet, this can also be used to provide authentication for FTP.

Paul Borman of Cray Research is currently working on the version of telnet/ftp that will go into BSD 4.4; it will be supporting this authentication option of telnet. I don't know whether or not it will be possible for you to obtain a snapshot of the code to play with. If it is possible (and it does not take too much Kerberos V5 development time away from us to package it up), and there is sufficient interest, we might be able to make it available via anonymous FTP.

- Ted
jtkohl@MIT.EDU (John T Kohl) (01/30/91)
> I am also working on passing similar data in a telnet option, I have
>been using telnet option 40 (if this goes any further an official option
>number should be requested/assigned). Something like:

There are some drafts on telnet authentication options (and this is what we're busily implementing, with help from Cray). You can get the drafts from:

nic.ddn.mil anonymous ftp, directory INTERNET-DRAFTS:, files
    DRAFT-IETF-TELNET-AUTHENTICATION-01.TXT.1
    DRAFT-IETF-TELNET-ENCRYPTION-00.TXT.1

John Kohl <jtkohl@ATHENA.MIT.EDU> or <jtkohl@MIT.EDU>
Digital Equipment Corporation/Project Athena