[269] in Release_7.7_team


ktelnetd problems

daemon@ATHENA.MIT.EDU (Matt Braun)
Thu Feb 2 16:11:14 1995

To: release-team@MIT.EDU
Cc: jis@MIT.EDU, rel-eng@MIT.EDU, hartmans@MIT.EDU
Date: Thu, 02 Feb 1995 16:11:05 EST
From: Matt Braun <mhbraun@MIT.EDU>


OK...we discovered a problem with changing the default behavior of telnet to
be secure.  There are people out there that are running a kerberized telnet
daemon and don't want to be doing a ktelnet to it.

Here is the scenario.  Workstation administrator configures her machine for
remote access.  Since the default telnetd is ktelnet it would accept kerberized
connections, but because as we know no one uses telnet -safe it is never used
in kerberos mode.  This morning the clients update and when someone from a
public workstation runs telnet they get telnet -ax and end up logging in
securely.  Here is the problem with that, they are not getting tickets &
tokens on the remote machine because they are not getting kiniting on the
remote machine, they are just getting logged in without authentication (which
is a useless state in our environment).

One 'solution' is to invoke telnetd in inetd.conf with the -a off arguments so
it runs /bin/login and asks for a password (after telling you the connection
is encrypted).  Someone might want to look into the other command line options
to inetd.

Another solution is to advertise a script to run if you get logged in without
authentication. (suboptimal) 

And a final 'solution' is to back out the new telnet default.


We need to do something about this RSN.


				Matt

