[1687] in Kerberos
Understanding "-a auth_level" in Kerberized 4.4 telnetd
daemon@ATHENA.MIT.EDU (Alan Crosswell)
Fri Dec 27 19:21:09 1991
Date: 27 Dec 91 23:37:37 GMT
From: alan@curta.cc.columbia.edu (Alan Crosswell)
To: kerberos@shelby.Stanford.EDU
I'm trying to understand the meaning of the "-a" switch to the telnetd
that comes with v5. The choices are: none, other, user, valid, and off.
Could someone point me to documentation of the intent of this stuff? I
seem to be missing it -- the telnetd.8 man page isn't updated and I can't
find a README or anything that explains it exactly. The RFC draft talks
about what the protocol needs to pass authentication back and forth and
not what these options mean from the Unix perspective.
I'm trying to do something a little bit odd, namely provide a "text
service" (access to a licensed database) for users who have authenticated
themselves on some host. The "text service" is just a copy of telnetd
running on an oddball port on some other host:
medline stream tcp nowait /usr/local/etc/ktelnetd telnetd -a user -L /usr/local/etc/medfront
And I've modified telnetd to exec the program named after the -L switch in
place of /bin/login. Basically, if they telnet to port 'medline' on this
host, then medfront will run (all this telnetting to odd ports is hidden
inside a menu, so they just hit a "3" or something...). The idea is that
now that they've authenticated (with kerberos v4 currently) and if they
are authorized to use the system according to rules I have in my
/bin/login-replacement, then I want to let them in. There are something
like 20,000 potential users, none of whom have actual login accounts on
the system running telnetd. So, I figured '-a other' would do the trick
and pass the authenticated principal's name along to my program just like
it does to /bin/login (with -f username). Unfortunately, it looks like
the telnetd code does a "kuserok," thereby preventing this access since
there is no such userid in the password file. I would have thought that it
would be /bin/login's problem to verify the existence of the user and
telnetd's problem just to pass /bin/login an authenticated principal
name.... Am I missing something? Would I really screw things up if I
removed the call to kuserok()? Mostly I need a little help deciphering
these auth_levels. Thanks!
/a
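The distinction the post runs into is authentication (telnetd learns an authenticated principal name) versus authorization (kuserok() decides whether that principal may become a given local user, which requires the local user to exist). The following Python is an added illustration of that split; it is not code from the post, from the 4.4BSD telnetd or from the MIT Kerberos libraries. `kuserok_default` models the shape of a kuserok()-style rule (local account must exist; then either a `.k5login`-style list names the principal, or the principal is `user@LOCALREALM`), and `principal_authorized` models what a `-L` front end like the poster's medfront could do instead: authorize on the principal name against its own ACL, with no dependence on /etc/passwd. The local realm, the ACL file format and all sample data are assumptions constructed for the example.

```python
"""Model of the authentication / authorization split described in the post.

Added example, not MIT Kerberos or telnetd code.  The real kuserok()
lives in libkrb; these functions only imitate the decision it makes so
the difference between "who is this principal" and "may this principal
become local user X" is visible on sample data.
"""
from dataclasses import dataclass

# Assumption for the example: the realm telnetd treats as local.
LOCAL_REALM = "ATHENA.MIT.EDU"


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'name/instance@REALM' (v5 style) or 'name.instance@REALM' (v4 style)."""
    if "@" not in text:
        raise ValueError("principal must carry a realm: %r" % text)
    local, realm = text.rsplit("@", 1)
    if not local or not realm:
        raise ValueError("malformed principal: %r" % text)
    for sep in ("/", "."):          # v5 uses '/', v4 uses '.' as separator
        if sep in local:
            name, instance = local.split(sep, 1)
            return Principal(name, instance, realm)
    return Principal(local, "", realm)


def kuserok_default(principal: Principal, luser: str,
                    passwd_users: set, k5login: dict) -> bool:
    """Model of a kuserok()-style check.

    passwd_users: names that exist in the password file.
    k5login:      luser -> list of principal strings (a ~luser/.k5login).
    The first test is the one that denies the poster's 20,000 users:
    no local account, no further consideration.
    """
    if luser not in passwd_users:
        return False
    lines = k5login.get(luser)
    if lines is not None:
        allowed = {parse_principal(l.strip()) for l in lines if l.strip()}
        return principal in allowed
    # No .k5login: default rule, principal 'luser@LOCAL_REALM' with no instance.
    return (principal.name == luser and principal.instance == ""
            and principal.realm == LOCAL_REALM)


def principal_authorized(principal: Principal, acl_text: str) -> bool:
    """Authorization keyed on the principal alone (what a -L front end could do).

    ACL format is an assumption for this example: one principal per line,
    or 'realm:REALM' to admit every authenticated principal of that realm;
    '#' starts a comment.  No password-file lookup is involved.
    """
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("realm:"):
            if principal.realm == line[len("realm:"):].strip():
                return True
        elif parse_principal(line) == principal:
            return True
    return False


# Constructed sample data for the example.
PASSWD_USERS = {"root", "daemon", "alan"}
K5LOGIN = {"alan": ["alan@ATHENA.MIT.EDU", "alan/admin@ATHENA.MIT.EDU"]}
SAMPLE_ACL = """# constructed sample: who may use the medline service
jdoe@ATHENA.MIT.EDU
realm:CC.COLUMBIA.EDU      # any authenticated principal of this realm
"""


def decide(principal_text: str, luser: str) -> tuple:
    """Return (kuserok_result, acl_result) for one authenticated principal."""
    p = parse_principal(principal_text)
    return (kuserok_default(p, luser, PASSWD_USERS, K5LOGIN),
            principal_authorized(p, SAMPLE_ACL))


if __name__ == "__main__":
    for who in ("alan@ATHENA.MIT.EDU", "jdoe@ATHENA.MIT.EDU",
                "alan@CC.COLUMBIA.EDU", "mallory@EVIL.ORG"):
        print(who, decide(who, who.split("@")[0]))
```

Running the block shows the poster's situation directly: `jdoe@ATHENA.MIT.EDU` is a valid, authenticated principal, yet the kuserok-style check fails purely because there is no `jdoe` in the password file, while the principal-keyed ACL admits the same principal without any local account.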