[1835] in Kerberos
some v4 mods to v5 new-telnet
daemon@ATHENA.MIT.EDU (Alan Crosswell)
Thu Mar 26 02:48:19 1992
Date: 26 Mar 92 04:00:02 GMT
From: alan@cunixf.cc.columbia.edu (Alan Crosswell)
To: kerberos@shelby.Stanford.EDU
As mentioned earlier today, I've made some v4 modifications to the
Kerberized 4.4BSD telnet that comes with the Kerberos v5 distribution.
A couple of people responded saying they'd like to see the mods, so
you are welcome to anonymous ftp to cunixf.cc.columbia.edu and look
in kerberos/. Here's the readme:
krb-new-telnet.diffs contains context diffs for the Kerberos v5
distributed src/appl/new-telnet/ which is a Kerberized version of
4.4BSD telnet and telnetd. Our changes have only been tested
minimally with Kerberos *V4* but seem to work. The changes are:
- ./Makefile: fix omission of Config.local
- change the telnetd "-a auth_level" semantics so that "-a known" means the
certificate must be for a valid unix user (via kuserok) and
"-a user" must be for a valid kerberos user but does not need
to be a valid unix user. (see libtelnet/auth.h)
- add "-p server_principal" switch to name the principal name to
use for the service rather than the default of "rcmd." This is
for telnetd and telnet.
- add "-L login_program" switch to name the /bin/login replacement
to exec. telnetd.
- add "-i instance" to name instance in addition to null that the telnetd
will accept.
- correct spelling of "challenge."
How we use this:
In inetd.conf on host foo we have a line like this:
sample stream tcp nowait root /usr/local/etc/sample-sh telnetd
(and sample is defined as some port number in /etc/services).
/usr/local/etc/sample-sh exists simply because we learned the hard way
that many inetds only handle 5 args and silently ignore any additional ones:
#!/bin/sh
# Because Inetd has a maximum of 5 cmd line arguments!!
exec /usr/local/etc/ktelnetd -a user -L /usr/local/etc/sample -p demo -i simple
/usr/local/etc/sample is a program that replaces /bin/login since we
aren't logging the person in to do unix but are just running some canned
program for them.
On the client host, we get a TGT for a principal with an instance of "simple"
(e.g. myname.simple) and then do a
telnet -l myname.simple -p demo foo sample
which says login as "username.simple" getting a "demo.foo" service
ticket, connecting to host foo on port sample. Oh yeah, don't forget
to create the demo.foo entry and do an ext_srvtab!
This is used for various tty-based "text services." You just telnet
to some host and some oddball port number and one of these suckers
fires up. You gotta do something while waiting for DCE:-)
Alan Crosswell
Columbia University Academic Information Systems
alan@columbia.edu
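As an added example (not code from the post or from the new-telnet distribution), here is a Python model of the modified "-a" and "-i" semantics the post describes; the realm, the unix user list, the .klogin contents and the function names (kuserok, telnetd_accepts) are constructed for the demo, and kuserok() only imitates the Kerberos v4 routine in simplified form.

```python
from dataclasses import dataclass

LOCAL_REALM = "EXAMPLE.EDU"                    # assumed local realm
UNIX_USERS = {"alan", "demo"}                   # constructed passwd entries
KLOGIN = {"alan": {"alan.simple@EXAMPLE.EDU"}}  # constructed ~alan/.klogin

@dataclass(frozen=True)
class Principal:
    name: str
    instance: str = ""
    realm: str = LOCAL_REALM

    def __str__(self) -> str:
        inst = f".{self.instance}" if self.instance else ""
        return f"{self.name}{inst}@{self.realm}"

def kuserok(p: Principal, luser: str) -> bool:
    """Simplified Kerberos v4 kuserok(): if luser has a .klogin, only the
    principals listed there match; otherwise only luser@LOCAL_REALM with a
    null instance matches."""
    if luser not in UNIX_USERS:
        return False
    if luser in KLOGIN:
        return str(p) in KLOGIN[luser]
    return p.name == luser and p.instance == "" and p.realm == LOCAL_REALM

def telnetd_accepts(auth_level: str, p: Principal, luser: str,
                    accepted_instances: tuple = ()) -> tuple:
    """Decide whether telnetd lets an already-authenticated principal p
    log in as unix name luser, under the post's modified -a semantics."""
    if auth_level == "off":
        return True, "authentication not required"
    # -i: the null instance is always accepted, plus any named with -i
    if p.instance and p.instance not in accepted_instances:
        return False, f"instance {p.instance!r} not accepted by telnetd"
    if auth_level == "user":          # valid Kerberos user is enough
        return True, "valid Kerberos principal; no unix account needed"
    if auth_level == "known":         # must also map to a unix account
        if kuserok(p, luser):
            return True, f"kuserok allows {p} to log in as {luser}"
        return False, f"kuserok rejects {p} for {luser}"
    return False, f"unknown auth level {auth_level!r}"

if __name__ == "__main__":
    # The post's canned-service setup: telnetd -a user -i simple
    alan_simple = Principal("alan", "simple")
    print(telnetd_accepts("user", alan_simple, "alan.simple", ("simple",)))
    # Same principal under -a known, where kuserok must also succeed
    print(telnetd_accepts("known", alan_simple, "alan", ("simple",)))
    # An instance not named with -i is refused at any level
    print(telnetd_accepts("user", Principal("alan", "root"), "alan", ("simple",)))
```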