[2059] in Kerberos
Re: Telnetd options
daemon@ATHENA.MIT.EDU (Alan Crosswell)
Thu Jul 23 19:09:03 1992
Date: 23 Jul 92 21:34:51 GMT
From: alan@curta.cc.columbia.edu (Alan Crosswell)
To: kerberos@shelby.Stanford.EDU
In article <1992Jul21.234933.22768@agora.uucp> bobb@agora.rain.com (Bob Beauchemin) writes:
>
> I'm trying out the Kerberized Version of telnet/telnetd (dated 91.03.25
> is this the latest version?) and have a question about the authentication
> options of telnetd.
>
> Telnetd has five authentication startup options(plus debug):
>
> telnetd -a none
> telnetd -a other
> telnetd -a user
> telnetd -a valid
> telnetd -a off
>
> The "user", "valid", and "other" options appear to produce much the same
> results (although the "other" seems not to be used in the code). Any
> of these options only seem to allow logon from:
> 1. Kerberized telnet with -a option and
> 2. Kinit'd user and
> 3. User in .klogin file on remote host
>
> The "none" option allows kerberized telnet login (without a password) and
> non-kerberized telnet login (with a password).
>
> Is this how it's supposed to work? What is supposed to be the real
> difference between the "user" and "valid" options? I couldn't find any
> docs for this telnetd option and am guessing by experimentation and
> reading the code.
>
> Thanks,
>
> Bob Beauchemin
> bobb@agora.rain.com
I didn't understand the implementation of those options either, so I
modified telnetd to do what I thought they should mean:
- user: they have a valid Kerberos certificate but don't need to be
a local unix user.
- valid: they have a valid Kerberos certificate and kuserok says they
are also a valid local unix user.
I also modified it to exec an optional /bin/login replacement which we
use in conjunction with "-a user" to have a kerberized "application
gateway" where a local user id on the host providing the service is not
what decides whether someone is authorized, rather the /bin/login
replacement makes the authorization decision. The gateway is actually
a telnet frontend to an SNA session to a CICS application. Yet another
use for Don Libes' expect program:-)
I can make the mods available if you are interested.
/a
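
Added example, not part of the message above and not the telnetd modifications it mentions: a small C model of the "none", "user" and "valid" levels as the thread describes them. The enum names, authorize(), the sample principals and klogin_allows() (a simplified stand-in for kuserok that only does exact line matching against .klogin text) are assumptions; how "none" treats a ticket that fails the local check is also an assumption.

```c
#include <string.h>

/* Levels discussed in the thread; "other" and "off" are not modelled. */
enum auth_level { AUTH_NONE, AUTH_USER, AUTH_VALID };
enum decision { DENY, ALLOW_NO_PASSWORD, PROMPT_PASSWORD };

/* Hypothetical, simplified stand-in for kuserok(): the principal must
 * appear as a complete line in the account's .klogin text. Exact
 * whole-line comparison avoids accepting a prefix or suffix match. */
static int klogin_allows(const char *klogin, const char *principal)
{
    size_t plen = strlen(principal);
    const char *p = klogin;

    if (plen == 0)
        return 0;                       /* never match an empty name */
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == plen && strncmp(p, principal, plen) == 0)
            return 1;
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* ticket_ok: Kerberos authentication succeeded for `principal`.
 * klogin:    .klogin contents of the requested local account, or NULL
 *            when there is no such local account. */
enum decision authorize(enum auth_level lvl, int ticket_ok,
                        const char *principal, const char *klogin)
{
    int local_ok = ticket_ok && klogin && klogin_allows(klogin, principal);

    switch (lvl) {
    case AUTH_USER:   /* ticket alone; a login replacement decides the rest */
        return ticket_ok ? ALLOW_NO_PASSWORD : DENY;
    case AUTH_VALID:  /* ticket and the local-account check must both pass */
        return local_ok ? ALLOW_NO_PASSWORD : DENY;
    default:          /* AUTH_NONE: Kerberized login, else password login */
        return local_ok ? ALLOW_NO_PASSWORD : PROMPT_PASSWORD;
    }
}
```

With "user", everything after ticket validation rests on the login replacement, so that program is the only authorization check on the gateway.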