[3174] in Kerberos
Re: Kerberized FTP
daemon@ATHENA.MIT.EDU (Steve Lunt)
Mon Apr 25 10:58:54 1994
Date: Mon, 25 Apr 1994 10:35:49 -0400
From: Steve Lunt <lunt@ctt.bellcore.com>
To: kerberos@MIT.EDU

If you are considering incorporating AFS authentication into FTP,
I suggest you read the Internet Draft (about to become an RFC).

(b) FTP. The IETF Common Authentication Technology
Working Group is currently defining security extensions
for the FTP protocol. An Internet Draft describing
their work, and the source code for a modified ftp/ftpd
with the extensions, are now available via anonymous
FTP:
thumper.bellcore.com:pub/lunt/README

-- Steve

Steven J. Lunt lunt@bellcore.com
Information Technology Security RRC 1L-213
Bellcore 444 Hoes Lane
(908) 699-4244 Piscataway, NJ 08854

> From: schemers@leland.Stanford.EDU (Roland Schemers)
>
> In article <WALRUS.94Apr24155830@enchanter.ifs.umich.edu>,
> michael shiplett <michael.shiplett@umich.edu> wrote:
> >
> > Now that kerberos works, I guess it's time to modify ftpd to get an
> >AFS token.
> >
>
> How were you planning on doing that? I've messed around a little with
> the kerberized ftp/ftpd and added a simple "site klog" command. I modified
> the kerberized ftp client and added a "klog" command, which prompts you
> for your password. The client also warns you if you are not running
> in "private" (commands/data encrypted) mode. The client then sends
> your AFS password over the encrypted channel.
>
> More elaborate methods could send an existing token (base64 encoded) over the
> data channel, or ftpd could request an AFS kerberos ticket for you, send it
> to the client, the client could decrypt the ticket and/or turn it into a token
> and send it back to the server (all over an encrypted channel of course).
> Sending an existing token over would be nice because you wouldn't have to type
> your password if you had a token. It does put more smarts in the client
> where the simple "site klog passwd" adds less. Maybe both are needed.