[5659] in Kerberos
Re: Krb 5.5 Encrypted Login Sessions
daemon@ATHENA.MIT.EDU (Joe Ramus)
Thu Aug 10 19:31:50 1995
Date: Thu, 10 Aug 95 15:55:02 PDT
From: ramus@nersc.gov (Joe Ramus)
To: tytso@MIT.EDU, kerberos@MIT.EDU
Thanks Ted for the explanation about telnet encryption.
You did not mention krlogin & krlogind, which currently have an
encryption option that actually works. There is a different
entry in /etc/services for the encrypted version. And also a
different entry in /etc/inetd.conf. Here are the lines from
/etc/services.
    klogin      543/tcp     # Kerberos 5 authenticated rlogin
    eklogin     2105/tcp    # Kerberos 5 encrypted rlogin
There is no "request to turn on encryption" as part of the
options negotiation. Therefore, the man in the middle must work
a lot harder to either prevent encryption or to unscramble the packets.
The same method could be used for telnet.
>> Date: Thu, 10 Aug 1995 17:58:16 -0400
>> From: Theodore Ts'o <tytso@MIT.EDU>
>> OK, let me explain what's going on. The current telnet encryption
>> option is seriously flawed in that it's susceptible to an on-line
>> attack. (Although to be fair, most of the Diffie-Hellman "quick-fix"
>> encrypting telnet solutions which are floating around too. Of course,
>> Kerberos is supposed to be a lot better than the "quick-fix" solutions,
>> too. :-)
>>
>> The problem is that the request to turn on encryption is not actually
>> protected. What this means is that if you can hijack a TCP connection
>> (read: if you have a copy of the toolkit which Mitnick stole from LLNL)
>> it is possible to stop the request to turn on encryption from reaching
>> the server, and then send a message down the telnet stream to the client
>> saying "[Encryption Enabled]" and the user will be totally faked out.
>> The user might think that encryption has been enabled, but in fact it
>> has not been. This is bad.
----------------------------------------------------------------
| Joe Ramus NERSC Livermore (510) 423-8917 ramus@nersc.gov |
----------------------------------------------------------------
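
Added example, not part of the original message or of any Kerberos distribution: a small audit of the two files the message names, checking that the encrypted listener (eklogin) is active and the authenticated-only one (klogin) is not, so a session cannot end up on the unencrypted port. The sample file contents, the klogind path, and the "encrypted port only" policy are assumptions made for illustration.

```python
# Constructed sample inputs (not from the original message); the klogind
# path is a placeholder.
SERVICES = """\
klogin   543/tcp    # Kerberos 5 authenticated rlogin
eklogin  2105/tcp   # Kerberos 5 encrypted rlogin
"""
INETD_WEAK = """\
klogin   stream tcp nowait root /path/to/klogind klogind
#eklogin stream tcp nowait root /path/to/klogind klogind
"""
INETD_STRICT = """\
#klogin  stream tcp nowait root /path/to/klogind klogind
eklogin  stream tcp nowait root /path/to/klogind klogind
"""

def _fields(line):
    """Split a config line into fields, dropping any trailing # comment."""
    return line.split("#", 1)[0].split()

def parse_services(text):
    """Map service name (and aliases) -> (port, protocol)."""
    table = {}
    for line in text.splitlines():
        f = _fields(line)
        if len(f) >= 2 and "/" in f[1]:
            port, proto = f[1].split("/", 1)
            if port.isdigit():
                for name in [f[0]] + f[2:]:
                    table.setdefault(name, (int(port), proto))
    return table

def enabled_listeners(text):
    """Service names with an active (uncommented, complete) inetd.conf entry."""
    return {f[0] for f in map(_fields, text.splitlines()) if len(f) >= 6}

def audit(services_text, inetd_text, plain="klogin", encrypted="eklogin"):
    """Return findings; an empty list means only the encrypted port is offered."""
    ports, live = parse_services(services_text), enabled_listeners(inetd_text)
    findings = []
    for name in (plain, encrypted):
        if name in live and name not in ports:
            findings.append(f"{name}: enabled in inetd.conf but missing from services")
    if encrypted not in live:
        findings.append(f"{encrypted}: no active listener, encrypted rlogin unavailable")
    if plain in live:
        port = ports.get(plain, ("?", "tcp"))[0]
        findings.append(f"{plain}: port {port} is live, authenticated-only rlogin reachable")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", INETD_WEAK), ("strict", INETD_STRICT)):
        print(label, audit(SERVICES, conf) or "ok")
```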