[2284] in Kerberos-V5-bugs


Re: telnet/51: telnetd requires auth negotiation to be complete before term set

daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Oct 4 00:04:30 1996

Date: Fri, 4 Oct 1996 00:04:11 -0400
From: Sam Hartman <hartmans@MIT.EDU>
To: schemers@stanford.edu
Cc: krb5-bugs@MIT.EDU, krb5-bugs-redist@MIT.EDU
In-Reply-To: schemers@stanford.edu's message of Thu, 3 Oct 1996 14:34:43 -0700
	(PDT) <199610032134.OAA05483@slapshot.stanford.edu>


	The policy decision was made because no session state should
be established before authentication.  In the case of term, I cannot
think of any case where it creates a security problem, but in other
cases it does create a security problem.

	However, as demonstrated by the following dump of telnet
options, the client generally does not send the terminal type until
prompted by the server.  I suspect your mainframe is violating the
spec in this respect but would have to ponder the appropriate RFCs for
a while to be sure.


athena% add krb5
add krb5
athena% /mit/krb5/bin/telnet -xa
/mit/krb5/bin/telnet -xa
telnet> set options
set options
Will show option processing.
telnet> open tertius
open tertius
Trying 18.245.0.72...
Connected to tertius.MIT.EDU.
Escape character is '^]'.
SENT WILL AUTHENTICATION
SENT DO ENCRYPT
SENT WILL ENCRYPT
SENT DO SUPPRESS GO AHEAD
SENT WILL TERMINAL TYPE
SENT WILL NAWS
SENT WILL TSPEED
SENT WILL LFLOW
SENT WILL LINEMODE
SENT WILL NEW-ENVIRON
SENT DO STATUS
...
RCVD IAC SB AUTHENTICATION SEND KERBEROS_V4 CLIENT|MUTUAL KERBEROS_V4 CLIENT|ONE-WAY 
[ Trying KERBEROS4 ... ]
SENT IAC SB AUTHENTICATION NAME "hartmans"
...
RCVD WILL ENCRYPT
SENT IAC SB ENCRYPT REQUEST-START
SENT IAC SB ENCRYPT SUPPORT DES_CFB64 DES_OFB64 
RCVD DO ENCRYPT
...
RCVD WILL SUPPRESS GO AHEAD
RCVD DO TERMINAL TYPE
RCVD DO NAWS
RCVD DO TSPEED
RCVD DO LFLOW
RCVD DONT LINEMODE
RCVD DO NEW-ENVIRON
RCVD WILL STATUS
...
...
...
RCVD DO XDISPLOC
SENT WONT XDISPLOC
RCVD DO OLD-ENVIRON
SENT WONT OLD-ENVIRON
...
SENT IAC SB ENCRYPT REPLY DES_CFB64 CFB64_IV_OK
...
[ Kerberos V4 challenge successful ]
RCVD IAC SB ENCRYPT REPLY DES_CFB64 CFB64_IV_OK
SENT IAC SB ENCRYPT ENC_KEYID  0
RCVD IAC SB ENCRYPT ENC_KEYID  0
SENT IAC SB ENCRYPT DEC_KEYID  0
RCVD IAC SB ENCRYPT DEC_KEYID  0
SENT IAC SB ENCRYPT START
RCVD IAC SB ENCRYPT START
RCVD IAC SB TERMINAL-SPEED SEND
SENT IAC SB TERMINAL-SPEED IS 9600,9600
RCVD IAC SB NEW-ENVIRON SEND 
SENT IAC SB NEW-ENVIRON IS VAR "USER" VALUE "hartmans" VAR "PRINTER" VALUE "nil"
RCVD IAC SB TERMINAL-TYPE SEND
SENT IAC SB TERMINAL-TYPE IS "UNKNOWN"


	Because I don't see a security issue involved in terminal type
being sent before authentication, I can probably be convinced to
remove the check from the MIT tree.  However, I am somewhat reluctant
to do so because I do believe the client is behaving improperly, and
there really is no good reason to do session parameter negotiation
before authentication and encryption.

--Sam

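The ordering the option dump above shows, as an added example that is not code from the krb5 tree or from this report: a small parser for telnet option negotiation (IAC framing per RFC 855; option codes TERMINAL-TYPE 24, NAWS 31, TSPEED 32, AUTHENTICATION 37, ENCRYPT 38, NEW-ENVIRON 39; IS/SEND subnegotiation codes from RFC 1091/2941) and a server-side gate that models the policy the message describes. Session-parameter subnegotiations (TERMINAL-TYPE, TSPEED, NAWS, NEW-ENVIRON) arriving before authentication has completed are refused, and the server emits its own SEND requests only after that point, which is why a conforming client never sends the terminal type early. The Kerberos exchange is replaced by a constructed stand-in (`FAKE_TOKEN`, `verify_auth`), and the terminal name `vt100` is likewise constructed; `simulate(True)` plays the mainframe behaviour from the report, `simulate(False)` a conforming client.

```python
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
TERMINAL_TYPE, NAWS, TSPEED, AUTHENTICATION, ENCRYPT, NEW_ENVIRON = 24, 31, 32, 37, 38, 39
SUB_IS, SUB_SEND = 0, 1                                  # TERMINAL-TYPE / TSPEED / NEW-ENVIRON
AUTH_IS, AUTH_SEND, AUTH_REPLY, AUTH_NAME = 0, 1, 2, 3    # RFC 2941 suboption codes
SESSION_OPTS = {TERMINAL_TYPE, NAWS, TSPEED, NEW_ENVIRON} # session state, not authentication
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}


def parse_options(stream):
    """Return ('WILL'|'WONT'|'DO'|'DONT', opt) and ('SB', opt, payload) tuples from raw
    telnet bytes.  Ordinary data is skipped, IAC IAC is unescaped, truncation is an error."""
    events, i, n = [], 0, len(stream)

    def at(k):
        if k >= n:
            raise ValueError("truncated telnet stream")
        return stream[k]

    while i < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = at(i + 1)
        if cmd == IAC:                                   # escaped 0xff data byte
            i += 2
        elif cmd in CMD_NAMES:
            events.append((CMD_NAMES[cmd], at(i + 2)))
            i += 3
        elif cmd == SB:
            opt, j, payload = at(i + 2), i + 3, bytearray()
            while True:
                b = at(j)
                if b != IAC:
                    payload.append(b)
                    j += 1
                elif at(j + 1) == IAC:                   # escaped 0xff inside the SB
                    payload.append(IAC)
                    j += 2
                elif at(j + 1) == SE:
                    j += 2
                    break
                else:
                    raise ValueError("unexpected IAC command inside subnegotiation")
            events.append(("SB", opt, bytes(payload)))
            i = j
        else:
            raise ValueError("unsupported telnet command %d" % cmd)
    return events


def sb(opt, *payload):
    """Build IAC SB <opt> <payload> IAC SE, escaping any 0xff payload byte."""
    body = bytes(payload).replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, opt]) + body + bytes([IAC, SE])


class TelnetdGate:
    """Server-side ordering policy: no session state before authentication."""

    def __init__(self, verify_auth):
        self.verify_auth = verify_auth   # callable(payload) -> bool; stands in for the mechanism
        self.authenticated = False
        self.accepted = {}               # option -> payload, only once authenticated
        self.refused = []                # (option, payload) that arrived too early

    def server_requests(self):
        """SEND requests the server is willing to emit now: none before authentication,
        mirroring the dump where they appear only after ENCRYPT START."""
        if not self.authenticated:
            return b""
        return b"".join(sb(o, SUB_SEND) for o in (TSPEED, NEW_ENVIRON, TERMINAL_TYPE))

    def feed_client(self, stream):
        for ev in parse_options(stream):
            if ev[0] != "SB":
                continue                 # WILL/DO bookkeeping is not modelled here
            _, opt, payload = ev
            if opt == AUTHENTICATION and payload[:1] == bytes([AUTH_IS]):
                self.authenticated = self.verify_auth(payload[1:])
            elif opt in SESSION_OPTS:
                if self.authenticated:
                    self.accepted[opt] = payload
                else:
                    self.refused.append((opt, payload))   # the telnet/51 situation
        return self


FAKE_TOKEN = b"\x01\x00krb-ok"   # constructed stand-in, not a real Kerberos message


def simulate(client_sends_term_early):
    """Run one session; return (option codes refused before auth, accepted terminal type)."""
    gate = TelnetdGate(lambda p: p == FAKE_TOKEN)
    first = bytes([IAC, WILL, AUTHENTICATION, IAC, WILL, TERMINAL_TYPE])
    if client_sends_term_early:          # terminal type volunteered before authentication
        first += sb(TERMINAL_TYPE, SUB_IS, *b"vt100")
    gate.feed_client(first)
    gate.feed_client(sb(AUTHENTICATION, AUTH_IS, *FAKE_TOKEN))
    # A conforming client answers TERMINAL-TYPE only after the server's SEND.
    if any(o == TERMINAL_TYPE and p == bytes([SUB_SEND])
           for _, o, p in parse_options(gate.server_requests())):
        gate.feed_client(sb(TERMINAL_TYPE, SUB_IS, *b"vt100"))
    term = gate.accepted.get(TERMINAL_TYPE)
    return [o for o, _ in gate.refused], (term[1:].decode() if term else None)
```

In the early case the first TERMINAL-TYPE IS is refused and the terminal type is still learned later, once the server asks for it; removing the check, as the message considers, would change only the first half of that outcome. The parser is deliberately strict about truncated input and stray IAC commands inside a subnegotiation, since a server that tolerates malformed option data before authentication is exactly the kind of pre-auth state the policy is meant to avoid.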
