[1576] in Kerberos_V5_Development
Re: ftpd should allow protection to be required
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Aug 14 19:56:44 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 14 Aug 1996 19:56:22 -0400
In-Reply-To: "Barry Jaspan"'s message of Wed, 14 Aug 96 10:51:01 -0400
>>>>> "Barry" == "Barry Jaspan" <bjaspan@MIT.EDU> writes:
Barry> Telnet cannot currently be forced into requiring
Barry> encryption.
Barry> The dialups do this (presumably with a hacked telnetd),
Barry> and I think it is a good idea to at least provide the
Barry> option. As you know, I also think it should be the default
Barry> (but that is a client issue).
No, the dialups only require encryption if authentication is
used; clear text is also allowed. It's a local Athena hack.
I agree the option should be provided to require encryption; I'm not
convinced we want to support the behavior of the Athena hack as its
primary utility is to make sure users get tickets on the dialup, and
ticket forwarding is a better way to do that.
Barry> Question: is there an interface to turn on
Barry> encryption on the command channel, or to turn off integrity
Barry> in the client we ship?
Barry> I couldn't find one in the ftpd man page or code. I know
Barry> OV's ftp/d supports that, but perhaps it was a non-required
Barry> (by the I-D) feature.
Am I correct in my understanding that the command connection
starts with integrity turned on?
Barry> I'm not convinced you need an option to require
Barry> encryption/integrity on the data channel, as the user can
Barry> always find a way to spew their data over the net if they
Barry> try.
Barry> That's not the point. The point is to make it easy for
Barry> admins to make it as likely as possible that users will not
Barry> be clueless. Right now, you can run gss-ftp and if you
Barry> forget just once to run the "private" command your data
Barry> goes in the clear. Not good. If ftpd required encryption
Barry> (and, say, refused get/put commands if it were not
Barry> enabled), then at least it would be impossible to forget.
Yes, I was not thinking clearly.
Barry> Better (perhaps) would be to have ftpd automatically put
Barry> ftp into a safe mode; I guess ftp would have to be
Barry> implemented to warn about that, and probably never accept
Barry> an automatic transfer to a lower security level, and maybe
Barry> it is still a dangerous idea.
Why would it be wrong for ftp to accept an automated transfer
to lower security if the command connection had integrity?
Barry> Barry
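
An added example, not part of the original message and not code from the Kerberos ftpd: a sketch of the server-side check discussed above, where transfer commands are refused until the data channel is at least as protected as an administrator-set floor. The names `struct session`, `required` and `gate_command` are hypothetical, the reply codes are this example's choice, and command verbs are assumed to be upper-cased by the parser already.

```c
#include <stdio.h>
#include <string.h>

/* Data-channel levels, weakest to strongest: the client's "clear",
 * "safe" and "private" commands (PROT C, S, P on the wire). */
enum prot { PROT_CLEAR, PROT_SAFE, PROT_PRIVATE };

struct session {
    enum prot level;     /* what the client last asked for */
    enum prot required;  /* floor set by the admin (hypothetical option) */
};

/* Commands that move bytes over the data channel. Directory listings
 * are included because they travel there too. */
static int is_transfer(const char *verb)
{
    static const char *const verbs[] =
        { "RETR", "STOR", "STOU", "APPE", "LIST", "NLST" };
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (strcmp(verb, verbs[i]) == 0)
            return 1;
    return 0;
}

/* Returns 0 if the command may go on to its normal handler, otherwise
 * the FTP reply code to send (codes are this example's choice). */
int gate_command(struct session *s, const char *verb, const char *arg)
{
    if (strcmp(verb, "PROT") == 0) {
        if (arg == NULL || arg[0] == '\0' || arg[1] != '\0')
            return 504;                       /* malformed parameter */
        switch (arg[0]) {
        case 'C': case 'c': s->level = PROT_CLEAR;   return 200;
        case 'S': case 's': s->level = PROT_SAFE;    return 200;
        case 'P': case 'p': s->level = PROT_PRIVATE; return 200;
        default:            return 504;       /* level not handled here */
        }
    }
    if (is_transfer(verb) && s->level < s->required)
        return 534;          /* refuse get/put until protection is on */
    return 0;
}

int main(void)
{
    struct session s = { PROT_CLEAR, PROT_PRIVATE };
    printf("RETR before PROT P: %d\n", gate_command(&s, "RETR", "f"));
    gate_command(&s, "PROT", "P");
    printf("RETR after PROT P:  %d\n", gate_command(&s, "RETR", "f"));
    return 0;
}
```

Because the check runs on every transfer command rather than once at login, a client that drops back to "clear" mid-session is refused again on its next get or put.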