[1580] in Kerberos_V5_Development
Re: ftpd should allow protection to be required
daemon@ATHENA.MIT.EDU (Bruce R. Lewis)
Thu Aug 15 10:11:35 1996
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krbdev@MIT.EDU
From: brlewis@MIT.EDU (Bruce R. Lewis)
Date: 15 Aug 1996 10:11:16 -0400
In-Reply-To: Sam Hartman's message of 14 Aug 1996 19:56:22 -0400
If you want to put an option into telnetd to require that encryption
start before login, you will want to look at the Athena code even if the
behavior you want is slightly different. The trouble is this: If a
telnet client supports encryption and is going to encrypt, it sends
X,Y,Z, ENCRYPT REQUEST-START and ENCRYPT START. If a telnet client
supports encryption but isn't going to encrypt, it sends the same X,Y,Z
and then nothing. You have to do a timeout. I think this is brokenness
on the part of the protocol.
My other beef with the protocol is that you can't use kerberos
encryption unless your principal is authorized to login, so you can't
just encrypt with kerberos and type a password to login as somebody
else. This is because the AUTHENTICATION option really means
AUTHENTICATION-AND-AUTHORIZATION, at least in this implementation. I
haven't looked at the protocol closely enough to know if you could
separate authentication and authorization.
Of course, doing what you want to do with ftpd will be easier.
Bruce
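Added example (not code from this thread or from the MIT/Athena telnetd): a server-side check that decides whether a login prompt may be offered, given the Telnet ENCRYPT negotiation received so far. Option and suboption codes follow RFC 2946; the 5-second timeout is an assumed value.

```python
# Added example, not MIT/Athena telnetd code. Option/suboption codes per
# RFC 2946; timeout_s is an assumed policy value.
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254
ENCRYPT = 38                              # TELOPT_ENCRYPT
SUPPORT, START, REQUEST_START = 1, 3, 5   # ENCRYPT suboption commands


def parse_negotiation(data: bytes):
    """Split a raw client stream into ('will'|'wont'|'do'|'dont', opt) and
    ('sb', opt, payload) events. Doubled IAC bytes inside suboption data
    are not unescaped here (relevant for binary key ids)."""
    names = {WILL: "will", WONT: "wont", DO: "do", DONT: "dont"}
    events, i = [], 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            i += 1                        # ordinary data byte: skip it
            continue
        cmd = data[i + 1]
        if cmd in names:
            if i + 2 >= len(data):
                break                     # option byte not received yet
            events.append((names[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                     # suboption not complete yet
            events.append(("sb", data[i + 2], bytes(data[i + 3:end])))
            i = end + 2
        else:
            i += 2                        # some other two-byte IAC command
    return events


def login_decision(events, waited_s, timeout_s=5.0):
    """'allow' once the client has sent ENCRYPT START (its output is now
    encrypted, so a typed password is protected); 'reject' if it refused the
    option or stayed silent past the timeout; otherwise 'wait'. The silent
    case is the ambiguity the message describes: a capable-but-unwilling
    client sends the same WILL/SUPPORT prefix and then nothing, so only a
    timer can settle it."""
    for ev in events:
        if ev[0] == "sb" and ev[1] == ENCRYPT and ev[2][:1] == bytes([START]):
            return "allow"
        if ev[0] in ("wont", "dont") and ev[1] == ENCRYPT:
            return "reject"               # explicit refusal: no need to wait
    return "reject" if waited_s >= timeout_s else "wait"
```

A real daemon would call login_decision each time bytes arrive and again when the timer fires, and only then hand the connection to login.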