[1586] in Kerberos_V5_Development

Re: ftpd should allow protection to be required

daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Aug 15 17:51:57 1996

To: brlewis@MIT.EDU (Bruce R. Lewis)
Cc: Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 15 Aug 1996 17:51:44 -0400
In-Reply-To: brlewis@MIT.EDU's message of 15 Aug 1996 10:11:16 -0400

>>>>> "Bruce" == Bruce R Lewis <brlewis@MIT.EDU> writes:

    Bruce> If you want to put an option into telnetd to require that
    Bruce> encryption start before login, you will want to look at the
    Bruce> Athena code even if the behavior you want is slightly
    Bruce> different.  The trouble is this: If a telnet client
    Bruce> supports encryption and is going to encrypt, it sends
    Bruce> X,Y,Z, ENCRYPT REQUEST-START and ENCRYPT START.  If a
    Bruce> telnet client supports encryption but isn't going to
    Bruce> encrypt, it sends the same X,Y,Z and then nothing.  You
    Bruce> have to do a timeout.  I think this is brokenness on the
    Bruce> part of the protocol.

	This is no longer the case.  We have added a hack into the
information sent with x that indicates whether the client will
eventually start encryption.  There is a better solution in the
authencrypt draft that we should eventually look at.  There is a
timeout that we have already implemented to make sure that
authentication is completed before login is started; by the end of
this timeout, encryption must be started if the client said it was
going to start encryption.  This was done as a security fix for a
man-in-the-middle attack.


    Bruce> My other beef with the protocol is that you can't use
    Bruce> kerberos encryption unless your principal is authorized to
    Bruce> login, so you can't just encrypt with kerberos and type a
    Bruce> password to login as somebody else.  This is because the
    Bruce> AUTHENTICATION option really means
    Bruce> AUTHENTICATION-AND-AUTHORIZATION, at least in this
    Bruce> implementation.  I haven't looked at the protocol closely
    Bruce> enough to know if you could separate authentication and
    Bruce> authorization.

	This is purely an implementation issue; the protocol only
speaks to authentication.  I will look at separating out authorization
after Beta 7.  There is already a command line option to do this, but
as we discussed with regard to the library project, it doesn't work
the way you think it should because the authentication code treats
kuserok as part of authentication.


    Bruce> Of course, doing what you want to do with ftpd will be
    Bruce> easier.

    Bruce> Bruce


