[1592] in Kerberos_V5_Development
Re: telnetd
daemon@ATHENA.MIT.EDU (Sam Hartman)
Thu Aug 15 21:51:55 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbcore@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 15 Aug 1996 21:51:00 -0400
In-Reply-To: "Barry Jaspan"'s message of Thu, 15 Aug 1996 18:50:40 -0400
>>>>> "Barry" == "Barry Jaspan" <bjaspan@MIT.EDU> writes:
Barry> The difference between -a user and -a valid is that
Barry> -a user requires you eventually log in as the user you
Barry> specify in the authentication. With the -a valid option,
Barry> you can log in as something else.
Barry> I hadn't considered the possibility as logging in as
Barry> someone else when I first tried to figure out what all the
Barry> -a options meant.
Barry> The behavior you describe is not what I am seeing. -a user
Barry> and -a valid seem to me to be identical: you must be in
Barry> ~/.k5login. -a none seems to be what you are suggesting -a
Barry> valid to be: if I run telnet -l marc beeblebrox, it says
Bruce reminded me of a minor problem with my ideal picture
of the world: telnetd doesn't actually separate authorization from
authentication. So, authentication isn't valid unless you actually
get authorized. I.E. because of broken implementation -a user == -a
valid. Actually, looking back at the man page, I'm either
describing -a other or -a valid, and it's vague enough that I don't
know which. Since -a other is unsupported, and I'm fairly certain
after remembering the conversation with Bruce that -a valid isn't
useful, it doesn't matter much.
The difference between -a valid and -a none is that
connections are accepted even if they don't supply authentication at
all.
I run a system with -a user and regularly log in as
non-default users.
Yes, this does need to be fixed.
--Sam