[12465] in Athena Bugs
Re: ktelnet isn't safe
daemon@ATHENA.MIT.EDU (brlewis@MIT.EDU)
Wed Aug 24 14:00:55 1994
From: brlewis@MIT.EDU
Date: Wed, 24 Aug 94 14:00:42 -0400
To: Stephen Gildea <gildea@x.org>
Cc: bugs@MIT.EDU, athena-ws@MIT.EDU
Reply-To: athena-ws@MIT.EDU
In-Reply-To: "[12452] in Athena Bugs"
I assumed that if it found no tickets, ktelnet would use your password
to obtain them. Instead, it seems to be falling back to ordinary
telnet behavior. Since this is a security issue, it should be clearly
documented that if ktelnet prompts you for a password, it is going to
do something stupid with it.
The programs that prompt you for your password are login, xlogin, kinit
and rkinit. The telnet program never prompts you for a password. It
connects you to remote hosts where login prompts for a password.
I have submitted a patch that causes ktelnet to exit with an error
message if it tries and fails to do Kerberos authentication. This
partially solves the problem you describe.
We can only partially solve the problem for two reasons:
1. We don't control all clients.
2. We want to keep traditional telnet access the same.
I can fix the Athena telnet client (which is actually the BSD 4.4 client
with minor changes) to do what you want, but what about NCSA telnet for
Macintosh? Or whatever comes out for Windows/DOS? We can't change
every client's fallback behavior, so users still need to be educated
that unless they see "What you type is protected by encryption" (printed
by the Athena dialup server, not the client), they make their password
vulnerable.
After doing kinit, I get a similar dialog, but the mk_req failure
message is "Principal unknown (kerberos)".
You need /etc/athena/krb.realms, which you can pull from any Athena
workstation. That will make telnet try to get tickets for
rcmd.whatever@ATHENA.MIT.EDU instead of rcmd.whatever@MIT.EDU. Or you
can use "telnet -safe -k ATHENA.MIT.EDU".
Note that even if -safe was safe, ktelnet still is broken, because
-safe should be the default. I shouldn't have to know to ask for it
to do the right thing.
It would be a major user-interface change for telnet to try to
authenticate/encrypt by default. Many users won't want that. Athena is
making a concerted effort not to constantly change the environment and
force users to do what we think is better.
--
, Bruce R. Lewis ___
(| Analyst Programmer =====
|) Distributed Computing and Network Services |||||||
MIT' Information Systems -=======-
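
The fail-closed behaviour discussed in this message (exit when Kerberos authentication is attempted and does not succeed, rather than continuing as ordinary telnet), as an added example that is not part of the original message and is not the Athena patch. The function names, the `require_auth` flag and the sample byte streams are constructed for illustration; the protocol constants are those of RFC 854, RFC 1416 and RFC 1411.

```c
#include <stddef.h>
#include <stdio.h>
/* Telnet codes: RFC 854 (IAC, DONT, SB, SE), RFC 1416 (option 37, REPLY),
 * RFC 1411 (Kerberos V4 type and its REJECT/ACCEPT reply codes). */
enum { IAC = 255, DONT = 254, SB = 250, SE = 240, TELOPT_AUTHENTICATION = 37,
       AUTH_REPLY = 2, AUTHTYPE_KERBEROS_V4 = 1, KRB4_REJECT = 1, KRB4_ACCEPT = 2 };
enum auth_result { AUTH_NONE, AUTH_REFUSED, AUTH_REJECTED, AUTH_ACCEPTED };
/* Constructed server byte streams, not captures from a real host. */
const unsigned char srv_accept[] = { IAC, 253 /* DO */, 37,
    IAC, SB, 37, AUTH_REPLY, AUTHTYPE_KERBEROS_V4, 0, KRB4_ACCEPT, IAC, SE };
const unsigned char srv_reject[] = {
    IAC, SB, 37, AUTH_REPLY, AUTHTYPE_KERBEROS_V4, 0, KRB4_REJECT, IAC, SE };
const unsigned char srv_refuse[] = { IAC, DONT, 37, 'l','o','g','i','n',':',' ' };
const unsigned char srv_plain[] = { 'l','o','g','i','n',':',' ' };
/* IAC IAC is an escaped data byte 255, so no command starts here. */
const unsigned char srv_escaped[] = {
    IAC, IAC, SB, 37, AUTH_REPLY, AUTHTYPE_KERBEROS_V4, 0, KRB4_ACCEPT, IAC, SE };

/* Report how Kerberos V4 authentication ended in the bytes the server sent.
 * Tracks only the outcome; mutual-authentication checks are out of scope. */
enum auth_result scan_server_bytes(const unsigned char *b, size_t n)
{
    enum auth_result r = AUTH_NONE;
    for (size_t i = 0; i + 2 < n; i++) {
        if (b[i] != IAC) continue;
        if (b[i+1] == IAC) { i++; continue; }          /* escaped 0xFF */
        if (b[i+1] == DONT && b[i+2] == TELOPT_AUTHENTICATION) r = AUTH_REFUSED;
        /* IAC SB AUTHENTICATION REPLY <type> <modifier> <status> ... IAC SE */
        if (b[i+1] == SB && b[i+2] == TELOPT_AUTHENTICATION && i + 6 < n &&
            b[i+3] == AUTH_REPLY && b[i+4] == AUTHTYPE_KERBEROS_V4) {
            if (b[i+6] == KRB4_ACCEPT) r = AUTH_ACCEPTED;
            else if (b[i+6] == KRB4_REJECT) r = AUTH_REJECTED;
        }
    }
    return r;
}

/* 1 = session may continue, 0 = client must exit before any login prompt.
 * require_auth = 1 is fail-closed; 0 is the silent fallback to plain telnet. */
int session_allowed(enum auth_result r, int require_auth)
{
    return r == AUTH_ACCEPTED || !require_auth;
}

int main(void)
{
    puts(session_allowed(scan_server_bytes(srv_plain, sizeof srv_plain), 1) ? "continue" : "exit");
    return 0;
}
```

With `require_auth` set, every outcome other than an explicit ACCEPT ends the session, including a server that never negotiates authentication at all.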