[12701] in Athena Bugs
telnet -safe or -x behaves DANGEROUSLY
daemon@ATHENA.MIT.EDU (jhawk@MIT.EDU)
Wed Oct 5 03:10:50 1994
From: jhawk@MIT.EDU
To: bugs@MIT.EDU
Cc: jhawk@MIT.EDU, yandros@MIT.EDU, hobbit@asylum.sf.ca.us
Date: Wed, 05 Oct 1994 03:10:36 EDT
Hi.
telnet -ax (aka telnet -safe), when confronted with a telnetd
that does not understand Kerberos encryption and authentication,
proceeds to very merrily hand you an open connection without
explicitly stating that auth/enc failed.
For example:
---cut
athena% telnet -ax oliver
Trying 18.70.0.212...
Connected to oliver.MIT.EDU.
Escape character is '^]'.
AIX telnet (oliver)
IBM AIX Version 3 for RISC System/6000
(C) Copyrights by IBM and by others 1982, 1991.
login:
---cut
telnet is perfectly happy to tell you when it succeeds:
---cut
athena% telnet -ax yaz
Trying 18.70.0.225...
Connected to YAZ-PISTACHIO.MIT.EDU.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
---cut
Alternatively, if you give it the right debugging options, telnet
will tell you when it fails:
---cut
telnet -ax
telnet> toggle options
Will show option processing.
telnet> open oliver
Trying 18.70.0.212...
Connected to oliver.MIT.EDU.
Escape character is '^]'.
SENT WILL AUTHENTICATION
SENT DO ENCRYPT
SENT WILL ENCRYPT
[...]
RCVD DONT AUTHENTICATION
RCVD WONT ENCRYPT
RCVD DONT ENCRYPT
[...]
SENT WONT ECHO
AIX telnet (oliver)
RCVD DONT ECHO
IBM AIX Version 3 for RISC System/6000
(C) Copyrights by IBM and by others 1982, 1991.
login:
---cut
This is a Bad Thing (tm).
When a user says telnet -ax, or telnet -safe, that user expects
to get a safe, reliable, data channel. By allowing telnet to
blindly proceed in such a condition, you allow a user to unwittingly
compromise themselves and their machine by handing out passwords to the 'net.
There are two reasonable solutions:
1) Be very loud about failures to negotiate encryption:
[ Cannot try KERBEROS4, remote host does not support ]
[ ENCRYPTION (-x, -safe) FAILED, THIS SESSION IS NOT SECURE ]
2) Be loud, and kill the connection and terminate telnet.
I support the latter. If a user really wants to open a nonencrypted
telnet connection, they should be forced to type telnet without -safe.
The default should be the secure, paranoid, method.
Thanks.
--jhawk
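The following is an added example, not code from the original report or from the Athena telnet source. It parses a telnetd's option-negotiation replies (the RCVD DONT AUTHENTICATION / WONT ENCRYPT lines shown with "toggle options" above) and applies the policy of solution (2): in -safe mode a peer that declines, or never offers, AUTHENTICATION and ENCRYPT gets a loud message and no session. The IAC verbs and option codes (AUTHENTICATION = 37, ENCRYPT = 38) are the standard telnet values; the two server byte streams are constructed here to mimic the oliver and yaz exchanges; the function names and the wording of the failure messages are this example's own. It covers only the DO/WILL option stage, not the Kerberos subnegotiation that follows a successful one.

```python
"""Option-negotiation watchdog for a telnet client '-safe' mode.

Added example; the policy mirrors solution (2) of the bug report: if the user
asked for -safe and the peer does not accept both AUTHENTICATION and ENCRYPT,
say so loudly and refuse to hand over the connection.
"""

# Standard telnet protocol values (RFC 854 verbs, RFC 2941/2946 options).
IAC, WILL, WONT, DO, DONT = 255, 251, 252, 253, 254
SB, SE = 250, 240
TELOPT_AUTHENTICATION = 37
TELOPT_ENCRYPT = 38

VERB = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {TELOPT_AUTHENTICATION: "AUTHENTICATION", TELOPT_ENCRYPT: "ENCRYPT"}


def parse_negotiation(data: bytes):
    """Split raw bytes from a telnetd into ((verb, option) events, plain text).

    IAC <verb> <option> triples become events; IAC SB ... IAC SE blocks are
    skipped; IAC IAC is an escaped 0xFF data byte; other IAC commands are
    two bytes and are ignored.
    """
    events, text = [], bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                              # truncated command
        cmd = data[i + 1]
        if cmd in VERB:
            if i + 2 >= len(data):
                break                          # truncated verb/option
            events.append((cmd, data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd == IAC:
            text.append(IAC)
            i += 2
        else:
            i += 2                             # NOP, GA, etc.
    return events, bytes(text)


def check_safe_session(data: bytes, safe: bool = True):
    """Decide whether a session may continue under the '-safe' policy.

    Returns (ok, messages). With safe=True, ok is False unless the peer sent
    DO AUTHENTICATION, WILL ENCRYPT and DO ENCRYPT and declined none of them;
    a silent peer (no negotiation before the login banner) also fails.
    With safe=False the session is always allowed, as plain 'telnet' would.
    """
    events, _ = parse_negotiation(data)
    accepted, declined, messages = set(), set(), []
    for verb, opt in events:
        if opt not in OPT:
            continue
        messages.append(f"RCVD {VERB[verb]} {OPT[opt]}")
        (accepted if verb in (WILL, DO) else declined).add((opt, verb))

    auth_ok = (TELOPT_AUTHENTICATION, DO) in accepted and \
        (TELOPT_AUTHENTICATION, DONT) not in declined
    enc_ok = {(TELOPT_ENCRYPT, WILL), (TELOPT_ENCRYPT, DO)} <= accepted and \
        not any(opt == TELOPT_ENCRYPT for opt, _ in declined)

    if not safe or (auth_ok and enc_ok):
        return True, messages
    missing = [name for name, ok in (("AUTHENTICATION", auth_ok),
                                      ("ENCRYPT", enc_ok)) if not ok]
    messages.append("[ Cannot try KERBEROS4, remote host does not support "
                    + " or ".join(missing) + " ]")
    messages.append("[ ENCRYPTION (-x, -safe) FAILED, THIS SESSION IS NOT SECURE ]")
    messages.append("[ Connection closed. Run telnet without -safe to proceed unencrypted ]")
    return False, messages


# Constructed replies (not captures) mimicking the two hosts in the report.
OLIVER_REPLY = (bytes([IAC, DONT, TELOPT_AUTHENTICATION])
                + bytes([IAC, WONT, TELOPT_ENCRYPT])
                + bytes([IAC, DONT, TELOPT_ENCRYPT])
                + b"\r\nAIX telnet (oliver)\r\nlogin: ")
YAZ_REPLY = (bytes([IAC, DO, TELOPT_AUTHENTICATION])
             + bytes([IAC, WILL, TELOPT_ENCRYPT])
             + bytes([IAC, DO, TELOPT_ENCRYPT])
             + bytes([IAC, SB, TELOPT_AUTHENTICATION, 1, IAC, SE]))  # auth SEND

if __name__ == "__main__":
    for host, reply in (("oliver", OLIVER_REPLY), ("yaz", YAZ_REPLY)):
        ok, msgs = check_safe_session(reply)
        print(f"{host}: {'session allowed' if ok else 'session refused'}")
        print("\n".join(msgs))
```

The key design choice is that silence counts as failure: a telnetd that never negotiates at all would otherwise slip past a check that only looks for explicit DONT/WONT replies, and the user would again end up at a cleartext login: prompt while believing -safe was honoured.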