[258] in Release_7.7_team
Re: telnet -safe as default
daemon@ATHENA.MIT.EDU (brlewis@MIT.EDU)
Tue Jan 17 11:05:07 1995
From: brlewis@MIT.EDU
Date: Tue, 17 Jan 95 11:04:56 -0500
To: jhawk@MIT.EDU
Cc: release-team@MIT.EDU, krb-apps@MIT.EDU
In-Reply-To: "[253] in Release_7.7_team"

Shall we continue this discussion in krb-apps? I think the ratio of
interested:disinterested people is higher over there than on
release-team. The krb-apps list has a public discuss meeting, which I
just announced in release-77.

jhawk wrote:

> No. I'm saying that I expect that eventually (I suppose I neglected to
> submit my bug report to anyone other than Athena; I will rectify this
> when I finish my development work on telnet over IAP...) the
> "mainline" (i.e. K5 and CNS K4) encrypted telnets will support my
> change of -ax failing when an encrypted connection is not possible.

As far as I know, other sites only know about two kinds of telnet
session:

  (1) You type your password over the net in plaintext
  (2) You don't have to type your password at all.

The session for which you use Kerberos authentication *and* type your
password is very much an Athena-ism. Elsewhere, users are probably
taught that if it asks you for a password, then (1), otherwise it's (2).

The rest of the world probably isn't motivated to make telnet exit if
authentication fails. The BSD telnet did include code that would make
telnet exit, not if the server didn't support authentication, but if
authentication failed for other reasons. This code was #ifdef'ed with
someone's username, and undocumented. Apparently it wasn't very
important to Borman.

When Athena gets completely switched over to krb5, we'll be in the same
situation as the rest of the world - you won't need to type your
password for an authenticated connection.