Subject: Re: Latest CERT advisory on telnet vs. Kerberos
To: Greg Earle <earle@isolar.Tujunga.CA.US>
From: John Hawkinson <jhawk@panix.com>
List: current-users
Date: 02/21/1995 03:03:10
> I just got a new CERT advisory concerning security of encrypted
> telnet (i.e., some version of telnet that uses Kerberos V4 I
> guess?).  Included was a unidiff patch that patched
> /usr/src/lib/libtelnet/auth.c and .../libtelnet/kerberos.c.  I
> dunnae see a "kerberos.c" in the NetBSD libtelnet sources.

Correct. NetBSD has removed most Kerberos support from 4.4lite to
comply with export restrictions.

Thorsten Lockert, <tholo@SigmaSoft.COM>, has reintegrated a bunch
as of 6 Mar of last year, in PR 157, as of 0.9-current of that date.
It doesn't seem to include Kerberized telnet....

> Comments?  Is that an MIT-only local thingy?

No, it affects the Cray, and 44lite telnets as well. Additionally,
the next release of Cygnus Network Security (which is the easiest way
to get Kerberos under NetBSD) will include a Kerberized telnet client.
It will, of course, have this fix in it.

--
John Hawkinson
jhawk@panix.com					also...jhawk@mit.edu