To: None <email@example.com>
From: Miles Nordin <carton@Ivy.NET>
Date: 10/24/2005 20:01:00
Content-Type: text/plain; charset=US-ASCII

Anyone use telnet recently?

I used to start telnetd in inetd.conf with the '-s' flag, and it would
insist that people use S/Keys. So I wanted to try it, and typed
'skeyinit' and set up an S/Key for myself. Now, I find:

1. If I telnet from localhost, I get an [ SRA login ] prompt. I have
   no idea what this is or how secure it is, and searching the telnet
   and telnetd man pages for 'SRA' and 'sra' turns up nothing, but it
   seems to want plaintext passwords. If I give it one, I get in.

   If I don't want to use SRA login, there is no way to quit
   'telnet'. ^] doesn't work, ^C doesn't work, ^D doesn't work,
   empty usernames don't work.

   In any case, I don't get an opportunity to use my S/Key.

2. If I telnet from Solaris, I get a regular login prompt (after
   removing '-a valid' from the default NetBSD inetd.conf). I type
   my login: and it says:

   no S/Key challenge at all.

3. If I change to another user and do 'su - carton', same thing.
   Password:, no S/Key challenge.

4. If I ssh, from localhost or from Solaris, I get 'Password:', no

5. 'sudo', from pkgsrc, now gives me S/Key challenges. It's the only
   thing that does so far. However, I can't get it to accept the
   babble digest that the 'skey' tool says is right.

I remember using it on NetBSD 1.6, and it was great. ssh asks three
times for S/Key, then takes plain passwords. telnet takes S/Keys only
if given '-s' flag. 'su' did not use S/Keys but meh.

I mean, I know S/Keys are not popular, but...so, full disclosure, I've
been pretty anti-PAM from the beginning. But in a basic sense, what
is the point of this whole PAMification if you don't regression-test
S/Key after importing PAM? S/Key is really the only out-of-the-box
authenticator where PAM will buy you anything, because any other
GSSAPI/Kerberos stuff needs changes to each individual protocol, so it
is the example everyone uses to defend PAM, and AFAICT it's
broken. wtf? Do I have to link in pam_pleasejustwork.so or something?

What is ``SRA login'' and why isn't it documented and why can't I get
out of its prompting? Anyone else having better luck?