Subject: Re: telnet
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: current-users
Date: 10/25/2005 22:14:51
In article <oqk6g2cvnn.fsf@castrovalva.Ivy.NET>,
Miles Nordin <carton@Ivy.NET> wrote:
>
>anyone use telnet recently?
Yes.
>I used to start telnetd in inetd.conf with the '-s' flag, and it would
>insist that people use S/Keys. So I wanted to try it, and typed
>'skeyinit' and set up an S/Key for myself. Now, I find
>
> 1. If I telnet from localhost, I get an [ SRA login ] prompt. I have
> no idea what this is or how secure it is, and searching the telnet
> and telnetd man pages for 'SRA' and 'sra' turns up nothing, but it
> seems to want plaintext passwords. If I give it one, I get in.
google for "telnet SRA"
> If I don't want to use SRA login, there is no way to quit
> 'telnet'. ^] doesn't work, ^C doesn't work, ^D doesn't work,
> empty usernames don't work.
I just fixed that. (^D works)
> In any case, I don't get an opportunity to use my S/Key.
That works, although it looks like it does not. Adding the line:
auth sufficient pam_skey.so no_warn
in /etc/pam.d/telnetd does the trick. Unfortunately this is suboptimal
since you don't see a proper S/KEY prompt. What is even worse is that
the SRA protocol does not have a provision to send a password prompt
back. I just added an extension to pass the password prompt back with
the SRA_CONTINUE message that has an unused payload, but only new
NetBSD telnet servers and clients know how to deal with that.
> 2. If I telnet from Solaris, I get a regular login prompt (after
> removing '-a valid' from the default NetBSD inetd.conf). I type
> my login: and it says:
>
> Password:
>
> no S/Key challenge at all.
Or you can use the NetBSD telnet client and -K.
> 3. If I change to another user and do 'su - carton', same thing.
> Password:, no S/Key challenge.
>
> 4. If I ssh, from localhost or from Solaris, I get 'Password:', no
> S/Key challenge.
Again, add skey to /etc/pam.d/sshd or if you want it for everything,
add it to /etc/skey/system.
> 5. 'sudo', from pkgsrc, now gives me S/Key challenges. It's the only
> thing that does so far. However, I can't get it to accept the
> babble digest that the 'skey' tool says is right.
Yes, because it is not using PAM.
>I remember using it on NetBSD 1.6, and it was great. ssh asks three
>times for S/Key, then takes plain passwords. telnet takes S/Keys only
>if given '-s' flag. 'su' did not use S/Keys but meh.
Now everything can use the same authentication mechanisms, even new
ones that are not compiled in (LDAP etc.). This is the advantage of
PAM.
>I mean, I know S/Keys are not popular, but...so, full disclosure, I've
>been pretty anti-PAM from the beginning. But in a basic sense, what
>is the point of this whole PAMification if you don't regression-test
>S/Key after importing PAM? S/Key is really the only out-of-the-box
>authenticator where PAM will buy you anything, because any other
>GSSAPI/Kerberos stuff needs changes to each individual protocol, so it
>is the example everyone uses to defend PAM, and AFAICT it's
>broken. wtf? Do I have to link in pam_pleasejustwork.so or something?
>What is ``SRA login'' and why isn't it documented and why can't I get
>out of its prompting? Anyone else having better luck?
That is my fault for not testing telnetd and S/KEY. But it is now fixed.
christos
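Added example (not code from this thread or from NetBSD's skey/pam_skey): the RFC 2289 one-time-password chain that S/Key uses, with the MD5 variant and hex output assumed (NetBSD's skey also supports other hash algorithms and the six-word "babble" form, which is not implemented here). It shows what skeyinit stores and how a verifier checks a response, so a rejected OTP means the client's (pass-phrase, seed, sequence) and the stored (seed, sequence, hash) do not describe the same chain.

```python
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding for MD4/MD5: XOR the two 64-bit halves of the 128-bit digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(key: bytes) -> bytes:
    """One link of the chain: f(x) = fold(MD5(x))."""
    return _fold(hashlib.md5(key).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: f^n(fold(MD5(seed + passphrase))), seed lower-cased per RFC 2289."""
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        key = _step(key)
    return key


def otp_hex(passphrase: str, seed: str, n: int) -> str:
    return otp(passphrase, seed, n).hex().upper()


class SkeyVerifier:
    """Server-side state as written by skeyinit (assumed layout): seed, next
    sequence number and the last OTP accepted (initially f^N of the pass-phrase)."""

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed, self.seq, self.last = seed.lower(), seq, last_otp

    def challenge(self) -> str:
        # The prompt the client must answer: the chain link just below the stored one.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or self.seq <= 0:
            return False
        # Accept only if hashing the response once reproduces the stored value;
        # the response then becomes the stored value, so it cannot be replayed.
        if hmac.compare_digest(_step(candidate), self.last):
            self.last, self.seq = candidate, self.seq - 1
            return True
        return False
```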