Subject: Re: telnet
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: current-users
Date: 10/25/2005 22:14:51
In article <oqk6g2cvnn.fsf@castrovalva.Ivy.NET>,
Miles Nordin  <carton@Ivy.NET> wrote:
>
>anyone use telnet recently?

Yes.

>I used to start telnetd in inetd.conf with the '-s' flag, and it would
>insist that people use S/Keys.  so I wanted to try it, and typed
>'skeyinit' and set up an S/Key for myself.  Now, I find
>
> 1. If I telnet from localhost, I get an [ SRA login ] prompt.  I have
>    no idea what this is or how secure it is, and searching the telnet
>    and telnetd man pages for 'SRA' and 'sra' turns up nothing, but it
>    seems to want plaintext passwords.  If I give it one, I get in.

google for "telnet SRA"

>    If I don't want to use SRA login, there is no way to quit
>    'telnet'.  ^] doesn't work, ^C doesn't work, ^D doesn't work,
>    empty usernames don't work.

I just fixed that. (^D works)

>    In any case, I don't get an opportunity to use my S/Key.

That works, although it looks like it does not. Adding the line:

    auth            sufficient      pam_skey.so             no_warn

in /etc/pam.d/telnetd does the trick. Unfortunately this is suboptimal
since you don't see a proper S/KEY prompt. What is even worse is that
the SRA protocol does not have a provision to send a password prompt
back. I just added an extension to pass the password prompt back with
the SRA_CONTINUE message that has an unused payload, but only new
NetBSD telnet servers and clients know how to deal with that.

> 2. If I telnet from Solaris, I get a regular login prompt (after
>    removing '-a valid' from the default NetBSD inetd.conf).  I type
>    my login: and it says:
>
>    Password:
>
>    no S/Key challenge at all.

Or you can use the NetBSD telnet client and -K.

> 3. If I change to another user and do 'su - carton', same thing.
>    Password:, no S/Key challenge.
>
> 4. If I ssh, from localhost or from Solaris, I get 'Password:', no
>    S/Key challenge.

Again, add skey to /etc/pam.d/sshd or if you want it for everything,
add it to /etc/skey/system.

> 5. 'sudo', from pkgsrc, now gives me S/Key challenges.  It's the only
>    thing that does so far.  However, I can't get it to accept the
>    babble digest that the 'skey' tool says is right.

Yes, because it is not using PAM.

>I remember using it on NetBSD 1.6, and it was great.  ssh asks three
>times for S/Key, then takes plain passwords.  telnet takes S/Keys only
>if given '-s' flag.  'su' did not use S/Keys but meh.

Now everything can use the same authentication mechanisms, even new
ones that are not compiled in (LDAP etc.) This is the advantage of
PAM.

>I mean, I know S/Keys are not popular, but...so, full disclosure, I've
>been pretty anti-PAM from the beginning.  But in a basic sense, what
>is the point of this whole PAMification if you don't regression-test
>S/Key after importing PAM?  S/Key is really the only out-of-the-box
>authenticator where PAM will buy you anything, because any other
>GSSAPI/Kerberos stuff needs changes to each individual protocol, so it
>is the example everyone uses to defend PAM, and AFAICT it's
>broken. wtf?  Do I have to link in pam_pleasejustwork.so or something?
>What is ``SRA login'' and why isn't it documented and why can't I get
>out of its prompting?  Anyone else having better luck?

That is my fault for not testing telnetd and S/KEY. But it is now fixed.

christos
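
The PAM stack the reply describes, written out as an added example (it is not from the message above and not NetBSD's shipped file; the pam_unix.so line and the comments are assumptions about what the rest of the telnetd stack looks like). The point is ordering: pam_skey.so is listed as "sufficient" ahead of the password module, so a user who has run skeyinit and answers the one-time challenge correctly is accepted without ever typing a reusable password, while a user with no S/Key entry (or a wrong response) falls through to the next module. "no_warn" keeps pam_skey quiet when it fails, which is what the plaintext-looking SRA prompt in point 1 hides:

```text
# /etc/pam.d/telnetd  (added example; pam_unix line and comments assumed)
#
# auth: try S/Key first.  "sufficient" means success here ends the auth
# stack immediately; failure is ignored and control falls through.
auth            sufficient      pam_skey.so             no_warn
# Fallback: ordinary password lookup.  Anything "sufficient" above it
# must come first, or the reusable password is asked for before the
# one-time challenge ever appears.
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
```

The same "auth sufficient pam_skey.so no_warn" line goes into /etc/pam.d/sshd for point 4, or into the system-wide stack that the per-service files include. Two caveats not stated in the message: the S/Key challenge can only be shown if the service has a way to send a prompt to the client, which is exactly the SRA limitation the reply describes for telnet, and for OpenSSH it means sshd must be built and configured to use PAM with challenge-response (keyboard-interactive) authentication enabled, otherwise the client still sees only "Password:". Also, "sufficient" is not "required": with this stack a valid reusable password still logs a user in, so if the goal is S/Key-only access (the old telnetd -s behaviour) the pam_unix auth line has to be removed or replaced rather than merely ordered after pam_skey.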