Subject: Re: Centralized User and Password Management
To: None <netbsd-users@NetBSD.ORG, email@example.com>
From: Johan A.van Zanten <firstname.lastname@example.org>
Date: 12/08/2004 14:27:41
"Greg A. Woods" <email@example.com> wrote:
> That's a common problem where a "kerberised" system falls down badly....
> It should be possible to implement a policy that makes it impossible for
> the user to telnet without using encryption.
I think I may be lacking some of the context of this discussion, but does
the "-a user" argument to telnetd satisfy your goal:
    user    Only allow connections when the remote user can provide
            valid authentication information to identify the remote
            user, and is allowed access to the specified account
            without providing a password.
> I really Really REALLY detest having to work on special-cased code that
> hacks security features into otherwise basic client applications like
> "telnet", "cvs", etc., etc., etc., etc., etc. It never ends. Grrr.
> Just say "NO!" to "kerberised" client applications. At least SSH does
> it better by making it possible to simply use it as a secure RJE and
> bulk data transport, and it does it in a way that's very nicely
> compatible with all the things we did in unix-land before we realized
> that network security was going to be such an important issue.
Yeah, it's frustrating. It's really too bad that the U.S. government's
restrictions on the distribution of technology prevented Kerberos 5 and
the GSSAPI from becoming more widely accepted. I doubt that would have
spared you from dealing with some specialized code, but I still feel we'd
be a lot better off if the NSA (et al) had relented (earlier) in their
futile attempts to keep decent crypto from being used by anyone but the
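As an added example (not part of the original thread and not NetBSD's own code), here is a small audit helper for the point raised above about telnetd's "-a user" option: it reads inetd.conf-style lines and reports every active telnet entry whose telnetd is not started with "-a user" or "-a valid", i.e. one that would still fall back to an ordinary password login. It assumes the standard inetd.conf field layout (service, socket type, protocol, wait, user, server path, argv) and the -a values documented in telnetd(8); the sample configuration embedded below is constructed for the example. Note that -a governs authentication only; it does not by itself force the session to be encrypted.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original thread or NetBSD).
# Reads inetd.conf-style lines on stdin and prints each active "telnet"
# entry whose telnetd lacks "-a user" / "-a valid", i.e. entries that still
# permit a password-only login.
# Assumption: inetd.conf layout is
#   service socktype proto wait user server-path argv0 [args...]

weak_telnetd_entries() {
    awk '
        # Skip comments (disabled entries) and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # Field 6 is the server path; only look at telnet entries running telnetd.
        $1 == "telnet" && $6 ~ /telnetd$/ {
            strict = 0
            # Arguments start after argv0; look for a strict -a mode.
            for (i = 7; i < NF; i++)
                if ($i == "-a" && ($(i+1) == "user" || $(i+1) == "valid"))
                    strict = 1
            if (!strict) print $0
        }
    '
}

# Constructed sample inetd.conf (not taken from any real host).
SAMPLE_INETD_CONF='# comment line
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd     ftpd -ll
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd  telnetd -a user
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd -a none
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd  telnetd -a valid
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd -a none'

# Number of weak entries in the sample; the bare "telnetd" and the
# "-a none" line are flagged, the commented-out line is ignored.
count_weak() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | weak_telnetd_entries | wc -l | tr -d ' '
}

# Usage: weak_telnetd_entries < /etc/inetd.conf
printf '%s\n' "$SAMPLE_INETD_CONF" | weak_telnetd_entries
```

On a real host, pipe /etc/inetd.conf into weak_telnetd_entries; any line it prints is a telnet service that will still accept a password at the login prompt, regardless of whether Kerberos credentials are available.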