Subject: Re: Centralized User and Password Management
To: None <netbsd-users@NetBSD.ORG, woods@weird.com>
From: Johan A.van Zanten <johan@giantfoo.org>
List: netbsd-users
Date: 12/08/2004 14:27:41
"Greg A. Woods" <woods@weird.com> wrote:
> That's a common problem where a "kerberised" system falls down badly....
> 
> It should be possible to implement a policy that makes it impossible for
> the user to telnet without using encryption.


I think I may be lacking some of the context of this discussion, but does
the "-a user" argument to telnetd satisfy your goal:

               user Only allow connections when the remote user can
                    provide valid authentication information to identify
                    the remote user, and is allowed access to the
                    specified account without providing a password.

?

> I really Really REALLY detest having to work on special-cased code that
> hacks security features into otherwise basic client applications like
> "telnet", "cvs", etc., etc., etc., etc., etc.  It never ends.  Grrr.
> Just say "NO!" to "kerberised" client applications.  At least SSH does
> it better by making it possible to simply use it as a secure RJE and
> bulk data transport, and it does it in a way that's very nicely
> compatible with all the things we did in unix-land before we realized
> that network security was going to be such an important issue.

 Yeah, it's frustrating. It's really too bad that the U.S. government's
restrictions on the distribution of technology prevented Kerberos 5 and
the GSSAPI from becoming more widely accepted.  I doubt that would have
spared you from dealing with some specialized code, but I still feel we'd
be a lot better off if the NSA (et al) had relented (earlier) in their
futile attempts to keep decent crypto from being used by anyone but the
U.S.

 -johan
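As an added example (not part of this thread and not NetBSD's own code), a small audit script that parses inetd.conf entries and reports which telnet entries start telnetd with `-a user`; the inetd.conf lines it checks are constructed sample data.

```python
"""Audit inetd.conf for telnetd entries and report their '-a' authentication
mode, so an admin can see which listeners still accept unauthenticated logins.
The configuration below is a constructed sample, not a real system's file."""
import shlex

# Constructed sample: one entry using -a user, one without any -a flag,
# and a commented-out entry that must be ignored.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed example)
ftp     stream tcp  nowait root /usr/libexec/ftpd    ftpd -ll
telnet  stream tcp  nowait root /usr/libexec/telnetd telnetd -a user
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
telnet  stream tcp6 nowait root /usr/libexec/telnetd telnetd -h
"""

def parse_inetd(text):
    """Yield (service, proto, args) for active entries. inetd.conf fields:
    service socktype proto wait[/max] user[:group] program argv0 args..."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 7:
            continue  # malformed or argument-less entry; skip it
        yield fields[0], fields[2], fields[7:]  # args after argv0

def telnetd_authmode(args):
    """Return the value given to -a (the last one wins, as with getopt),
    or None when telnetd is started without an -a flag."""
    mode = None
    i = 0
    while i < len(args):
        if args[i] == "-a" and i + 1 < len(args):
            mode = args[i + 1]
            i += 2
            continue
        if args[i].startswith("-a") and len(args[i]) > 2:
            mode = args[i][2:]  # attached form, e.g. -auser
        i += 1
    return mode

def audit_telnetd(text):
    """Return one (proto, authmode, ok) tuple per active telnet entry."""
    findings = []
    for service, proto, args in parse_inetd(text):
        if service == "telnet":
            mode = telnetd_authmode(args)
            findings.append((proto, mode, mode == "user"))
    return findings

if __name__ == "__main__":
    for proto, mode, ok in audit_telnetd(SAMPLE_INETD_CONF):
        print(f"telnet/{proto}: -a {mode or '<unset>'} -> {'OK' if ok else 'REVIEW'}")
```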