Subject: Re: telnet login problem revisited
To: Martin Husemann <martin@duskware.de>
From: Christian Hattemer <c.hattemer@arcor.de>
List: current-users
Date: 04/21/2005 17:32:41
Hello Martin

On 20.04.05, you wrote:

>> We have, however, not removed support for insecure telnet, and all you 
>> have to do to get it is remove the "-a valid" option. Given how
>> vulnerable insecure telnet is, I think an admin must perform some
>> action to get it.
>
> Well, he has to uncomment that inetd.conf line in the first place ;-)

I also wanted to say that. It would be discussable if -a should stay there
for added security. But if it stays it has to be documented properly what
that "Authorization failure" means and how it can be disabled. Obviously
there were already at least two people who stumbled across this problem.

I still have to access the telnetd with clients that do not support the
authentication that -a valid requests (2.0 and non-NetBSD clients). However,
this only happens inside my LAN with me as the only user.

> Can someone explain what "-a valid" does? I do not understand what
> telnetd(8) is trying to say.

I'd also like to hear some more words about this, although the explanation
of the Kerberos case was already quite good for a start.

Bye, Chris