Subject: Re: Centralized User and Password Management
To: Johan A.van Zanten <johan@giantfoo.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 12/09/2004 16:57:25
[ On Wednesday, December 8, 2004 at 14:27:41 (-0600), Johan A.van Zanten wrote: ]
> Subject: Re: Centralized User and Password Management
>
> "Greg A. Woods" <woods@weird.com> wrote:
> > That's a common problem where a "kerberised" system falls down badly....
> > 
> > It should be possible to implement a policy that makes it impossible for
> > the user to telnet without using encryption.
> 
> I think I may be lacking some of the context of this discussion, but does
> the "-a user" args to telnetd satisfy your goal:
 
Nope -- forcing the '-x' and not allowing the connection if encryption
doesn't happen might work, but the problem is that the use of this or
any "option" can't easily be forced even if it's redefined to "fail
securely".

Always using "ssh" and never using "telnet" solves the problem, but not
by using GSSAPI.  :-)


>  Yeah, it's frustrating. It's really too bad that the U.S. government's
> restrictions on the distribution of technology prevented Kerberos 5 and
> the GSSAPI from becoming more widely accepted.

Indeed, and amongst other things!  ;-)


>  I doubt that would have
> spared you from dealing with some specialized code

It would not have, and that's the problem.  Sometimes "security" cannot
be left as an option, therefore the lower down you implement it the less
it seems to get in the way of "normal" use.

Universal use of SSH and/or SSL works, and some banks and credit card
companies are leaning hard in that direction, though more are still
clueless....

IPsec could solve the problem too if it were deployed and enforced.

Sadly the poor state of client software and systems security (i.e. the
M$ Windows is everywhere problem) causes those that need strict security
to worry that IPsec might just open big gaping holes into their private
networks, or introduce bridging problems, etc.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>