Subject: ut oh..
To: None <explorer@NetBSD.ORG>
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
List: tech-net
Date: 03/22/1996 14:20:37
-----BEGIN PGP SIGNED MESSAGE-----

   Modified Files:
	   commands.c 
   Log Message:
   Fix telnet so that KerberosIV encryption works with CNAMEs:
	   for ip # based telnets:
		   get the host name via gethostbyaddr() and use the
			   name returned.  If the call fails, keep
			   the numeric version and let kerberos fail.
	   for telnets to CNAMEs:
		   After the gethostbyname() has returned the correct
			   ip #, use it as above to get the true
			   name of the machine.

This is a *bad* idea.

This introduces a vulnerability to name-server based spoofing.

Since the DNS is not secure, I can pollute your cache with a CNAME
pointing at a different kerberos telnet server (either in the same
realm or in a different realm which your realm has exchanged
interrealm keys with), and make you request a secure connection to a
server other than the one you expected to.

This would be especially bad if kerberos4 telnet supported ticket
forwarding (like krb5 telnet does..)

I would strongly suggest that you print the server principal name you
actually end up using if the client pulls this stunt..

					- Bill

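
The check suggested in the message above, as an added example that is not part of the original post or of the NetBSD telnet source: derive the Kerberos IV principal from the resolver-supplied name and tell the caller when that name differs from what the user typed, so the principal can be printed. The function names, the "rcmd" service name, the instance and realm derivation rules, and the host names are assumptions made for illustration.

```c
/* Added example: surface the Kerberos IV principal chosen after DNS lookups. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive host name comparison that ignores one trailing dot. */
static int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * typed: name the user asked for. resolved: name from the resolver (untrusted).
 * Writes "rcmd.<instance>@<REALM>" into princ. Assumed rules: instance is the
 * first label lower-cased, realm is the remaining domain upper-cased.
 * Returns 1 when DNS changed the name, so the caller should display princ.
 */
int derive_principal(const char *typed, const char *resolved,
                     char *princ, size_t n)
{
    char inst[64], realm[64];
    size_t i = 0, j = 0;
    for (; resolved[i] && resolved[i] != '.' && i + 1 < sizeof inst; i++)
        inst[i] = (char)tolower((unsigned char)resolved[i]);
    inst[i] = '\0';
    while (resolved[i] && resolved[i] != '.') i++;   /* skip over-long label */
    if (resolved[i] == '.') i++;
    for (; resolved[i] && j + 1 < sizeof realm; i++)
        realm[j++] = (char)toupper((unsigned char)resolved[i]);
    if (j && realm[j - 1] == '.') j--;               /* drop trailing dot */
    realm[j] = '\0';
    snprintf(princ, n, "rcmd.%s@%s", inst, realm);
    return !same_host(typed, resolved);
}

int main(void)
{
    char p[160];
    /* Constructed names: the user typed the first, DNS returned the second. */
    if (derive_principal("login.example.com", "shell.partner.example", p, sizeof p))
        fprintf(stderr, "telnet: DNS changed the host; authenticating to %s\n", p);
    return 0;
}
```
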