tech-net archive


Re: telnetd: Authorization failed & Connection closed



On Sun, 14 Mar 2010, Hubert Feyrer wrote:
> On Sat, 13 Mar 2010, Christos Zoulas wrote:
> >I think you are mis-reading it; if there is not enough information
> >from SRA to log you in without a password, it will pass you to login
> >to do it.
>
> You mean it should run login(1) to ask for a login & password if no
> SRA information is available, right? That's at least what I understand
> from the manpage, and it's also what I think should happen.

By my reading of the man page, under "-a valid", the fallback to
login(1) applies only if the client has provided a valid username using
the AUTHENTICATION protocol option, but the client has not provided
sufficient other credentials to allow immediate access (e.g. a password
or Kerberos ticket).  If the client doesn't use the AUTHENTICATION
option at all, or if the client and server don't share any supported
AUTHENTICATION types, or if the client provides an invalid username,
then "-a valid" will not fall back to using login(1), and will simply
deny access.

If you need to handle clients that provide no AUTHENTICATION option
negotiation at all, then you need "-a none" or "-a off" at the server
side.  I think this is all explained in the telnetd(8) man page, but
the wording could certainly be improved, especially in distinguishing
between information provided by the telnet AUTHENTICATION option (RFC
2941) and the more generic meaning of "authentication information".

--apb (Alan Barrett)
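
Added example, not part of the message above and not telnetd's own code: a small Python parser that reads the bytes a client sent and reports whether it negotiated the AUTHENTICATION option (RFC 2941), which type it offered and which name it sent, to help tell apart the client cases the message distinguishes. The captures are constructed, and the SRA type number is an assumption taken from the BSD `<arpa/telnet.h>` numbering.

```python
# Added example. Codes from RFC 854 / RFC 2941; sample captures are constructed.
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254
AUTHENTICATION, IS, NAME = 37, 0, 3   # option number and client subcommands
# Type 6 = SRA is an assumption taken from the BSD <arpa/telnet.h> numbering.
AUTH_TYPES = {0: "NULL", 1: "KERBEROS_V4", 2: "KERBEROS_V5", 6: "SRA"}

def summarize_client_auth(data: bytes) -> dict:
    """Report what a client sent for AUTHENTICATION in its byte stream."""
    out = {"will_auth": None, "types": [], "name": None}
    i = 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in (WILL, WONT, DO, DONT) and i + 2 < len(data):
            if cmd in (WILL, WONT) and data[i + 2] == AUTHENTICATION:
                out["will_auth"] = cmd == WILL
            i += 3
        elif cmd == SB:
            j, body = i + 2, bytearray()
            while j + 1 < len(data) and not (data[j] == IAC and data[j + 1] == SE):
                if data[j] == IAC and data[j + 1] == IAC:
                    j += 1          # IAC IAC is an escaped 0xFF data byte
                body.append(data[j])
                j += 1
            if j + 1 >= len(data):
                break               # truncated subnegotiation, stop parsing
            if len(body) >= 3 and body[0] == AUTHENTICATION and body[1] == IS:
                out["types"].append(AUTH_TYPES.get(body[2], str(body[2])))
            elif len(body) >= 2 and body[0] == AUTHENTICATION and body[1] == NAME:
                out["name"] = body[2:].decode("ascii", "replace")
            i = j + 2
        else:
            i += 2
    return out

def classify(data: bytes) -> str:
    s = summarize_client_auth(data)
    if not s["will_auth"]:
        return "no AUTHENTICATION negotiation"
    if set(s["types"]) <= {"NULL"}:
        return "no usable AUTHENTICATION type offered"
    return f"offered {s['types'][-1]} as user {s['name']!r}"

# Constructed client-to-server captures, one per case.
NO_OPTION = bytes([IAC, WONT, AUTHENTICATION])
NULL_ONLY = bytes([IAC, WILL, AUTHENTICATION, IAC, SB, AUTHENTICATION, IS, 0, 0, IAC, SE])
SRA_USER = (bytes([IAC, WILL, AUTHENTICATION, IAC, SB, AUTHENTICATION, NAME]) + b"alice"
            + bytes([IAC, SE, IAC, SB, AUTHENTICATION, IS, 6, 0, 0, IAC, SE]))
```

The parser only shows what the client sent; whether a name is valid and whether the credentials suffice is decided on the server side.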

