Recipe 4.15 Using Kerberos with Telnet

4.15.1 Problem

You want to use Telnet securely, and you have an MIT Kerberos-5 environment.

4.15.2 Solution

Use the Kerberos-aware ("Kerberized") version of telnet. Assuming you have set up a Kerberos realm [Recipe 4.11] and hosts [Recipe 4.13], enable the Kerberized Telnet daemon on your desired destination machine:

/etc/xinetd.d/krb5-telnet:

    service telnet
    {
            ...
            disable = no
    }

and disable the standard Telnet daemon:

/etc/xinetd.d/telnet:

    service telnet
    {
            ...
            disable = yes
    }

Then restart xinetd on that machine [Recipe 3.3] (suppose its hostname is moof):

    moof# kill -HUP `pidof xinetd`

and check /var/log/messages for any error messages. Then, on a client machine (say, dogcow) in the same realm, DOGOOD.ORG:

    dogcow$ kinit -f
    Password for pat@DOGOOD.ORG:
    dogcow$ /usr/kerberos/bin/telnet -fax moof
    Trying 10.1.1.6...
    Connected to moof.dogood.org (10.1.1.6).
    Escape character is '^]'.
    Waiting for encryption to be negotiated...
    [ Kerberos V5 accepts you as ``pat@DOGOOD.ORG'' ]
    [ Kerberos V5 accepted forwarded credentials ]
    Last login: Fri Mar  7 03:28:14 from localhost.localdomain
    You have mail.
    moof$

You now have an encrypted Telnet connection, strongly and automatically authenticated via Kerberos.

4.15.3 Discussion

Often, people think of Telnet as synonymous with "insecure," but this is not so. The Telnet protocol allows for strong authentication and encryption, though it is seldom implemented. With the proper infrastructure, Telnet can be quite secure, as shown here.

The -f flag to kinit requests forwardable credentials, and the same flag to telnet then requests that they be forwarded. Thus, your Kerberos credentials follow you from one host to the next, removing the need to run kinit again on the second host in order to use Kerberos there. This provides a more complete single-sign-on effect.

As shown, the Kerberized Telnet server still allows plaintext passwords if Kerberos authentication fails, or if the client doesn't offer it. To make telnetd require strong authentication, modify its xinetd configuration file:

/etc/xinetd.d/krb5-telnet:

    service telnet
    {
            ...
            service_args = -a valid
    }

and restart xinetd again. Now when you try to telnet insecurely, it fails:

    dogcow$ telnet moof
    telnetd: No authentication provided.
    Connection closed by foreign host.
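The end state of this recipe is three facts about /etc/xinetd.d: the plain telnet service is disabled, krb5-telnet is enabled, and krb5-telnet passes -a valid to telnetd. The following audit script is an added example, not code from the book; it reads xinetd service files the way the fragments above are written, and exercises itself on a constructed sample directory rather than the real /etc/xinetd.d (the file names telnet and krb5-telnet are assumed to match the recipe's):

```sh
#!/bin/sh
# Added audit script (not from the Linux Security Cookbook). Verifies that an
# xinetd directory matches the recipe: plaintext telnet disabled, krb5-telnet
# enabled and started with "-a valid" so telnetd refuses unauthenticated logins.
# Usage: audit_telnet /etc/xinetd.d

# Print one attribute's value (e.g. "disable") from an xinetd service file,
# tolerating tabs and spaces around "="; first occurrence wins, empty if absent.
xinetd_attr() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" |
        head -n 1
}

audit_telnet() {
    dir=$1
    rc=0
    plain=$(xinetd_attr "$dir/telnet" disable)
    if [ "$plain" != "yes" ]; then
        echo "FAIL: $dir/telnet still enabled (disable = ${plain:-unset})"
        rc=1
    fi
    krb=$(xinetd_attr "$dir/krb5-telnet" disable)
    if [ "$krb" != "no" ]; then
        echo "FAIL: $dir/krb5-telnet not enabled (disable = ${krb:-unset})"
        rc=1
    fi
    # Collapse runs of whitespace so "-a   valid" is still recognised.
    args=$(xinetd_attr "$dir/krb5-telnet" service_args | tr -s '[:space:]' ' ')
    case " $args " in
        *" -a valid "*) ;;
        *) echo "FAIL: $dir/krb5-telnet lacks 'service_args = -a valid' (plaintext fallback allowed)"
           rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $dir matches the recipe"
    return "$rc"
}

# Constructed sample directory mirroring the recipe's final configuration,
# so the audit can be tried without touching the real /etc/xinetd.d.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$d/telnet"
    printf 'service telnet\n{\n\tservice_args = -a valid\n\tdisable = no\n}\n' \
        > "$d/krb5-telnet"
    echo "$d"
}

audit_telnet "$(make_sample_dir)"
```

Run it against the real directory after the xinetd restart; a non-zero exit means one of the three conditions from the recipe is still missing.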

If Kerberized authentication doesn't work, try the following to get more information:

    dogcow$ telnet -fax
    telnet> set authd
    auth debugging enabled
    telnet> set encd
    Encryption debugging enabled
    telnet> open moof
    Trying 10.1.1.6...

which prints details about the Telnet authentication and encryption negotiation.

4.15.4 See Also

telnet(1), telnetd(8).



Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247