Telnet Encryption

Jeffrey Altman jaltman at watsun.cc.columbia.edu
Tue Oct 22 13:05:20 EDT 2002


In article <3DB469AF.3070306 at sun.com>,
Wyllys Ingersoll <wyllys.ingersoll at sun.com> wrote:
: John Dough wrote:
: > System A: Unix machine
: > 
: > Device B: No SSH support, Supports Encrypted Kerberos telnet 
: > connections, Auth via Radius and SecurID.
: > 
: > Requirement: Encrypt all traffic between System A and device B.  
: > Authentication will be handled either by RADIUS or SecurID.
: > 
: > Out of curiosity, is it possible to NOT authenticate Kerberos sessions?  
: > All I need from Kerberos is the ability to encrypt all telnet sessions 
: > from System A to Device B.  It would be nice if this could be 
: > implemented as "seamless" as possible.
: 
: I don't think this is possible.   One of the byproducts of the Kerberos
: authentication is a session key, which is used as the encryption
: key between the client and the server.   Kerberos authentication
: provides a secure way for the 2 sides to exchange these keys,
: I'm not sure that RADIUS or SecurID authentication can
: offer that ability.
: 
: -Wyllys

You cannot safely encrypt a session with the secure exchange of session
keys and that requires some form of authentication.  It could be one way
authentication as is performed in SSL/TLS and SSH or it could be mutual
authentication but some authentication is required.

If you want an encrypted session that is open to man in the middle
attacks you can install a Telnet Server that supports START_TLS and not
install a certificate; or you can install SSH and not exchange the
public key of the server in an out of band channel.





 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 kermit-support at columbia.edu               OpenSSL.
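
The point made in this thread, as an added example that is not part of the original messages: a key exchange with no authentication gives each end a working encryption key, but neither end can tell whether that key is shared with its peer or with a relay in the path. The toy Diffie-Hellman group, the function names, and the pre-shared `auth_key` (standing in for whatever the two ends already trust: a Kerberos key, a certificate, a host key checked out of band) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (assumption for illustration; far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(auth_key, pub):
    """MAC over a public value, keyed with a secret both ends already share."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(intercepted, auth_key=None):
    """Run one key exchange; return (client_key, server_key, relay_keys).

    client_key is None when the client rejects the server's value.
    relay_keys is the pair of keys an in-path relay would hold, or None.
    """
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    s_tag = tag(auth_key, s_pub) if auth_key else None

    seen_by_client, seen_by_server, relay_keys = s_pub, c_pub, None
    if intercepted:
        # The relay substitutes its own public value in both directions.
        r_priv, r_pub = keypair()
        seen_by_client = seen_by_server = r_pub
        relay_keys = (session_key(r_priv, c_pub), session_key(r_priv, s_pub))

    # One-way authentication: the client checks the server's value before using it.
    if auth_key and not hmac.compare_digest(s_tag, tag(auth_key, seen_by_client)):
        return None, session_key(s_priv, seen_by_server), relay_keys
    return session_key(c_priv, seen_by_client), session_key(s_priv, seen_by_server), relay_keys
```

Without `auth_key` the intercepted run completes normally from both ends' point of view while the relay holds both session keys; with it, the client refuses the substituted value and no client key is derived.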


