preventing non-Kerberos logins in telnetd

John Hascall john at iastate.edu
Thu Jan 9 17:47:34 EST 2003


> 	Is there a way to configure my system (Debian GNU/Linux) /
> krb5_telnetd so that it doesn't permit non-Kerberos logins?

This isn't the answer to the question you asked, but here's
what I did on my system to disallow non-encrypted connections
(which might be what you really want):

I added '-e required' as an option to telnetd.
Sorry, I've got a bunch of other changes in mine,
so I can't give a real diff, but the changes are
pretty minor (add 5 lines, change 2) all in telnetd.c:

    :
    :

int maxhostlen = 0;
int always_ip = 0;
int stripdomain = 1;
int encryption_required = 0;               /* ADD THIS LINE */

    :
    :

                case 'e':
                        if (strcmp(optarg, "debug") == 0) {
                                extern int encrypt_debug_mode;
                                encrypt_debug_mode = 1;
                                break;
                        }
                        if (strcmp(optarg, "required") == 0) {  /* ADD THIS */
                                encryption_required = 1;        /* ADD THIS */
                                break;                          /* ADD THIS */
                        }                                       /* ADD THIS */

    :
    :

#ifdef  AUTHENTICATION
        fprintf(stderr, " [-e (debug|required)]");		/* EDIT THIS */
#endif

    :
    :

    /*
     * Wait for the negotiation of what type of encryption we can
     * send with.  If autoencrypt is not set, this will just return.
     */
    if (his_state_is_will(TELOPT_ENCRYPT)) {
        encrypt_wait();
    }
    if (encryption_required || auth_must_encrypt()) {           /* EDIT THIS */




