telnetd and auth options

Jeffrey Altman jaltman at columbia.edu
Thu Jul 18 01:22:01 EDT 2002


The definitions that I have in my docs for Kermit are:

  rejected - rejected or otherwise not authenticated
  unknown  - anonymous connection
  other    - we know him, but not his name
  user     - we know his name
  valid    - we know him, and he needs no password

"user" is the case where the kerberos credentials are validated but
there is no automatic login because krb5_kuserok() failed.  Therefore,
a login prompt is displayed.

> 
> According to the man page for the telnet daemon in 1.2.5
> the "-a user" and "-a valid" behavior is defined as follows:
> 
> ...
>   user        Only allow connections when the  remote  user  can
>                 provide  valid authentication information to iden-
>                 tify the remote user, and is allowed access to the
>                 specified account without providing a password.
> 
> valid       Only allow connections when the  remote  user  can
>                 provide  valid authentication information to iden-
>                 tify the remote user.  The login(1)  command  will
>                 provide any additional user verification needed if
>                 the remote user is not allowed automatic access to
>                 the specified account.
> ...
> 
> This seems to indicate that the "user" authentication option is
> a bit stricter than the "valid" option because "user" indicates that
> the user was authenticated AND authorized to access the account
> whereas the "valid" option just needs proper authentication info.
> 
> Looking at the code in libtelnet/kerberos5.c (kerberos5_status)...
> 
> kerberos5_status(ap, name, level)
> 	Authenticator *ap;
> 	char *name;
> 	int level;
> {
> 	if (level < AUTH_USER)
> 		return(level);
> 
> 	if (UserNameRequested &&
> 	    krb5_kuserok(telnet_context, ticket->enc_part2->client,
> 			 UserNameRequested))
> 	{
> 		/* the name buffer comes from telnetd/telnetd{-ktd}.c */
> 		strncpy(name, UserNameRequested, 255);
> 		name[255] = '\0';
> 		return(AUTH_VALID);
> 	} else
> 		return(AUTH_USER);
> }
> 
> This seems to do the opposite.  If the user is authenticated *and* authorized,
> the status is set to VALID, and if the user is authenticated but not
> authorized, the status is set to USER.
> 
> Is this a discrepancy or am I misreading the manpage and/or the code?
> 
> -Wyllys Ingersoll
>    Sun Microsystems
> 
> 
> 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
> 



 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 kermit-support at columbia.edu               OpenSSL.
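The following is an added example, not code from libtelnet or from either poster, that models the two pieces this thread is about: the decision made in kerberos5_status() (quoted above) and the "-a user" / "-a valid" gate. It uses the level ordering from the list at the top of the message (numeric values assumed), a constructed access table standing in for what krb5_kuserok() consults, string principals instead of krb5_principal, and models the gate as a threshold comparison; the function names model_status, model_kuserok, level_from_name and admitted are this example's own. Running it prints, for an authenticated-and-authorized, an authenticated-but-not-authorized, and a lower-level connection, which of the two settings admits it under the code's semantics.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not libtelnet code) of the authentication levels in
 * the order given in the message above. The numeric values are an
 * assumption; only their ordering matters here.
 */
enum auth_level {
    AUTH_REJECT  = -1,  /* rejected or otherwise not authenticated */
    AUTH_UNKNOWN =  0,  /* anonymous connection */
    AUTH_OTHER   =  1,  /* we know him, but not his name */
    AUTH_USER    =  2,  /* we know his name */
    AUTH_VALID   =  3   /* we know him, and he needs no password */
};

/* Constructed stand-in for the per-account access data krb5_kuserok() consults. */
struct k5login_entry { const char *account; const char *principal; };
static const struct k5login_entry k5login[] = {
    { "alice", "alice@EXAMPLE.COM" },
    { "ops",   "alice/admin@EXAMPLE.COM" },
};

/* Stand-in for krb5_kuserok(): is `client` authorized to log in as `account`? */
static int model_kuserok(const char *client, const char *account)
{
    size_t i;
    for (i = 0; i < sizeof k5login / sizeof k5login[0]; i++)
        if (strcmp(k5login[i].account, account) == 0 &&
            strcmp(k5login[i].principal, client) == 0)
            return 1;
    return 0;
}

/*
 * Mirrors the decision structure of the quoted kerberos5_status(): anything
 * below AUTH_USER passes through untouched; otherwise the result is
 * AUTH_VALID only when a login name was requested and the principal is
 * authorized for it, and AUTH_USER (authenticated, not authorized) otherwise.
 */
static int model_status(int level, const char *client,
                        const char *requested, char *name, size_t namelen)
{
    if (level < AUTH_USER)
        return level;
    if (requested != NULL && model_kuserok(client, requested)) {
        snprintf(name, namelen, "%s", requested); /* bounded, always NUL-terminated */
        return AUTH_VALID;
    }
    return AUTH_USER;
}

/* Map the "-a user" / "-a valid" keyword to the level it demands; returns 0
 * for a keyword this model does not cover. */
static int level_from_name(const char *keyword, int *level)
{
    if (strcmp(keyword, "user") == 0)  { *level = AUTH_USER;  return 1; }
    if (strcmp(keyword, "valid") == 0) { *level = AUTH_VALID; return 1; }
    return 0;
}

/* The -a gate modelled as a threshold (assumption): a connection is admitted
 * only if its status reaches the configured level. */
static int admitted(int status, int required)
{
    return status >= required;
}

static const char *level_name(int level)
{
    switch (level) {
    case AUTH_REJECT:  return "rejected";
    case AUTH_UNKNOWN: return "unknown";
    case AUTH_OTHER:   return "other";
    case AUTH_USER:    return "user";
    case AUTH_VALID:   return "valid";
    default:           return "?";
    }
}

int main(void)
{
    /* Constructed scenarios: level after the ticket check, principal, requested login. */
    struct { int level; const char *client; const char *requested; } cases[] = {
        { AUTH_USER,  "alice@EXAMPLE.COM", "alice" },  /* authenticated and authorized */
        { AUTH_USER,  "bob@EXAMPLE.COM",   "alice" },  /* authenticated, not authorized */
        { AUTH_OTHER, "bob@EXAMPLE.COM",   "alice" },  /* below AUTH_USER: passed through */
    };
    const char *gates[] = { "user", "valid" };
    size_t i, g;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char name[256] = "";
        int status = model_status(cases[i].level, cases[i].client,
                                  cases[i].requested, name, sizeof name);
        printf("%-24s as %-6s -> status %-8s", cases[i].client,
               cases[i].requested, level_name(status));
        for (g = 0; g < sizeof gates / sizeof gates[0]; g++) {
            int req;
            if (level_from_name(gates[g], &req))
                printf("  -a %-5s: %s", gates[g], admitted(status, req) ? "admit" : "refuse");
        }
        printf("\n");
    }
    return 0;
}
```

The middle scenario is the one the thread turns on: a principal whose ticket checks out but who is not authorized for the requested account comes back as AUTH_USER, which the threshold admits under "-a user" and refuses under "-a valid".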
