Future of kerberised telnet, login, rsh, ftp?

Jeffrey Altman jaltman at MIT.EDU
Tue Jul 5 21:29:06 EDT 2005 

Andrew:

These tools still have extremely wide use.   I cannot speak for Heimdal
but my opinion regarding the MIT distribution is that these apps should
be separated from the core libraries and be maintained and distributed
in an independent package.

Telnet for example should be built using OpenSSL to provide START-TLS
and Kerberos 5 for authentication using the TLS finished messages as
channel bindings.   As long as the apps are shipped and built within
Kerberos there becomes a chicken and egg situation.   TLS cannot be
built with Kerberos ciphers if the Kerberos distribution contains apps
that must be built with TLS.

I anticipate that MIT will be able to announce in the near future that
these apps will be removed in a future release.

Jeffrey Altman


Andrew Bartlett wrote:
> As a relative newcomer to the kerberos world, I'm wondering what the
> future of tools like kerberised telnet, rsh, ftp and the like is.  It
> seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> like pam_krb5 have taken over from these tools.
> 
> I note that recent security advisories for both distributions were in
> these 'utility' programs (telnet, ftpd etc) rather than in the core
> kerberos code.  
> 
> Do these tools still have wide use?  Is there a plan to phase them out,
> or maintain them separately to the main kerberos distribution?
> 
> (This was brought up by a look we are taking on samba-technical about
> what proportion of Heimdal to import, with a strong view to avoid
> including these apps).
> 
> Andrew Bartlett
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2707 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20050705/c4b87608/attachment.bin

More information about the krbdev mailing list