telnet & ftp official status

Tom Yu tlyu at MIT.EDU
Tue Sep 30 12:00:37 EDT 2008 

"Mike Patnode" <mike.patnode at centrify.com> writes:

> I seem to remember seeing some comments here about on-going support for
> the telnet & gssftp client/servers.   What the current official line?
> Will they continue to be supported as part of the distribution, or are
> they being dropped in preference for OpenSSH?

The FTP and telnet applications, as well as the BSD "rcmd"
applications, are still present in our main source tree.  Past
discussions have led us to prefer removing them from our main source
code distribution, possibly maintaining them as a separate
distribution, but we do not have a definite timeline for doing so,
partly out of a need to gather more information.  There are also
protocol vulnerabilities in these applications, but some users desire
the simplicity of these applications in preference to OpenSSH.

A few questions we need to consider are:

* Who needs these applications, and why?

* What should be done about the protocol vulnerabilities?

* What advantages are there compared to SSH?

* Should we continue bundling the applications?

We invite comments on the above subjects.

Regarding the eventual removal from our main source distribution, what
I would like to find out is who depends on the continued bundling
these applications in our source tree, and their reasons for requiring
that bundling.  If anyone needs to have these applications bundled in
the MIT Kerberos source code, please let us know.

We need volunteers to maintain the applications if we are to remove
them from the main distribution.  Russ Allbery has expressed a
willingness to do so in the past.  Russ, are you still willing to do
this?  Is anyone else willing to help out?

There are protocol vulnerabilities in these applications, some which
more serious than others.  The telnet protocol extensions supporting
Kerberos have known security issues (lack of integrity protection),
and the code only supports single-DES.  The BSD "rcmd" applications
also have known replay-related protocol vulnerabilities when used for
single-DES, and the revised (more secure) protocol only supports
triple-DES.  The FTP protocol extensions supporting GSS-API also have
a few issues involving channel multiplexing.

The continued presence of these applications in the MIT Kerberos
source tree raises a number of issues.  These applications, by virtue
of being login-related applications, present a multitude of
portability challenges.  Operating system interfaces related to user
login activities appear to have the some of the largest variations of
any operating system interfaces.

Additionally, having the release cycle of these applications tied to
that of the core MIT Kerberos source code is problematic.  Security
vulnerabilities discovered in the applications will require an update
to the krb5 package, due to bundling.  For vendors wishing to track
only the core Kerberos libraries and utilities, this can create
difficulties with their change management processes.

-- 
Tom Yu
Development Manager
MIT Kerberos Consortium

More information about the krbdev mailing list