Dave Walton wrote: > > If you really want to work on an encrypted telnet, check out The > Stanford SRP Authentication Project (http://srp.stanford.edu/srp/). > I'd love to see SRP integrated into the FreeBSD telnet/telnetd.
Again, the problem is that there is administrative overhead - a separate password database is required. It is certainly _also_ a candidate to be included (they can all live side by side), but it does not replace the need that SRA fills. SPK requires a separate database because the server needs to know what the password actually is, not just that the one that was typed is correct. Unix passwords are not suitable because you can't turn hamburger back into steak by running the grinder backwards. :-) When both sides of a conversation have a shared secret, you can assure mutual authentication in a way that is not possible with straight Diffie-Hellman. But Unix passwords can't be considered a shared secret because the server doesn't actually know what the password is. It merely knows when an attempt is correct. A workaround for this is to supply the password salt to the client early in an authentication protocol, then treat the encrypted password as a shared secret. That works, except that more and more unixes are starting to use non-portable crypt() procedures. The client has to have the same crypt() as the server in order for the authentication to succeed. Users with $x salts would not be able to log in from non-FreeBSD machines unless our crypt() was compiled into their telnet.
smime.p7s
Description: S/MIME Cryptographic Signature
