Dave Walton wrote:
>
> On 14 Aug 99, at 5:43, Nick Sayer wrote:
>
> > Dave Walton wrote:
> > >
> > > If you really want to work on an encrypted telnet, check out The
> > > Stanford SRP Authentication Project (http://srp.stanford.edu/srp/).
> > > I'd love to see SRP integrated into the FreeBSD telnet/telnetd.
> >
> > Again, the problem is that there is administrative overhead - a separate
> > password database is required.
>
> Yes, there is /etc/tpasswd to deal with. I guess what I should have
> said is that I'd love to see SRP integrated into FreeBSD (as PAM,
> perhaps?). Properly done, the various system utilities would keep
> passwd, master.passwd and tpasswd in sync, and SRP
> authentication/encryption would be available to telnet, ftp, or
> anything else.

True enough. You'd have to force your users to run 'passwd' once as a
conversion step, and you'd have to modify scripts like 'adduser' to
set up the new format.

> (Disclaimer: Authentication and PAM are way outside of anything I
> know anything about, so I really have no idea what it would take to
> make that work.)
>
> > Keep in mind, also, that as long as AUTHTYPE_SRP and
> > AUTHTYPE_SRA are different numbers, both could be present. I
> > would even concede that SRP should be tried before SRA. But I'd
> > sure as hell rather use SRA than nothing.
>
> Ok, Nick implements SRA for folks in heterogenous NIS
> environments, and Kris implements SRP for those of us without
> that restriction. How's that for a non-cryptographic compromise? :)

I can commit SRA into src/crypto/telnet immediately, if it is
appropriate to do so.

> Unfortunately, this whole discussion ignores one ugly problem:
> client availability.

It's a chicken and egg problem. But I am sure that if we build it,
they will come. But only if it comes by default and has no overhead
and works with legacy systems -- that is, it is a no effort drop-in.
People who type "telnet" will just magically see that their session
is encrypted without them doing anything different. THAT'S the only
way it will start to happen.
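
An added example, not part of the original message and not FreeBSD's telnet code: how distinct AUTHTYPE numbers let SRP and SRA coexist in one telnet AUTHENTICATION SEND offer, with the client answering with the first offered type it supports. The numeric type values, the function name pick_authtype and the sample messages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet framing and AUTHENTICATION option codes. */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_AUTHENTICATION = 37, TELQUAL_SEND = 1 };
/* Type numbers assumed for this example; the thread only requires them to differ. */
enum { AUTHTYPE_NULL = 0, AUTHTYPE_SRP = 5, AUTHTYPE_SRA = 6 };

/* Parse "IAC SB AUTHENTICATION SEND <type,modifier>... IAC SE" and return the
 * first offered type the client supports (the server lists types in order of
 * preference). Returns AUTHTYPE_NULL when nothing matches (a legacy client
 * falls back to plain login) and -1 when the message is malformed. */
int pick_authtype(const unsigned char *msg, size_t len,
                  const int *supported, size_t nsupported)
{
    if (len < 6 || msg[0] != IAC || msg[1] != SB ||
        msg[2] != TELOPT_AUTHENTICATION || msg[3] != TELQUAL_SEND ||
        msg[len - 2] != IAC || msg[len - 1] != SE)
        return -1;
    size_t plen = len - 6;            /* bytes of type/modifier pairs */
    if (plen % 2 != 0)
        return -1;                    /* a type without its modifier byte */
    for (size_t i = 0; i < plen; i += 2) {
        int type = msg[4 + i];        /* modifier at msg[5 + i] ignored here */
        for (size_t j = 0; j < nsupported; j++)
            if (supported[j] == type)
                return type;
    }
    return AUTHTYPE_NULL;
}

/* Constructed sample offers: server prefers SRP, then SRA. */
static const unsigned char offer_both[] =
    { IAC, SB, 37, 1, AUTHTYPE_SRP, 0, AUTHTYPE_SRA, 0, IAC, SE };
static const unsigned char offer_sra_only[] =
    { IAC, SB, 37, 1, AUTHTYPE_SRA, 0, IAC, SE };
static const unsigned char offer_truncated[] =
    { IAC, SB, 37, 1, AUTHTYPE_SRP, IAC, SE };

static const int client_new[] = { AUTHTYPE_SRP, AUTHTYPE_SRA };
static const int client_sra[] = { AUTHTYPE_SRA };

int main(void)
{
    printf("new client, both offered: %d\n",
           pick_authtype(offer_both, sizeof offer_both, client_new, 2));
    printf("SRA-only client, both offered: %d\n",
           pick_authtype(offer_both, sizeof offer_both, client_sra, 1));
    return 0;
}
```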