Then it looks like Debian's telnet does not support client
certificates.  I don't know what "telnet-ssl" is or was.  If this was
Tim Hudson's old implementation using the TELNET AUTH SSL hack then it
should be abandoned in favor of one that supports the IETF TELNET
START_TLS option.  The code that Peter Runestig and I wrote supports
START_TLS as well as the TELNET FORWARD-X option for securing X
Windows sessions.  It also supports TLS session reuse for improved
performance.

It also provides several sample implementations of the 

  X509_to_user() 

function so you can specify how your clients' certificates, once
verified, should be mapped to userids.  You can find it at:

  http://www.runestig.com/osp.html

It comes with a client as well.  However, the best TLS Telnet client
for *nix is C-Kermit 8.0:

  http://www.kermit-project.org/ckermit.html

Security description at

  http://www.kermit-project.org/security.html



> -----Original message-----
> From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 06 June 2002 19:58
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Re: telnetd-ssl
> 
> 
> That depends on whose Telnetd you are using and how you want the
> clients to be authorized.
> 
> -I'm on a Debian 2.4.6 with telnetd-ssl and telnet-ssl (0.17), openssl
> 0.9.6-c and their libs, latest libc6 and depending libs. This is the
> testing version of Debian.
> 
> -I've talked with the package maintainer and he said that the
> original sources are from telnetssl and he never tested client
> certificate authentication. I've tried to do this with this config:
> 
> -CA root certificate installed and accessible.
> -Two verified X.509 certs created with demoCA (signed by the CA root
> certificate):
> 
> *telnetd cert subject and issuer
> 
> subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=Telnet/CN=zidane.in3.es
> issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3
> 
> *newcert cert subject and issuer
> 
> subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=staff/CN=<user name>, where user name is a valid system user
> issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3
> 
> -telnetd entry in inetd.conf:
> 
> telnets         stream  tcp     nowait  telnetd.telnetd   /usr/sbin/tcpd /usr/sbin/in.telnetd -z cert=/etc/ssl/certs/telnetd.pem -z key=/etc/ssl/private/telnetd.key -z certrequired -z secure -z verify=1 -z certsok
> 
> -command line from bash:
> 
> telnet-ssl -z cert=newcert.pem -z debug -z verbose -z key=newcert.key -z verify=1 zidane.in3.es 992
> 
> The output during execution of the client:
> 
> [SSL - attempting to switch on SSL]
> [SSL - handshake starting]
> SSL_connect:UNKWN  before/connect initialization
> SSL_connect:23WCHA SSLv2/v3 write client hello A
> SSL_connect:3RSH_A SSLv3 read server hello A
> Certificate[0] subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=Telnet/CN=zidane.in3.es
> Certificate[0] issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3 Certificate Authority
> SSL_connect:error in 3RSC_B SSLv3 read server certificate B
> SSL_connect:error in 3RSC_B SSLv3 read server certificate B
> [SSL - FAILED (-1)]
> telnet: Unable to ssl_connect to remote host: Success
> 3752:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:769:
> [SSL - SSL_accept error]
> Connection closed by foreign host.
> 
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 

 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]               OpenSSL.
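Added example, not code from the page, from telnetd-ssl, or from the Runestig/Altman telnet: one way to write the policy that an X509_to_user() hook has to implement, in Python rather than as the C callback. It takes subject and issuer DNs in the OpenSSL one-line format that appears in the quoted debug output, and it assumes the TLS layer has already chain-verified the client certificate; it only decides which local account a verified certificate may log in as. The CA DN, the user names and the user table are constructed for the example. Note that the quoted run never got this far: the client rejected the server certificate, so no client certificate was ever mapped.

```python
"""Map a verified client certificate to a local account (X509_to_user style).

Policy enforced here, all of which must hold:
  1. the issuer DN equals a pinned CA DN (chain verification alone accepts
     any CA in the trust store, and any of those could issue CN=<user>);
  2. the subject carries exactly one CN;
  3. the CN is a syntactically safe user name and not a protected account;
  4. the account exists on this system.
"""
import pwd
import re
from typing import Callable, List, Optional, Tuple


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL's one-line DN, e.g. "/C=ES/O=Example S.A./CN=alice".

    Caveat: this format is ambiguous when a value itself contains "/" or "=";
    a production hook should walk the parsed X509_NAME instead of a string.
    """
    if not dn.startswith("/"):
        raise ValueError("expected DN in OpenSSL one-line format")
    rdns = []
    for part in dn[1:].split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.strip(), value.strip()))
    return rdns


def attr_values(rdns: List[Tuple[str, str]], key: str) -> List[str]:
    return [v for k, v in rdns if k == key]


# Only names safe to hand to the login subsystem; "root" is refused no
# matter what the CA issued.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
DENIED_USERS = frozenset({"root"})


def local_user_exists(name: str) -> bool:
    """Default account lookup against the local passwd database."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def x509_to_user(subject_dn: str, issuer_dn: str, expected_issuer_dn: str,
                 user_exists: Callable[[str], bool] = local_user_exists
                 ) -> Optional[str]:
    """Return the local account for a verified certificate, or None to refuse."""
    if parse_oneline_dn(issuer_dn) != parse_oneline_dn(expected_issuer_dn):
        return None                      # wrong CA, even if it chains
    cns = attr_values(parse_oneline_dn(subject_dn), "CN")
    if len(cns) != 1:
        return None                      # no CN, or ambiguous multiple CNs
    user = cns[0]
    if not USERNAME_RE.match(user) or user in DENIED_USERS:
        return None                      # unsafe or protected name
    if not user_exists(user):
        return None                      # no such account
    return user


# Constructed sample data (hypothetical CA and users, not from the page).
EXAMPLE_CA = "/C=ES/ST=Castellon/L=Castellon/O=Example CA/OU=Example CA/CN=Example CA"
OTHER_CA = "/C=ES/O=Other CA/CN=Other CA"
KNOWN_USERS = frozenset({"alice", "bob"})


def demo() -> List[Tuple[str, Optional[str]]]:
    """Run the mapper over constructed certificates; returns (subject, result)."""
    cases = [
        ("/C=ES/O=Example S.A./OU=staff/CN=alice", EXAMPLE_CA),
        ("/C=ES/O=Example S.A./OU=staff/CN=alice", OTHER_CA),
        ("/C=ES/O=Example S.A./CN=root", EXAMPLE_CA),
        ("/C=ES/O=Example S.A./CN=carol", EXAMPLE_CA),
        ("/C=ES/O=Example S.A./CN=alice/CN=bob", EXAMPLE_CA),
        ("/C=ES/O=Example S.A./CN=Alice Smith", EXAMPLE_CA),
    ]
    return [(s, x509_to_user(s, i, EXAMPLE_CA, KNOWN_USERS.__contains__))
            for s, i in cases]


if __name__ == "__main__":
    for subject, user in demo():
        print(f"{subject:50s} -> {user}")
```

The `user_exists` parameter exists so the policy can be tested against a fixed user table; in the real hook it would be the passwd lookup. Pinning the issuer DN is the check most often missed: with `verify=1` the library accepts any CA in the trust store, so without it an unrelated CA's certificate for CN=alice would log in as alice.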