Subject: telnet
To: current-users@netbsd.org
From: Miles Nordin <carton@Ivy.NET>
List: current-users
Date: 10/24/2005 20:01:00

anyone use telnet recently?

I used to start telnetd in inetd.conf with the '-s' flag, and it would
insist that people use S/Keys.  so I wanted to try it, and typed
'skeyinit' and set up an S/Key for myself.  Now, I find

 1. If I telnet from localhost, I get an [ SRA login ] prompt.  I have
    no idea what this is or how secure it is, and searching the telnet
    and telnetd man pages for 'SRA' and 'sra' turns up nothing, but it
    seems to want plaintext passwords.  If I give it one, I get in.
    If I don't want to use SRA login, there is no way to quit
    'telnet'.  ^] doesn't work, ^C doesn't work, ^D doesn't work,
    empty usernames don't work.

    In any case, I don't get an opportunity to use my S/Key.

 2. If I telnet from Solaris, I get a regular login prompt (after
    removing '-a valid' from the default NetBSD inetd.conf).  I type
    my login: and it says:

    Password:

    no S/Key challenge at all.

 3. If I change to another user and do 'su - carton', same thing.
    Password:, no S/Key challenge.

 4. If I ssh, from localhost or from Solaris, I get 'Password:', no
    S/Key challenge.

 5. 'sudo', from pkgsrc, now gives me S/Key challenges.  It's the only
    thing that does so far.  However, I can't get it to accept the
    babble digest that the 'skey' tool says is right.

I remember using it on NetBSD 1.6, and it was great.  ssh asks three
times for S/Key, then takes plain passwords.  telnet takes S/Keys only
if given '-s' flag.  'su' did not use S/Keys but meh.

I mean, I know S/Keys are not popular, but...so, full disclosure, I've
been pretty anti-PAM from the beginning.  But in a basic sense, what
is the point of this whole PAMification if you don't regression-test
S/Key after importing PAM?  S/Key is really the only out-of-the-box
authenticator where PAM will buy you anything, because any other
GSSAPI/Kerberos stuff needs changes to each individual protocol, so it
is the example everyone uses to defend PAM, and AFAICT it's
broken. wtf?  Do I have to link in pam_pleasejustwork.so or something?
What is "SRA login" and why isn't it documented and why can't I get
out of its prompting?  Anyone else having better luck?

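For readers following the S/Key part of this thread, here is an added worked example of the one-time-password scheme the poster is talking about. It is not part of the original post and not NetBSD's skey or PAM code; it follows RFC 2289 (the S/Key successor) using the MD5 variant, and makes no assumption about which hash NetBSD's skeyinit picks by default. The client derives the one-time password for sequence number N by hashing the lower-cased seed plus passphrase and folding the 128-bit MD5 result to 64 bits, then repeating hash-and-fold N times; the server stores only the value for N+1 and accepts a response if one more step maps it onto the stored value, after which it moves its record down so the same response cannot be replayed. Names such as skey_otp, SkeyRecord, verify and the sample passphrase are this example's own; the expected hex values are RFC 2289 Appendix C test vectors. It prints the hex form rather than the six-word "babble" form because the 2048-word dictionary is not reproduced here.

```python
import hashlib

# Added example (not the post's or NetBSD's code): RFC 2289 one-time passwords,
# MD5 variant. All function and class names here are this example's own.


def _fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 fold: XOR the two 64-bit halves of the 128-bit digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_initial(passphrase: str, seed: str) -> bytes:
    """Step 0: hash the lower-cased seed concatenated with the passphrase."""
    # The seed is case-insensitive and is lower-cased before use (RFC 2289 sec. 6).
    return _fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())


def skey_step(value: bytes) -> bytes:
    """One hash-chain step: hash the 64-bit value and fold again."""
    return _fold(hashlib.md5(value).digest())


def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count` (hash applied count+1 times)."""
    value = skey_initial(passphrase, seed)
    for _ in range(count):
        value = skey_step(value)
    return value


def to_hex(otp: bytes) -> str:
    """Hex form as printed in RFC 2289, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


class SkeyRecord:
    """Server-side state per user: sequence number, seed and last accepted OTP.
    The passphrase itself is never stored on the server."""

    def __init__(self, user: str, count: int, seed: str, last: bytes):
        self.user, self.count, self.seed, self.last = user, count, seed, last


def skeyinit(user: str, passphrase: str, seed: str, count: int = 99) -> SkeyRecord:
    """Enrolment: the client computes OTP number `count` and hands only that to the server."""
    return SkeyRecord(user, count, seed, skey_otp(passphrase, seed, count))


def challenge(rec: SkeyRecord) -> str:
    """RFC 2289 challenge syntax; the user must answer with OTP number count-1."""
    return f"otp-md5 {rec.count - 1} {rec.seed}"


def verify(rec: SkeyRecord, response_hex: str) -> bool:
    """Accept the response iff one more hash step reproduces the stored value,
    then advance the record so the same response is rejected if replayed."""
    try:
        response = bytes.fromhex(response_hex.replace(" ", ""))
    except ValueError:
        return False
    if len(response) != 8 or rec.count <= 0:   # malformed, or sequence exhausted
        return False
    if skey_step(response) != rec.last:
        return False
    rec.count -= 1
    rec.last = response
    return True


if __name__ == "__main__":
    # Constructed sample enrolment using RFC 2289's test passphrase and seed.
    passphrase, seed = "This is a test.", "TeSt"
    rec = skeyinit("carton", passphrase, seed, 99)
    print("server challenge:", challenge(rec))
    answer = to_hex(skey_otp(passphrase, seed, 98))   # what the `skey` tool would print
    print("client answer:   ", answer)
    print("accepted:", verify(rec, answer))           # True
    print("replayed:", verify(rec, answer))           # False: record already advanced
```

The two things the server checks are visible in verify: the response has to be exactly one hash step below the stored value, and the record moves down on success. That is why the sequence number and seed shown in the challenge must be the same ones given to the skey calculator; an answer computed for any other sequence number or seed hashes to an unrelated value and is refused just like a replay.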