tech-net archive


Re: telnetd: Authorization failed & Connection closed



On Sat, 13 Mar 2010, Christos Zoulas wrote:

> On Mar 14,  2:30am, hubert%feyrer.de@localhost (Hubert Feyrer) wrote:
> -- Subject: Re: telnetd: Authorization failed & Connection closed
>
> | On Sun, 14 Mar 2010, Hubert Feyrer wrote:
> | >>       valid  Only allow connections when the remote user can pro-
> | >>              vide valid authentication information to identify the
> | >>              remote user.  The login(1) command will provide any
> | >>              additional user verification needed if the remote
> | >>              user is not allowed automatic access to the specified
> | >>              account.
> | >>
> | >> So vista and juniper don't implement SRA and the connection is not allowed.
> | >> The default NetBSD telnetd configuration is more secure since passwords are
> | >> not sent in plaintext over the network. This is why valid is the default.
> | >> If you want to send your passwords in plaintext, feel free to change it for
> | >> your system, but I don't think that the change is appropriate for everyone.
> | >
> | > And I can't have a steak because a three-year-old can't chew it?
> | > Seriously, it sounds pretty broken to rather not have a working telnet than
> | > to do just what telnet is intended for.
> |
> | Plus: I read the part about login(1) that it should fall back and ask me
> | for my login & password. Apparently it does not - a feature?
>
> I think you are mis-reading it; if there is not enough information from SRA
> to log you in without a password, it will pass you to login to do it.

I think it's not clear and you both misread it. There is no "if" here,
because the first sentence stands on its own. The "fallback to login(1)"
is what happens with "none" but Love got it right: "valid" requires SRA.

The page could have some clarifications as to what "authentication" means
in the context of telnetd and how "authentication" and "user verification"
are not the same.

As to whether we provide "none" as a useful example or a full security
"user" example that will have to be changed in the vast majority of cases
it probably doesn't matter, but "valid" is currently misleading and
probably the wrong setting to use for many.

iain



