Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!snorkelwacker.mit.edu!apple!agate!shelby!MIT.EDU!jon
From: jon@MIT.EDU (Jon A. Rochlis)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberized clients and servers
Message-ID: <9101240429.AA00597@delwin.MIT.EDU>
Date: 24 Jan 91 04:29:17 GMT
References: <1991Jan23.054126.22458@news.iastate.edu>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 26

   Telnet just uses /bin/login, so if that is kerberized then so is
   telnet.

No, no, no. If you just get login then you will still be typing a
password in the clear. You need to change telnetd/rlogind to decode a
kerberos ticket, check authorization and call a modified login which
won't then ask for a password. MIT distributes a modified rlogin(d)
and login with the standard Kerberos distribution. It's been there as
long as we have been giving away Kerberos.

If you are just talking about getting tickets when one logs in, then
login can indeed be usually modified to do this, but that was not the
original question (I think).

   I suppose a new telnet option to pass authentication data would be
   an interesting idea...

We have a telnet/telnetd that works with V4 and V5 and which may well
be distributed as part of 4.4BSD and V5 Kerberos. It has come out of
some IETF work done on authentication and encryption in telnet.

		-- Jon