Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!hellgate.utah.edu!caen!zaphod.mps.ohio-state.edu!rpi!uupsi!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Are There Standards For Secure Mail Transfer Via SMTP?
Message-ID: <14569:Feb1315:15:4791@kramden.acf.nyu.edu>
Date: 13 Feb 91 15:15:47 GMT
References: <9102102022.AA26112@osiris.MIT.EDU> <28229:Feb1200:29:5391@kramden.acf.nyu.edu> <1991Feb12.135915.1@rogue.llnl.gov>
Organization: IR
Lines: 74

In article <1991Feb12.135915.1@rogue.llnl.gov> oberman@rogue.llnl.gov writes:
  [ RFC 931 doesn't help him, and it doesn't help on any non-TCP/IP net ]
> I do think it's a bad idea to espouse a method because "it will be good enough
> for me". A real solution should be good enough for everyone.

Dave Borman told me the same thing about RFC 1143. ``It isn't the only way
to stop TELNET's option negotiation loops,'' he said (paraphrased), ``and I
don't like its approach. So it must not become a standard.''

There's one missing step. Why does a solution have to be perfect for
everyone? Why can't all solutions be published in parallel? People who like
one solution will use it. People who like another will use that.

I've never said that RFC 1143 is the *only* way to fix TELNET, and I'm not
saying now that RFC 931 is the *only* way to improve mail security.

RFC 931 would, however, prevent many---if not most---of the SMTP forgeries
that go on now. So it is worthwhile for many Internet sites, even if not for
LLNL or BITNET or the United States Postal Service.

Below is a typescript of compiling, installing, and testing authd 3.01 on a
Sun 4.

Sure, RFC 931 is limited to the Internet. Sure, RFC 931 doesn't fix TCP's
security holes. But it's a damn sight better than nothing, it's hellishly
easy to get going, it helps Internet security for more than just mail, it
will help CERT track network intruders, and I don't understand the mindset
of anyone who would recommend that it *not* be installed.

(For the people who don't get alt.sources, I've made authd 3.01, my sendmail
and talk patches, and Nick Sayer's nntpd patches available for anonymous ftp
from 128.122.128.22 in pub/hier/inet/rfc931. More coming.)

---Dan

Script started on Wed Feb 13 10:05:04 1991
csh> make
cc -g -o authd authd.c
rm -f tcpuid
ln authd tcpuid
rm -f tcpuname
ln authd tcpuname
cc -g -c authuser.c
cc -g -o test test.c authuser.o
csh> ./INSTALL
Each action will be printed before it is run. Press return to proceed.

1. Install authd, tcpuid, and tcpuname.
! install -c -g kmem -m 02755 authd /etc/authd:
! rm -f /etc/tcpuid; ln /etc/authd /etc/tcpuid:
! rm -f /etc/tcpuname; ln /etc/authd /etc/tcpuname:

2. Install the authuser library.
! install -c -m 0444 authuser.h /usr/include/authuser.h:
! ar rv /usr/lib/libauthuser.a authuser.o:
r - authuser.o
! ranlib /usr/lib/libauthuser.a:
! chmod 644 /usr/lib/libauthuser.a:

3. Make the man pages available.
! install -c -m 0444 authuser.3 /usr/man/man3/authuser.3:
! install -c -m 0444 authd.8 /usr/man/man8/authd.8:
! install -c -m 0444 tcpuid.8 /usr/man/man8/tcpuid.8:
! install -c -m 0444 tcpuname.8 /usr/man/man8/tcpuname.8:

4. Make sure an auth port is in /etc/services.
Let me glance at /etc/services for you...
Okay, you have it already. Let's continue.

5. Enable auth in /etc/inetd.conf.
Let me glance at /etc/inetd.conf for you...
Okay, it's already there.

That's it!
csh> ./test
system says host is 127.0.0.1
authuser says host is 127.0.0.1
system says username is root
authd says username is root
Everything looks okay to me.
csh> exit
script done on Wed Feb 13 10:05:50 1991
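The exchange the post relies on, as an added example that is not part of Dan's article and not code from authd: an RFC 931 query and reply, both sides, in Python. In RFC 931 terms the "server" is the host running authd (here the SMTP sender, whose connection table the daemon reads via /dev/kmem, which is why INSTALL makes it setgid kmem) and the "client" is the host asking (here the SMTP receiver). The connection table, port numbers and usernames below are constructed for the demonstration, and the `0 , 0` echo for an unparseable query is this example's choice, not something RFC 931 specifies. As the post itself notes, RFC 931 does not fix TCP's own weaknesses, so a receiver should record the returned username alongside the connection for later attribution rather than treat it as proof of identity.

```python
"""RFC 931 (Authentication Server) query/response handling, both sides.

Added example; not code from the post or from authd 3.01.  The connection
table, ports and usernames are constructed for the demonstration.
"""
import re

AUTH_PORT = 113  # the "auth" service INSTALL looks for in /etc/services
ERROR_TYPES = ("INVALID-PORT", "NO-USER", "UNKNOWN-ERROR")  # RFC 931 error types

# Query:    <port-on-server> , <port-on-client>
# Response: <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>
#           <port-on-server> , <port-on-client> : ERROR : <error-type>
_QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_RESPONSE_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Querying side: format the CRLF-terminated query sent to port 113."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")


def answer_query(line: bytes, connections: dict) -> bytes:
    """authd side: reply from the kernel's view of live TCP connections.

    `connections` maps (local_port, remote_port) to the owning username and
    stands in for the /dev/kmem lookup the real daemon performs.
    """
    m = _QUERY_RE.match(line.decode("ascii", "replace"))
    if not m:
        # Constructed choice: nothing to echo, so echo 0 , 0 with INVALID-PORT.
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = connections.get((sport, cport))
    if user is None:
        return f"{sport} , {cport} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{sport} , {cport} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_response(line: bytes, expect_ports: tuple) -> dict:
    """Querying side: parse the reply, rejecting one that echoes other ports."""
    m = _RESPONSE_RE.match(line.decode("ascii", "replace"))
    if not m:
        return {"ok": False, "error": "malformed reply"}
    ports = (int(m.group(1)), int(m.group(2)))
    if ports != expect_ports:
        return {"ok": False, "error": f"port pair mismatch: {ports}"}
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        err = rest if rest in ERROR_TYPES else f"unknown error type {rest!r}"
        return {"ok": False, "error": err}
    # USERID: first field is the operating system, the remainder is the user id.
    opsys, _, user = rest.partition(":")
    if not user.strip():
        return {"ok": False, "error": "USERID reply without a user id"}
    return {"ok": True, "opsys": opsys.strip(), "user": user.strip()}


def demo() -> dict:
    """One exchange: a sending host connected from its port 1025 to our SMTP
    port 25; we ask that host's authd who owns the connection."""
    # Constructed connection table on the sending host: (local, remote) -> user
    connections = {(1025, 25): "bob", (1026, 25): "alice"}
    query = build_query(1025, 25)               # b"1025 , 25\r\n"
    reply = answer_query(query, connections)    # ... : USERID : UNIX : bob
    return parse_response(reply, (1025, 25))


if __name__ == "__main__":
    print(demo())
```

The port pair is echoed in every reply so the asking side can match answers to questions; `parse_response` refuses a reply whose pair differs from what was asked, which is the one check the asking side can make on its own.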