From owner-freebsd-hackers Sat Aug 14 5:43:25 1999
Message-ID: <37B56471.E6227C20@quack.kfu.com>
Date: Sat, 14 Aug 1999 05:43:29 -0700
From: Nick Sayer
Reply-To: nsayer@freebsd.org
To: walton@nordicrecords.com
Cc: freebsd-hackers@freebsd.org
Subject: Re: Whither makefiles for src/crypto/telnet/* ?
References: <19990814064443.21756.qmail@modgud.nordicrecords.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG

Dave Walton wrote:
>
> If you really want to work on an encrypted telnet, check out The
> Stanford SRP Authentication Project (http://srp.stanford.edu/srp/).
> I'd love to see SRP integrated into the FreeBSD telnet/telnetd.

Again, the problem is that there is administrative overhead - a separate password database is required. It is certainly _also_ a candidate to be included (they can all live side by side), but it does not replace the need that SRA fills.

SPK requires a separate database because the server needs to know what the password actually is, not just that the one that was typed is correct. Unix passwords are not suitable because you can't turn hamburger back into steak by running the grinder backwards. :-)

When both sides of a conversation have a shared secret, you can assure mutual authentication in a way that is not possible with straight Diffie-Hellman. But Unix passwords can't be considered a shared secret because the server doesn't actually know what the password is. It merely knows when an attempt is correct.

A workaround for this is to supply the password salt to the client early in an authentication protocol, then treat the encrypted password as a shared secret. That works, except that more and more unixes are starting to use non-portable crypt() procedures. The client has to have the same crypt() as the server in order for the authentication to succeed. Users with $x salts would not be able to log in from non-FreeBSD machines unless our crypt() was compiled into their telnet.
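The salt-first workaround described in the message above, sketched as an added example that is not part of the original post or of any FreeBSD code: the server reveals scheme and salt, both sides treat the hashed password as an HMAC key for mutual proofs, and a client lacking the server's crypt() variant cannot log in. The two hash functions are hypothetical stand-ins for crypt() variants (not the real algorithms), and all names and the message layout are assumptions.

```python
import hashlib
import hmac
import os

# Stand-ins for two crypt() variants (assumption: NOT the real crypt(3) algorithms).
def crypt_traditional(password, salt):
    return hashlib.pbkdf2_hmac("sha1", password, salt, 1000)

def crypt_freebsd_x(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)

SERVER_SCHEMES = {"trad": crypt_traditional, "$x": crypt_freebsd_x}
PORTABLE_CLIENT = {"trad": crypt_traditional}  # client built without the "$x" crypt()

def proof(key, role, first, second):
    # Role byte keeps the client's proof from being replayed as the server's.
    return hmac.new(key, role + first + second, "sha256").digest()

class Server:
    def __init__(self):
        self.passwd = {}  # user -> (scheme, salt, hash); the password is never stored

    def add_user(self, user, password, scheme):
        salt = os.urandom(8)
        self.passwd[user] = (scheme, salt, SERVER_SCHEMES[scheme](password, salt))

    def hello(self, user):
        # Reveal scheme and salt early, plus a fresh server nonce.
        scheme, salt, _ = self.passwd[user]
        self.nonce = os.urandom(16)
        return scheme, salt, self.nonce

    def verify(self, user, client_nonce, client_proof):
        key = self.passwd[user][2]  # the stored hash acts as the shared secret
        if not hmac.compare_digest(proof(key, b"C", self.nonce, client_nonce), client_proof):
            return None
        return proof(key, b"S", client_nonce, self.nonce)

def client_login(server, user, password, schemes):
    scheme, salt, server_nonce = server.hello(user)
    if scheme not in schemes:
        return "unsupported-crypt"  # client cannot reproduce the server's hash
    key = schemes[scheme](password, salt)
    client_nonce = os.urandom(16)
    reply = server.verify(user, client_nonce, proof(key, b"C", server_nonce, client_nonce))
    if reply is None:
        return "rejected"
    ok = hmac.compare_digest(proof(key, b"S", client_nonce, server_nonce), reply)
    return "mutual-ok" if ok else "server-unverified"
```

Because the stored hash is itself the key in this arrangement, it becomes password-equivalent: the password file needs the same protection a plaintext secret database would.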