Date:      Sun, 15 Aug 1999 15:33:37 -0700
From:      Nick Sayer <nsayer@quack.kfu.com>
To:        walton@nordicrecords.com
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Whither makefiles for src/crypto/telnet/* ?
Message-ID:  <37B74041.F24CCFB4@quack.kfu.com>
References:  <19990815221506.26168.qmail@modgud.nordicrecords.com>


Dave Walton wrote:
> 
> On 14 Aug 99, at 5:43, Nick Sayer wrote:
> 
> > Dave Walton wrote:
> > >
> > > If you really want to work on an encrypted telnet, check out The
> > > Stanford SRP Authentication Project (http://srp.stanford.edu/srp/).
> > > I'd love to see SRP integrated into the FreeBSD telnet/telnetd.
> >
> > Again, the problem is that there is administrative overhead - a separate
> > password database is required.
> 
> Yes, there is /etc/tpasswd to deal with.  I guess what I should have
> said is that I'd love to see SRP integrated into FreeBSD (as PAM,
> perhaps?).  Properly done, the various system utilities would keep
> passwd, master.passwd and tpasswd in sync, and SRP
> authentication/encryption would be available to telnet, ftp, or
> anything else.

True enough. You'd have to force your users to run 'passwd' once as a
conversion step, and you'd have to modify scripts like 'adduser' to
set up the new format.

> (Disclaimer:  Authentication and PAM are way outside of anything I
> know anything about, so I really have no idea what it would take to
> make that work.)
> 
> > Keep in mind, also, that as long as AUTHTYPE_SRP and
> > AUTHTYPE_SRA are different numbers, both could be present. I
> > would even concede that SRP should be tried before SRA. But I'd
> > sure as hell rather use SRA than nothing.
> 
> Ok, Nick implements SRA for folks in heterogeneous NIS
> environments, and Kris implements SRP for those of us without
> that restriction.  How's that for a non-cryptographic compromise?  :)

I can commit SRA into src/crypto/telnet immediately, if it is
appropriate to do so.
 
> Unfortunately, this whole discussion ignores one ugly problem:
> client availability. 

It's a chicken and egg problem. But I am sure that if we build it,
they will come. But only if it comes by default and has no
overhead and works with legacy systems -- that is, it is a no
effort drop-in. People who type "telnet" will just magically see
that their session is encrypted without them doing anything different.
THAT'S the only way it will start to happen.