June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
4.15. Using Kerberos with Telnet
Problem
You want to use Telnet securely, and you have an MIT Kerberos-5 environment.
Solution
Use the Kerberos-aware (“Kerberized”) version of telnet. Assuming you have set up a Kerberos realm [Recipe 4.11] and hosts [Recipe 4.13], enable the Kerberized Telnet daemon on your desired destination machine:
/etc/xinetd.d/krb5-telnet:
service telnet
{
...
disable = no
}and disable the standard Telnet daemon:
/etc/xinetd.d/telnet:
service telnet
{
...
disable = yes
}Then restart xinetd on that machine [Recipe 3.3] (suppose its hostname is moof):
moof# kill -HUP `pidof xinetd`
and check /var/log/messages for any error messages. Then, on a client machine (say, dogcow) in the same realm, DOGOOD.ORG:
dogcow$ kinit -f Password for pat@DOGOOD.ORG: dogcow$ /usr/kerberos/bin/telnet -fax moof Trying 10.1.1.6... Connected to moof.dogood.org (10.1.1.6). Escape character is '^]'. Waiting for encryption to be negotiated... [ Kerberos V5 accepts you as ``pat@DOGOOD.ORG'' ] [ Kerberos V5 accepted forwarded credentials ] Last login: Fri Mar 7 03:28:14 from localhost.localdomain You have mail. moof$
You now have an encrypted Telnet connection, strongly and automatically authenticated via Kerberos.
Discussion
Often, people think of Telnet as synonymous with “insecure,” but this is not so. The Telnet protocol allows for strong authentication and encryption, though it is seldom implemented. With the proper infrastructure, Telnet can be quite secure, as shown here.
The -f flag to ...