Flags: 000000000001
Article: 12810 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!watsun.cc.columbia.edu!fdc
From: fdc@watsun.cc.columbia.edu (Frank da Cruz)
Newsgroups: comp.protocols.kermit.misc
Subject: Secure version of K95 now downloadable
Date: 21 Sep 2001 19:34:37 GMT
Organization: Columbia University
Lines: 77
Message-ID: <9og4od$ha2$1@newsmaster.cc.columbia.edu>
NNTP-Posting-Host: watsun.cc.columbia.edu
X-Trace: newsmaster.cc.columbia.edu 1001100877 17730 128.59.39.2 (21 Sep 2001 19:34:37 GMT)
X-Complaints-To: postmaster@columbia.edu
NNTP-Posting-Date: 21 Sep 2001 19:34:37 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:12810

Wednesday we announced a downloadable trial version of Kermit 95 1.1.20.
With the increasing importance of network security, we have decided to
also make the secure version available to everyone who is allowed by USA
export laws to have it, namely citizens and permanent residents of the
USA and citizens of Canada, who are in the USA or Canada, for use only in
the USA and Canada. Don't blame us for the law.

This version of Kermit 95 runs on Windows 95, 98, ME, NT, 2000, and XP
on Intel platforms only. It supports the following security methods:

. MIT Kerberos IV
. MIT Kerberos V
. Secure Sockets Layer / Transport Layer Security (SSL/TLS)
. Stanford Secure Remote Password (SRP)

All of these are IETF-approved forms of Internet security that are
specified in RFCs and in use at major universities, corporations,
government agencies, and other large organizations. This is not
do-it-yourself public key security; it's centrally managed security
requiring a professional network/systems security staff and secure
authentication database.

You can use the security features of Kermit 95 if you are an authorized
user of a host that supports at least one of the security methods listed.
A fair amount of configuration is needed to make Kermit 95 select the
appropriate method and use the parameters relevant to your site, but all
the tools are provided. Configuration and setup is documented in:

http://www.columbia.edu/kermit/security.html

This download is intended mainly for central-site technical staff to
evaluate Kermit 95 for use within their organization. End-users can not
use it to obtain secure connections in isolation: a secure
connection requires security on both ends.

To anticipate the inevitable question, "Why bother with all this stuff
when SSH is so much simpler?": THE MORE SIMPLE, THE LESS SECURE. If you
recognize that any security scheme can be compromised, you also know how
important it is to be able to recover from compromised security keys,
e.g. by revoking them. SSH public-key authorization implementations
leave key files on the hard disk. Anybody who can steal your key file
can decrypt it offline at their leisure to obtain access to all your
hosts. There is no way to revoke SSH keys other than for the affected
user to log in manually to every host and generate new keys (which will
not be possible if the identity thief has already changed them). With
Kerberos and SRP, on the other hand, there are no key files on the disk
to be stolen. If somebody manages to steal your Kerberos identity some
other way (e.g. by guessing your pass phrase), it can be revoked
centrally and the revocation applies immediately to ALL the hosts you
access using Kerberos. It's the classic tradeoff: greater effort up
front buys you more safety and less grief (and effort) down the road.

Objection number 2: "All my hosts require SSH so even if it's a bad
idea I still need it!": Yes, we know that, and we will support SSH
(v1 *and* v2) in the next Kermit 95 release, but we won't offer it up as
a security panacea.

If you're a network/systems security professional, we invite you to
download the secure K95 demo and try it out. If you have questions or
comments, feel free to send them to us at the regular address:

kermit-support@columbia.edu

If you are a concerned end user, please pass this announcement along to
your support staff, and point out that K95 bulk and site licenses are
dirt cheap:

http://www.columbia.edu/kermit/k95pricing.html

You can download the secure K95 trial version on our updated download page:

http://www.columbia.edu/kermit/k95download.html

Thanks.

- Frank