Article: 13170 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!watsun.cc.columbia.edu!jaltman
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Newsgroups: alt.sys.pdp10,alt.folklore.computers,comp.protocols.kermit.misc
Subject: Re: Internet Kermit Service (was Serving non-MS-word *.doc files)
Date: 29 Jan 2002 22:12:18 GMT
Organization: Columbia University
Lines: 77
Message-ID: <a376o2$4ck$1@newsmaster.cc.columbia.edu>
References: <3C4A7DF8.2AEC4BD7@trailing-edge.com> <a36n8d$1a64$1@citadel.in.taronga.com> <a36pti$2cv$1@watsol.cc.columbia.edu> <a36thl$1dli$1@citadel.in.taronga.com>
NNTP-Posting-Host: watsun.cc.columbia.edu
X-Trace: newsmaster.cc.columbia.edu 1012342338 4500 128.59.39.2 (29 Jan 2002 22:12:18 GMT)
X-Complaints-To: postmaster@columbia.edu
NNTP-Posting-Date: 29 Jan 2002 22:12:18 GMT
Xref: newsmaster.cc.columbia.edu alt.sys.pdp10:21145 alt.folklore.computers:288179 comp.protocols.kermit.misc:13170

In article <a36thl$1dli$1@citadel.in.taronga.com>,
Peter da Silva <peter@taronga.com> wrote:
: In article <a36pti$2cv$1@watsol.cc.columbia.edu>,
: Frank da Cruz <fdc@columbia.edu> wrote:
: >In article <a36n8d$1a64$1@citadel.in.taronga.com>,
: >Peter da Silva <peter@taronga.com> wrote:
: >: In article <a36m5k$79l$1@watsol.cc.columbia.edu>,
: >: Frank da Cruz <fdc@columbia.edu> wrote:
: >: > http://www.columbia.edu/kermit/wiksduser.html
:
: >: Does this support non-reusable tokens for authentication?
:
: >: If so, do you have a scriptable client for it that will run as a
: >: service...
:
: >It runs as a service in Windows NT, 2000, and XP.
:
: The client? So I can have it wake up at o-dark-hundred and copy some files
: between two boxes over a single well-known port?

Internet Kermit Service is a daemon, a service, something other people
connect to.

If you want a client to run at a specific time you don't need a service
for that. You can simply use the Scheduled Tasks folder or one of the
many Run At or Cron style command schedulers.

: > Kerberos 4 and 5
: > NTLM
: > SRP
:
: How about RSA/DSA public keys or equivalent? Kerberos and NTLM require more
: connectivity between the boxes... if I had an unfiltered connection between
: the boxes I'd just use Lan Mangler with NTLM authentication.

Frank left SSL/TLS support. You can use any X.509 certificates (RSA or DSS)
to establish a pure SSL/TLS or TELNET START_TLS session. We support
session re-use and client certificate authentication in both the K95
client and the Internet Kermit Service. For IKS, you need to provide
a custom DLL to indicate how you want X.509 cert to userid mappings to
occur and how you want <userid, cert> pairs to be authorized.

: > http://www.columbia.edu/kermit/security.html
:
: The advantage of RSA authentication is that you don't need to have a
: third trusted host that both systems can independently connect to.

You most certainly do need a third trusted host. The question is:
how frequently do you contact that host?

If you are referring to the raw public key authentication used by SSH
then you are setting yourself up for disaster. (This is one debate
I do not want to have again.)

: Also, if each public/private key pair is only used between one pair of
: computers, as in this scenario, revocation is easy. There's only one
: system that has the public key that needs to have it removed. Of course
: this could equally well be done using symmetrical encryption with a
: shared secret, so we're not taking advantage of the full capabilities
: of public key authentication... we're just taking advantage of the fact
: that the protocol is implemented in a lot of places so we don't have to
: reinvent the wheel.

Someone has to remember to revoke it. If you want to use X.509 certificates
in this manner you can do so. Just use self-signed certs.

: And, of course, we *don't* fully trust the remote box. We only let it access
: files in a specific subset of the file tree that's not trusted for general
: use.

That should be true even if you did trust the remote box.

 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and
 kermit-support@columbia.edu                OpenSSL. Interfaces with OpenSSH
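
The two decisions the post describes for certificate logins (mapping an X.509 cert to a userid, then authorizing the <userid, cert> pair) can be sketched as follows for the self-signed, one-key-pair-per-peer case. This is an added Python example, not part of the original post and not the IKS DLL interface; the function names, policy tables, host name and certificate bytes are all assumptions, and `peercert` is assumed to have the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
BATCH_CERT_DER = b"constructed DER bytes: batch host self-signed cert"
OTHER_CERT_DER = b"constructed DER bytes: different key, same subject name"

def fingerprint(der):
    """SHA-256 over the certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

# Hypothetical policy tables. Step 1 maps a subject commonName to a userid;
# step 2 lists the exact certificates each userid may present.
CN_TO_USERID = {"batch.example.net": "xfer"}
AUTHORIZED = {"xfer": {fingerprint(BATCH_CERT_DER)}}

def cert_to_userid(peercert):
    """Map a certificate to a userid from its subject commonName."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return CN_TO_USERID.get(value.lower())
    return None

def pair_authorized(userid, der):
    """Authorize the <userid, cert> pair against the pinned fingerprints."""
    fp = fingerprint(der)
    return any(hmac.compare_digest(fp, pinned)
               for pinned in AUTHORIZED.get(userid, ()))

def login(peercert, der):
    """Return the userid to log in as, or None to refuse."""
    userid = cert_to_userid(peercert)
    if userid is None or not pair_authorized(userid, der):
        return None
    return userid

def revoke(userid, der):
    """Revocation is manual: someone has to remove the pinned entry."""
    AUTHORIZED.get(userid, set()).discard(fingerprint(der))
```

A certificate that carries the same subject name but is not the pinned one maps to `xfer` in the first step and is refused in the second, which is why both steps are needed when the certs are self-signed.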