Article: 14161 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!panix!newsfeed.media.kyoto-u.ac.jp!newsfeed.freenet.de!newsfeed.r-kom.de!newsfeed.stueberl.de!cox.net!news.maxwell.syr.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: curtis.steward@goodrich.com (Curtis Steward)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: TLS HowTo Telnet/FTP
Date: 5 Mar 2003 10:52:16 -0800
Organization: http://groups.google.com/
Lines: 153
Message-ID: <f53f8c5c.0303051052.327e975c@posting.google.com>
References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu>
NNTP-Posting-Host: 207.180.255.121
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1046890337 26042 127.0.0.1 (5 Mar 2003 18:52:17 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 5 Mar 2003 18:52:17 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14161
fdc@columbia.edu (Frank da Cruz) wrote in message news:<b4329a$300$1@watsol.cc.columbia.edu>...
> In article <f53f8c5c.0303041213.45f6bbe7@posting.google.com>,
> Curtis Steward <curtis.steward@goodrich.com> wrote:
> : Anyone have a HowTo or step-by-step for TLS Authentication on both
> : the client and server side (FTP or Telnet) using IKSD?
> :
> You might find this link helpful:
>
> http://www.columbia.edu/kermit/ibm_ie.html
>
> It covers FTP only, but it's more step-by-step than the Kermit Security
> Reference:
>
> http://www.columbia.edu/kermit/security80.html
>
> which "just doesn't cut it." I agree the latter is not easy going, but
> all the information should be in there.
>
> Step-by-step instructions are generally good for only a single very
> specific connection. Anybody who wants to contribute step-by-step
> instructions for given scenarios is more than welcome.
>
> If you have specific questions, feel free to ask them.
>
> - Frank
Frank,
My main question at the time would be what instructions would be
necessary in the iksd.conf file to make TLS for telnet available (see
below) after successfully entering the passphrase?
For what it's worth, here's my HowTo draft, though it doesn't work :)
The scenario here is as basic to the "loopback test" for a connection
that I can make it in hopes that it can be used to address varying
scenarios. I'd suggest a case study on your site for others, if I
get this working I'll contrib a copy. Key/Cert detail and generation
could be provided as well and I'm using .tlslogin to avoid changing
code and not depend on a single field. There's a lot of interest in
the Open Source world for x509 host to host Communication, and I
believe Kermit offers up one of the best possibilities.
Regards,
cs
STEP-BY-STEP
download <tarball>
mkdir kermit
cd kermit
tar -xvzf ../<tarball>
make redhat80
cp -p wermit /usr/local/bin/kermit
cp -p wermit /usr/sbin/iksd
mkdir ~/.tlslogin
Place certs/keys, don't have password on server's host cert.
chown -R <user>:<user group> ~<user>/.tlslogin
cp -p $WS_NAME.crt ~<user>/.tlslogin
ls /usr/local/ca/cacert.crt
/etc/init.d/xinetd.d stop
/etc/init.d/xinetd.d start
netstat -an | grep 1649
tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN
kermit
show features
...
Major optional features included:
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
...
set host www.amazon.com https /ssl
iks /user:anonymous /pass:user@host kermit.columbia.edu
iks <host>
/ETC/XINETD.D/KERMIT
# default: on
# server_args = -A --syslog:6 --database:off
service kermit
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/iksd
server_args = -A
disable = no
}
/ETC/IKSD.CONF
log debug /root/iksd.debug.\v(pid).log
set auth tls rsa-cert-file /root/.tlslogin/c.crt
set auth tls rsa-key-file /root/.tlslogin/c.unp
set auth tls verify-dir /usr/local/ca
set auth tls verify-file /usr/local/ca/cacert.pem
KERMIT CLIENT STARTUP
#!/usr/local/bin/kermit +
set auth tls rsa-cert-file w.crt ;personal cert pem
set auth tls rsa-key-file work_priv.pem ;personal key pem
set auth tls verify-dir /usr/local/ca ;CA directory
set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
set auth tls verify peer-cert
set login userid <user>
set telopt start-tls required
set auth tls verbose on
set auth tls debug on
set telnet debug on
TLS TELNET RESULTS
SSL_handshake:SSLOK SSL negotiation finished successfully
TLS client finished: 27 7C CD CA 0B 7E 7E F8 FB C9 6E 66
TLS server finished: 3E EC EF 93 1F 2D 8D 09 07 2B 7B A2
[TLS - OK]
[TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
Compression: run length compression
[TLS - subject=/C=US/ST="detail"]
[TLS - issuer=/C=US/O="detail"]
TELNET SENT WILL AUTHENTICATION
TELNET SENT WILL NAWS
TELNET SENT WILL TERMINAL-TYPE
TELNET SENT WILL NEW-ENVIRONMENT
TELNET SENT WILL COM-PORT-CONTROL
<wait for outstanding negotiations>
TELNET RCVD DO AUTHENTICATION
TELNET RCVD DO NAWS
TELNET RCVD WILL SUPPRESS-GO-AHEAD
TELNET SENT DO SUPPRESS-GO-AHEAD
TELNET RCVD DO SUPPRESS-GO-AHEAD
TELNET SENT WILL SUPPRESS-GO-AHEAD
TELNET RCVD WILL ECHO
TELNET SENT DO ECHO
TELNET RCVD DO NEW-ENVIRONMENT
TELNET RCVD SB AUTHENTICATION SEND IAC SE
TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE
Authentication failed: No authentication method available
TELNET SENT WONT AUTHENTICATION
TELNET RCVD DONT TERMINAL-TYPE
TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE
TELNET RCVD DONT COM-PORT-CONTROL
<no outstanding negotiations>
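The trace above shows the pattern worth recognising: the TLS handshake succeeds, but the Telnet-layer AUTHENTICATION option is then withdrawn after the client answers the server's SEND with "IS NULL NULL". The following Python script is an added example, not part of the post and not C-Kermit code. It parses the line format produced by "set telnet debug on" as shown in the post, tracks each Telnet option's WILL/WONT/DO/DONT state per RFC 854 for both sides of the connection, and reports findings that are each traceable to specific trace lines. The embedded trace is copied from the post (cipher and certificate lines left out); the state names ("offered", "requested", "on", "refused", "withdrawn") are this example's own.

```python
import re
from dataclasses import dataclass, field

# Trace lines copied from the "TLS TELNET RESULTS" section of the post above
# (cipher and certificate lines omitted; the parser ignores them anyway).
SAMPLE_TRACE = """\
[TLS - OK]
TELNET SENT WILL AUTHENTICATION
TELNET SENT WILL NAWS
TELNET SENT WILL TERMINAL-TYPE
TELNET SENT WILL NEW-ENVIRONMENT
TELNET SENT WILL COM-PORT-CONTROL
<wait for outstanding negotiations>
TELNET RCVD DO AUTHENTICATION
TELNET RCVD DO NAWS
TELNET RCVD WILL SUPPRESS-GO-AHEAD
TELNET SENT DO SUPPRESS-GO-AHEAD
TELNET RCVD DO SUPPRESS-GO-AHEAD
TELNET SENT WILL SUPPRESS-GO-AHEAD
TELNET RCVD WILL ECHO
TELNET SENT DO ECHO
TELNET RCVD DO NEW-ENVIRONMENT
TELNET RCVD SB AUTHENTICATION SEND IAC SE
TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE
Authentication failed: No authentication method available
TELNET SENT WONT AUTHENTICATION
TELNET RCVD DONT TERMINAL-TYPE
TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE
TELNET RCVD DONT COM-PORT-CONTROL
"""

NEGOTIATION_RE = re.compile(r"^TELNET (SENT|RCVD) (WILL|WONT|DO|DONT) ([A-Z0-9-]+)$")
SUBNEG_RE = re.compile(r"^TELNET (SENT|RCVD) SB ([A-Z0-9-]+) (.*?) IAC SE$")


@dataclass
class OptionState:
    # local: option performed by our side (we say WILL/WONT, peer answers DO/DONT)
    # remote: option performed by the peer (peer says WILL/WONT, we answer DO/DONT)
    local: str = "off"
    remote: str = "off"


@dataclass
class TraceSummary:
    tls_ok: bool = False
    auth_failure: str = ""  # text after "Authentication failed:" if seen
    options: dict = field(default_factory=dict)  # option name -> OptionState
    subnegotiations: list = field(default_factory=list)  # (direction, option, payload)


def _advance(state, event):
    """RFC 854 rule for one side of one option: WILL (offer) matched by DO (accept),
    in either order, turns it on; DONT refuses it, WONT withdraws it."""
    if event == "offer":
        return "on" if state in ("requested", "on") else "offered"
    if event == "accept":
        return "on" if state in ("offered", "on") else "requested"
    return "refused" if event == "refuse" else "withdrawn"


def parse_trace(text):
    summary = TraceSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[TLS - OK]":
            summary.tls_ok = True
        elif line.startswith("Authentication failed:"):
            summary.auth_failure = line.split(":", 1)[1].strip()
        elif (m := NEGOTIATION_RE.match(line)):
            direction, command, option = m.groups()
            st = summary.options.setdefault(option, OptionState())
            we_sent = direction == "SENT"
            if command in ("WILL", "WONT"):
                # WILL/WONT are spoken by the side that performs the option
                side = "local" if we_sent else "remote"
                event = "offer" if command == "WILL" else "withdraw"
            else:
                # DO/DONT are spoken by the side asking the peer to perform it
                side = "remote" if we_sent else "local"
                event = "accept" if command == "DO" else "refuse"
            setattr(st, side, _advance(getattr(st, side), event))
        elif (m := SUBNEG_RE.match(line)):
            summary.subnegotiations.append(m.groups())
    return summary


def diagnose(summary):
    """Findings a defender would want from the trace, each tied to visible lines."""
    findings = []
    if summary.tls_ok and summary.auth_failure:
        findings.append("TLS handshake succeeded but Telnet AUTHENTICATION failed: "
                        + summary.auth_failure)
    if any(d == "SENT" and o == "AUTHENTICATION" and p.startswith("IS NULL")
           for d, o, p in summary.subnegotiations):
        findings.append("client answered AUTHENTICATION SEND with IS NULL NULL, "
                        "i.e. it proposed no authentication type")
    auth = summary.options.get("AUTHENTICATION")
    if auth and auth.local == "withdrawn":
        findings.append("client sent WONT AUTHENTICATION; session continues "
                        "without Telnet-layer authentication")
    for name, st in sorted(summary.options.items()):
        if "refused" in (st.local, st.remote):
            findings.append(f"{name} refused by peer")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run against the post's trace it reports that TLS completed, that the client offered no authentication type in its IS reply, that AUTHENTICATION was then withdrawn with WONT, and that TERMINAL-TYPE and COM-PORT-CONTROL were refused by the server. The point for anyone auditing such a setup is that "[TLS - OK]" on its own says nothing about whether the client was authenticated; the AUTHENTICATION subnegotiation lines are where that is decided.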