Columbia Kermit

home *** CD-ROM | disk | FTP | other *** search

/ Columbia Kermit / kermit.zip / newsgroups / misc.20021006-20030409 / 000365_curtis.steward@goodrich.com_Thu Mar 6 09:23:06 EST 2003.msg < prev next >

Wrap

Text File | 2020-01-01 | 6KB | 172 lines

Article: 14161 of comp.protocols.kermit.misc Path: newsmaster.cc.columbia.edu!panix!newsfeed.media.kyoto-u.ac.jp!newsfeed.freenet.de!newsfeed.r-kom.de!newsfeed.stueberl.de!cox.net!news.maxwell.syr.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail From: curtis.steward@goodrich.com (Curtis Steward) Newsgroups: comp.protocols.kermit.misc Subject: Re: TLS HowTo Telnet/FTP Date: 5 Mar 2003 10:52:16 -0800 Organization: http://groups.google.com/ Lines: 153 Message-ID: <f53f8c5c.0303051052.327e975c@posting.google.com> References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu> NNTP-Posting-Host: 207.180.255.121 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1046890337 26042 127.0.0.1 (5 Mar 2003 18:52:17 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 5 Mar 2003 18:52:17 GMT Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14161 fdc@columbia.edu (Frank da Cruz) wrote in message news:<b4329a$300$1@watsol.cc.columbia.edu>... > In article <f53f8c5c.0303041213.45f6bbe7@posting.google.com>, > Curtis Steward <curtis.steward@goodrich.com> wrote: > : Anyone have a HowTo or step-by-step for TLS Authentication on both > : the client and server side (FTP or Telnet) using IKSD? > : > You might find this link helpful: > > http://www.columbia.edu/kermit/ibm_ie.html > > It covers FTP only, but it's more step-by-step than the Kermit Security > Reference: > > http://www.columbia.edu/kermit/security80.html > > which "just doesn't cut it." I agree the latter is not easy going, but > all the information should be in there. > > Step-by-step instructions are generally good for only a single very > specific connection. Anybody who wants to contribute step-by-step > instructions for given scenarios is more than welcome. > > If you have specific questions, feel free to ask them. > > - Frank Frank, My main question at the time would be what instructions would be necessary in the iksd.conf file to make TLS for telnet available (see below) after successfully entering the passphrase? For what it's worth, here's my HowTo draft, though it doesn't work :) The scenario here is as basic to the "loopback test" for a connection that I can make it in hopes that it can be used to address varying scenario's. I'd suggest a case study on your site for others, if I get this working I'll contrib a copy. Key/Cert detail and generation could be provided as well and I'm using .tlslogin to avoid changing code and not depend on a single field. There's a lot of interest in the Open Source world for x509 host to host Communication, and I believe Kermit offers up one of the best possibilities. Regards, cs STEP-BY-STEP download <tarball> mkdir kermit cd kermit tar ∩┐╜xvzf ../<tarball> make redhat80 cp ∩┐╜p wermit /usr/local/bin/kermit cp ∩┐╜p wermit /usr/sbin/iksd mkdir ~/.tlslogin Place certs/keys, don't have password on servers' host cert. chown ∩┐╜R <user>:<user group> ~<user>/.tlslogin cp ∩┐╜p $WS_NAME.crt ~<user>/.tlslogin ls /usr/local/ca/cacert.crt /etc/init.d/xinetd.d stop /etc/init.d/xinetd.d start netstat ∩┐╜an | grep 1649 tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN kermit show features ∩┐╜ Major optional features included: Secure Sockets Layer (SSL) Transport Layer Security (TLS) ∩┐╜ set host www.amazon.com https /ssl iks /user:anonymous /pass:user@host kermit.columbia.edu iks <host> /ETC/XINETD.D/KERMIT # default: on # server_args = -A --syslog:6 --database:off service kermit { socket_type = stream wait = no user = root server = /usr/sbin/iksd server_args = -A disable = no } /ETC/IKSD.CONF log debug /root/iksd.debug.\v(pid).log set auth tls rsa-cert-file /root/.tlslogin/c.crt set auth tls rsa-key-file /root/.tlslogin/c.unp set auth tls verify-dir /usr/local/ca set auth tls verify-file /usr/local/ca/cacert.pem KERMIT CLIENT STARTUP #!/usr/local/bin/kermit + set auth tls rsa-cert-file w.crt ;personal cert pem set auth tls rsa-key-file work_priv.pem ;personal key pem set auth tls verify-dir /usr/local/ca ;CA directory set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash set auth tls verify peer-cert set login userid <user> set telopt start-tls required set auth tls verbose on set auth tls debug on set telnet debug on TLS TELNET RESULTS SSL_handshake:SSLOK SSL negotiation finished successfully TLS client finished: 27 7C CD CA 0B 7E 7E F8 FB C9 6E 66 TLS server finished: 3E EC EF 93 1F 2D 8D 09 07 2B 7B A2 [TLS - OK] [TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 Compression: run length compression [TLS - subject=/C=US/ST=∩┐╜detail∩┐╜] [TLS - issuer=/C=US/O=∩┐╜detail∩┐╜] TELNET SENT WILL AUTHENTICATION TELNET SENT WILL NAWS TELNET SENT WILL TERMINAL-TYPE TELNET SENT WILL NEW-ENVIRONMENT TELNET SENT WILL COM-PORT-CONTROL <wait for outstanding negotiations> TELNET RCVD DO AUTHENTICATION TELNET RCVD DO NAWS TELNET RCVD WILL SUPPRESS-GO-AHEAD TELNET SENT DO SUPPRESS-GO-AHEAD TELNET RCVD DO SUPPRESS-GO-AHEAD TELNET SENT WILL SUPPRESS-GO-AHEAD TELNET RCVD WILL ECHO TELNET SENT DO ECHO TELNET RCVD DO NEW-ENVIRONMENT TELNET RCVD SB AUTHENTICATION SEND IAC SE TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE Authentication failed: No authentication method available TELNET SENT WONT AUTHENTICATION TELNET RCVD DONT TERMINAL-TYPE TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE TELNET RCVD DONT COM-PORT-CONTROL <no outstanding negotiations>