Article: 14163 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!panix!newsfeed.mathworks.com!news.maxwell.syr.edu!newsfeed1.cidera.com!news.webusenet.com!cyclone.rdc-nyc.rr.com!news-out.nyc.rr.com!twister.nyc.rr.com.POSTED!not-for-mail
Message-ID: <3E66D40A.1050402@nyc.rr.com>
From: "Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030210
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: comp.protocols.kermit.misc
Subject: Re: TLS HowTo Telnet/FTP
References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu> <f53f8c5c.0303051052.327e975c@posting.google.com>
In-Reply-To: <f53f8c5c.0303051052.327e975c@posting.google.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Lines: 138
Date: Thu, 06 Mar 2003 04:49:43 GMT
NNTP-Posting-Host: 66.108.138.151
X-Complaints-To: abuse@rr.com
X-Trace: twister.nyc.rr.com 1046926183 66.108.138.151 (Wed, 05 Mar 2003 23:49:43 EST)
NNTP-Posting-Date: Wed, 05 Mar 2003 23:49:43 EST
Organization: Road Runner - NYC
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14163
Curtis Steward wrote:
>
> Frank,
>
> My main question at the time would be what instructions would be
> necessary in the iksd.conf file to make TLS for telnet available (see
> below) after successfully entering the passphrase?
>
> For what it's worth, here's my HowTo draft, though it doesn't work :)
> The scenario here is as basic a "loopback test" for a connection
> as I can make it, in hopes that it can be used to address varying
> scenarios. I'd suggest a case study on your site for others, if I
> get this working I'll contrib a copy. Key/Cert detail and generation
> could be provided as well and I'm using .tlslogin to avoid changing
> code and not depend on a single field. There's a lot of interest in
> the Open Source world for x509 host to host Communication, and I
> believe Kermit offers up one of the best possibilities.
>
> Regards,
>
> cs
>
> STEP-BY-STEP
>
> download <tarball>
> mkdir kermit
> cd kermit
> tar -xvzf ../<tarball>
> make redhat80
> cp -p wermit /usr/local/bin/kermit
> cp -p wermit /usr/sbin/iksd
> mkdir ~/.tlslogin
>
> Place certs/keys, don't have password on server's host cert.
>
> chown -R <user>:<user group> ~<user>/.tlslogin
> cp �p $WS_NAME.crt ~<user>/.tlslogin
> ls /usr/local/ca/cacert.crt
>
> /etc/init.d/xinetd stop
> /etc/init.d/xinetd start
>
> netstat -an | grep 1649
> tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN
>
>
> kermit
> show features
> ...
> Major optional features included:
> Secure Sockets Layer (SSL)
> Transport Layer Security (TLS)
> ...
> set host www.amazon.com https /ssl
> iks /user:anonymous /pass:user@host kermit.columbia.edu
>
> iks <host>
>
> /ETC/XINETD.D/KERMIT
>
> # default: on
> # server_args = -A --syslog:6 --database:off
> service kermit
> {
> socket_type = stream
> wait = no
> user = root
> server = /usr/sbin/iksd
> server_args = -A
> disable = no
> }
>
> /ETC/IKSD.CONF
>
> log debug /root/iksd.debug.\v(pid).log
>
> set auth tls rsa-cert-file /root/.tlslogin/c.crt
> set auth tls rsa-key-file /root/.tlslogin/c.unp
> set auth tls verify-dir /usr/local/ca
> set auth tls verify-file /usr/local/ca/cacert.pem
SET TELOPT /SERVER START-TLS REQUIRED
SET TELOPT /SERVER AUTH REFUSED
SET TELOPT /SERVER ENCRYPT REFUSED REFUSED
SET TELOPT /SERVER NEW-ENVIRONMENT REQUIRED
SET AUTH TLS CIPHER-LIST <list based upon the type of certificates RSA or DSS that you are using>
SET AUTH TLS VERIFY PEER-CERT
> KERMIT CLIENT STARTUP
>
> #!/usr/local/bin/kermit +
> set auth tls rsa-cert-file w.crt ;personal cert pem
> set auth tls rsa-key-file work_priv.pem ;personal key pem
> set auth tls verify-dir /usr/local/ca ;CA directory
> set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
> set auth tls verify peer-cert
> set login userid <user>
> set telopt start-tls required
> set auth tls verbose on
> set auth tls debug on
> set telnet debug on
>
> TLS TELNET RESULTS
>
> SSL_handshake:SSLOK SSL negotiation finished successfully
> TLS client finished: 27 7C CD CA 0B 7E 7E F8 FB C9 6E 66
> TLS server finished: 3E EC EF 93 1F 2D 8D 09 07 2B 7B A2
> [TLS - OK]
> [TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> Compression: run length compression
> [TLS - subject=/C=US/ST=...detail...]
> [TLS - issuer=/C=US/O=...detail...]
> TELNET SENT WILL AUTHENTICATION
> TELNET SENT WILL NAWS
> TELNET SENT WILL TERMINAL-TYPE
> TELNET SENT WILL NEW-ENVIRONMENT
> TELNET SENT WILL COM-PORT-CONTROL
> <wait for outstanding negotiations>
> TELNET RCVD DO AUTHENTICATION
> TELNET RCVD DO NAWS
> TELNET RCVD WILL SUPPRESS-GO-AHEAD
> TELNET SENT DO SUPPRESS-GO-AHEAD
> TELNET RCVD DO SUPPRESS-GO-AHEAD
> TELNET SENT WILL SUPPRESS-GO-AHEAD
> TELNET RCVD WILL ECHO
> TELNET SENT DO ECHO
> TELNET RCVD DO NEW-ENVIRONMENT
> TELNET RCVD SB AUTHENTICATION SEND IAC SE
> TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE
> Authentication failed: No authentication method available
> TELNET SENT WONT AUTHENTICATION
> TELNET RCVD DONT TERMINAL-TYPE
> TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE
> TELNET RCVD DONT COM-PORT-CONTROL
> <no outstanding negotiations>
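Reading a trace like the one quoted above by hand is error-prone, so here is an added example (my own Python, not C-Kermit code and not anything from the post): a small parser that walks the `set telnet debug on` / `set auth tls debug on` output, keeps the RFC 855 WILL/WONT/DO/DONT state of every option for each side of the link, and pulls out the TLS cipher summary and the AUTHENTICATION suboption exchange. The SAMPLE_TRACE string is constructed from the lines Curtis quoted (trimmed, with the wrapped cipher line rejoined); the function names and dict keys are my choice. Run on that sample it reports the TLS handshake as up with EDH-RSA-DES-CBC3-SHA on SSLv3, NAWS, NEW-ENVIRONMENT and SUPPRESS-GO-AHEAD on, TERMINAL-TYPE refused, and AUTHENTICATION ending off because the server's SEND suboption carried an empty type list, which is exactly the condition the client reports as "No authentication method available".

```python
"""Summarise a C-Kermit TLS/telnet debug trace (added example, not C-Kermit code).

Tracks Telnet option negotiation for both sides of the link (RFC 855
WILL/WONT/DO/DONT) and picks out the TLS summary, so the operator can read
off what a loopback test actually negotiated. Standard library only.
"""
import re

# Constructed sample: the client trace quoted in the post, trimmed, wrapped cipher line rejoined.
SAMPLE_TRACE = """\
[TLS - OK]
[TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TELNET SENT WILL AUTHENTICATION
TELNET SENT WILL NAWS
TELNET SENT WILL TERMINAL-TYPE
TELNET SENT WILL NEW-ENVIRONMENT
TELNET RCVD DO AUTHENTICATION
TELNET RCVD DO NAWS
TELNET RCVD WILL SUPPRESS-GO-AHEAD
TELNET SENT DO SUPPRESS-GO-AHEAD
TELNET RCVD DO SUPPRESS-GO-AHEAD
TELNET SENT WILL SUPPRESS-GO-AHEAD
TELNET RCVD WILL ECHO
TELNET SENT DO ECHO
TELNET RCVD DO NEW-ENVIRONMENT
TELNET RCVD SB AUTHENTICATION SEND IAC SE
TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE
Authentication failed: No authentication method available
TELNET SENT WONT AUTHENTICATION
TELNET RCVD DONT TERMINAL-TYPE
"""

TELOPT_RE = re.compile(r"^TELNET (SENT|RCVD) (WILL|WONT|DO|DONT) (\S+)$")
AUTH_SEND_RE = re.compile(r"^TELNET RCVD SB AUTHENTICATION SEND\s*(.*?)\s*IAC SE$")
TLS_CIPHER_RE = re.compile(r"^\[TLS - (\S+) (\S+) Kx=(\S+) Au=(\S+) Enc=(\S+) Mac=([^\s\]]+)")
AUTH_FAIL_RE = re.compile(r"^Authentication failed: (.*)$")


class TelnetOptions:
    """A side's option is 'on' once it offered WILL and the peer answered DO; a WONT
    or DONT from either party makes it 'off'; an unanswered offer is 'pending'."""

    def __init__(self) -> None:
        # option -> True for WILL/DO, False for WONT/DONT (the last verb seen wins)
        self.local_offer: dict[str, bool] = {}   # we sent WILL/WONT (our side of the option)
        self.local_ack: dict[str, bool] = {}     # peer sent DO/DONT about our side
        self.remote_offer: dict[str, bool] = {}  # peer sent WILL/WONT (its side)
        self.remote_ack: dict[str, bool] = {}    # we sent DO/DONT about the peer's side

    def feed(self, direction: str, verb: str, option: str) -> None:
        offer = verb in ("WILL", "WONT")
        if direction == "SENT":
            table = self.local_offer if offer else self.remote_ack
        else:
            table = self.remote_offer if offer else self.local_ack
        table[option] = verb in ("WILL", "DO")

    @staticmethod
    def _side(offer, ack) -> str:
        if offer is None and ack is None:
            return "not negotiated"
        if offer is False or ack is False:
            return "off"
        return "on" if (offer and ack) else "pending"

    def status(self, option: str) -> tuple[str, str]:
        """(our side, peer's side) of one option."""
        return (self._side(self.local_offer.get(option), self.local_ack.get(option)),
                self._side(self.remote_offer.get(option), self.remote_ack.get(option)))


def analyze(trace: str) -> dict:
    """TLS parameters, per-option negotiation outcome and telnet AUTH result for one trace."""
    opts = TelnetOptions()
    summary: dict = {"tls_ok": False, "cipher": None, "protocol": None, "kx": None, "au": None,
                     "enc": None, "mac": None, "server_auth_types": None, "auth_failure": None}
    for raw in trace.splitlines():
        line = raw.strip()
        if line == "[TLS - OK]":
            summary["tls_ok"] = True
        elif m := TLS_CIPHER_RE.match(line):
            summary.update(zip(("cipher", "protocol", "kx", "au", "enc", "mac"), m.groups()))
        elif m := TELOPT_RE.match(line):
            opts.feed(*m.groups())
        elif m := AUTH_SEND_RE.match(line):
            # Between SEND and IAC SE sits the list of auth types the server will accept;
            # an empty list is why the client answers IS NULL NULL and gives up.
            summary["server_auth_types"] = m.group(1).split()
        elif m := AUTH_FAIL_RE.match(line):
            summary["auth_failure"] = m.group(1)
    names = {*opts.local_offer, *opts.local_ack, *opts.remote_offer, *opts.remote_ack}
    summary["options"] = {o: opts.status(o) for o in sorted(names)}
    return summary


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

When comparing a trace against the SET TELOPT /SERVER lines earlier in this message, keep in mind that REFUSED on the server side means it answers DONT, so an option ending "off" is the intended result there, while REQUIRED means Kermit should close the connection rather than carry on if the peer refuses the option.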