Columbia Kermit

home *** CD-ROM | disk | FTP | other *** search

/ Columbia Kermit / kermit.zip / newsgroups / misc.20021006-20030409 / 000366_jaltman2@nyc.rr.com_Thu Mar 6 09:23:16 EST 2003.msg < prev next >

Wrap

Text File | 2020-01-01 | 6KB | 161 lines

Article: 14163 of comp.protocols.kermit.misc Path: newsmaster.cc.columbia.edu!panix!newsfeed.mathworks.com!news.maxwell.syr.edu!newsfeed1.cidera.com!news.webusenet.com!cyclone.rdc-nyc.rr.com!news-out.nyc.rr.com!twister.nyc.rr.com.POSTED!not-for-mail Message-ID: <3E66D40A.1050402@nyc.rr.com> From: "Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030210 X-Accept-Language: en-us, en MIME-Version: 1.0 Newsgroups: comp.protocols.kermit.misc Subject: Re: TLS HowTo Telnet/FTP References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu> <f53f8c5c.0303051052.327e975c@posting.google.com> In-Reply-To: <f53f8c5c.0303051052.327e975c@posting.google.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Lines: 138 Date: Thu, 06 Mar 2003 04:49:43 GMT NNTP-Posting-Host: 66.108.138.151 X-Complaints-To: abuse@rr.com X-Trace: twister.nyc.rr.com 1046926183 66.108.138.151 (Wed, 05 Mar 2003 23:49:43 EST) NNTP-Posting-Date: Wed, 05 Mar 2003 23:49:43 EST Organization: Road Runner - NYC Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14163 Curtis Steward wrote: > > Frank, > > My main question at the time would be what instructions would be > necessary in the iksd.conf file to make TLS for telnet available (see > below) after successfully entering the passphrase? > > For what it's worth, here's my HowTo draft, though it doesn't work :) > The scenario here is as basic to the "loopback test" for a connection > that I can make it in hopes that it can be used to address varying > scenario's. I'd suggest a case study on your site for others, if I > get this working I'll contrib a copy. Key/Cert detail and generation > could be provided as well and I'm using .tlslogin to avoid changing > code and not depend on a single field. There's a lot of interest in > the Open Source world for x509 host to host Communication, and I > believe Kermit offers up one of the best possibilities. > > Regards, > > cs > > STEP-BY-STEP > > download <tarball> > mkdir kermit > cd kermit > tar ∩┐╜xvzf ../<tarball> > make redhat80 > cp ∩┐╜p wermit /usr/local/bin/kermit > cp ∩┐╜p wermit /usr/sbin/iksd > mkdir ~/.tlslogin > > Place certs/keys, don't have password on servers' host cert. > > chown ∩┐╜R <user>:<user group> ~<user>/.tlslogin > cp ∩┐╜p $WS_NAME.crt ~<user>/.tlslogin > ls /usr/local/ca/cacert.crt > > /etc/init.d/xinetd.d stop > /etc/init.d/xinetd.d start > > netstat ∩┐╜an | grep 1649 > tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN > > > kermit > show features > ∩┐╜ > Major optional features included: > Secure Sockets Layer (SSL) > Transport Layer Security (TLS) > ∩┐╜ > set host www.amazon.com https /ssl > iks /user:anonymous /pass:user@host kermit.columbia.edu > > iks <host> > > /ETC/XINETD.D/KERMIT > > # default: on > # server_args = -A --syslog:6 --database:off > service kermit > { > socket_type = stream > wait = no > user = root > server = /usr/sbin/iksd > server_args = -A > disable = no > } > > /ETC/IKSD.CONF > > log debug /root/iksd.debug.\v(pid).log > > set auth tls rsa-cert-file /root/.tlslogin/c.crt > set auth tls rsa-key-file /root/.tlslogin/c.unp > set auth tls verify-dir /usr/local/ca > set auth tls verify-file /usr/local/ca/cacert.pem SET TELOPT /SERVER START-TLS REQUIRED SET TELOPT /SERVER AUTH REFUSED SET TELOPT /SERVER ENCRYPT REFUSED REFUSED SET TELOPT /SERVER NEW-ENVIRONMENT REQUIRED SET AUTH TLS CIPHER-LIST <list based upon the type of certificates RSA or DSS that you are using> SET AUTH TLS VERIFY PEER-CERT > KERMIT CLIENT STARTUP > > #!/usr/local/bin/kermit + > set auth tls rsa-cert-file w.crt ;personal cert pem > set auth tls rsa-key-file work_priv.pem ;personal key pem > set auth tls verify-dir /usr/local/ca ;CA directory > set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash > set auth tls verify peer-cert > set login userid <user> > set telopt start-tls required > set auth tls verbose on > set auth tls debug on > set telnet debug on > > TLS TELNET RESULTS > > SSL_handshake:SSLOK SSL negotiation finished successfully > TLS client finished: 27 7C CD CA 0B 7E 7E F8 FB C9 6E 66 > TLS server finished: 3E EC EF 93 1F 2D 8D 09 07 2B 7B A2 > [TLS - OK] > [TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) > Mac=SHA1 > Compression: run length compression > [TLS - subject=/C=US/ST=∩┐╜detail∩┐╜] > [TLS - issuer=/C=US/O=∩┐╜detail∩┐╜] > TELNET SENT WILL AUTHENTICATION > TELNET SENT WILL NAWS > TELNET SENT WILL TERMINAL-TYPE > TELNET SENT WILL NEW-ENVIRONMENT > TELNET SENT WILL COM-PORT-CONTROL > <wait for outstanding negotiations> > TELNET RCVD DO AUTHENTICATION > TELNET RCVD DO NAWS > TELNET RCVD WILL SUPPRESS-GO-AHEAD > TELNET SENT DO SUPPRESS-GO-AHEAD > TELNET RCVD DO SUPPRESS-GO-AHEAD > TELNET SENT WILL SUPPRESS-GO-AHEAD > TELNET RCVD WILL ECHO > TELNET SENT DO ECHO > TELNET RCVD DO NEW-ENVIRONMENT > TELNET RCVD SB AUTHENTICATION SEND IAC SE > TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE > Authentication failed: No authentication method available > TELNET SENT WONT AUTHENTICATION > TELNET RCVD DONT TERMINAL-TYPE > TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE > TELNET RCVD DONT COM-PORT-CONTROL > <no outstanding negotiations>