Article: 14168 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!panix!bloom-beacon.mit.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: curtis.steward@goodrich.com (Curtis Steward)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: TLS HowTo Telnet/FTP
Date: 10 Mar 2003 10:38:24 -0800
Organization: http://groups.google.com/
Lines: 143
Message-ID: <f53f8c5c.0303101038.198c3d24@posting.google.com>
References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu> <f53f8c5c.0303051052.327e975c@posting.google.com> <3E66D40A.1050402@nyc.rr.com> <f53f8c5c.0303060740.514c6150@posting.google.com> <3E67E435.1010706@nyc.rr.com>
NNTP-Posting-Host: 207.180.255.121
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1047321504 7507 127.0.0.1 (10 Mar 2003 18:38:24 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 10 Mar 2003 18:38:24 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14168
"Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com> wrote in message news:<3E67E435.1010706@nyc.rr.com>...
> The proper command is
>
> IKS <host>
>
> or
>
> SET HOST /CONNECT <host> kermit
>
> You are not negotiating a TLS-TELNET connection.
Frank/Jeff,
That did it, got confused on the start-tls of iksd.conf vs.
tls-telnet! Thanks a lot, works well.
Does the doc mean the "PUSH" compile-time option won't enable shell
access? Is there any other alternative?
5.4. Shell Access
...
This is true even if the executable was built without the NOPUSH
compile-time option.
I know "Ctrl-\!" works for the client shell, but the server side would
be nice.
Thanks again for all the help.
cs
HOWTO
This HowTo is nonfunctional at the time of this writing. It attempts
to create a basic "loopback test" via an OpenSSL certificate.
Localhost is client & server: Redhat 8.0
Kermit Client: Kermit 8.0.208
Kermit Server: Kermit 8.0.208 (IKSD)
Certificates: RSA based, length 2048 (openssl genrsa)
TLS STEP-BY-STEP
download <tarball>
mkdir kermit
cd kermit
tar -xvzf ../<tarball>
make redhat80
cp -p wermit /usr/local/bin/kermit
cp -p wermit /usr/sbin/iksd
Place certs/keys, don't have password on servers' host cert.
chown -R <user>:<user group> ~<user>/.tlslogin
cp -p $WS_NAME.crt ~<user>/.tlslogin
ls /usr/local/ca/cacert.crt
/etc/init.d/xinetd stop
/etc/init.d/xinetd start
netstat -an | grep 1649
tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN
kermit
show features
...
Major optional features included:
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
...
iks /user:anonymous /pass:user@host kermit.columbia.edu #basic test
set host www.amazon.com https /ssl #should get [TLS-OK]
set host /connect <host> 1649
/ETC/XINETD.D/KERMIT
# default: on
# server_args = -A --syslog:6 --database:off
service kermit
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/iksd
server_args = -A
disable = no
}
/ETC/IKSD.CONF
;log debug /root/iksd.debug.\v(pid).log
set auth tls rsa-cert-file /root/.tlslogin/c.crt
set auth tls rsa-key-file /root/.tlslogin/c.unp
set auth tls verify-dir /usr/local/ca
set auth tls verify-file /usr/local/ca/cacert.pem
set telopt /server start-tls required
set telopt /server auth refused
set telopt /server encrypt refused refused
set telopt /server new-environment required
set auth tls cipher-list ALL:+RSA
set auth tls verify peer-cert
KERMIT CLIENT STARTUP
#!/usr/local/bin/kermit +
set auth tls rsa-cert-file w.crt ;personal cert pem
set auth tls rsa-key-file work_priv.pem ;personal key pem
set auth tls verify-dir /usr/local/ca ;CA directory
set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem
; w/hash?
set auth tls verify peer-cert
set login userid <userid>
set telopt start-tls required
>
> > C-Kermit>set host /connect <host> 1649 /tls-telnet
> > DNS Lookup... Trying 149.223.210.203... (OK)
> > SSL_DEBUG_FLAG on
> > SSL/TLS init done!
> > Loading RSA certificate into SSL
> > Enter certificate passphrase:
> > [TLS - handshake starting]
> > SSL_handshake:UNKWN before/connect initialization
> > SSL_connect:UNKWN before/connect initialization
> > SSL_connect:3WCH_A SSLv3 write client hello A
> > SSL_write_alert
> > SSL_connect:error in 3RSH_A SSLv3 read server hello A
> > [TLS - SSL_connect error: error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number
> > [TLS - FAILED]
> > TELNET SENT DO LOGOUT
> > Can't open connection to <host>:1649
> >
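Added example, not from the post above and not code from the Kermit project: a small Python model of the telnet START_TLS negotiation (RFC 854 IAC commands, telnet option 46) that iksd performs on port 1649 when "set telopt /server start-tls required" is in effect. It shows why a client that opens the socket and immediately sends a TLS ClientHello (the "/tls-telnet" attempt quoted above) gets OpenSSL's "SSL3_GET_RECORD:wrong version number": the bytes coming back are telnet IAC negotiation, not a TLS record, so the two bytes OpenSSL reads as the record version are not 0x03xx. All byte strings are constructed for the example; the function names are mine.

```python
# Telnet command bytes (RFC 854) and the START_TLS option number (46).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
TELOPT_START_TLS = 46
START_TLS_FOLLOWS = 1      # subnegotiation marker: TLS handshake begins after IAC SE
TLS_HANDSHAKE = 0x16       # content type of every TLS handshake record


def classify_first_bytes(data: bytes) -> str:
    """Tell what the peer's first bytes are: a TLS record (immediate-TLS port,
    telnets/https style), telnet option negotiation, or plain text."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls"
    if data[:1] == bytes([IAC]):
        return "telnet"
    return "plaintext"


def tls_record_header_view(data: bytes):
    """Return the (content type, version) a TLS stack would parse from the
    first bytes if it expected a TLS record header. This is the check that
    fails with 'wrong version number' when telnet IAC bytes arrive instead."""
    if len(data) < 5:
        return None
    return data[0], (data[1] << 8) | data[2]


def parse_telnet_negotiation(data: bytes):
    """Walk the leading IAC commands. Returns (events, rest): events is a list
    of ('WILL'|'DO'|'WONT'|'DONT', option) tuples plus ('FOLLOWS', 46) for the
    START_TLS subnegotiation; rest is whatever follows (the TLS handshake
    once START_TLS FOLLOWS has been seen, or application data)."""
    names = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
    events, i = [], 0
    while i + 1 < len(data) and data[i] == IAC:
        cmd = data[i + 1]
        if cmd in names and i + 2 < len(data):
            events.append((names[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break  # truncated subnegotiation: stop, hand back the rest
            body = data[i + 2:end]
            if len(body) >= 2 and body[0] == TELOPT_START_TLS and body[1] == START_TLS_FOLLOWS:
                events.append(("FOLLOWS", TELOPT_START_TLS))
            i = end + 2
        else:
            break  # some other IAC command; not part of option negotiation
    return events, data[i:]


def diagnose_reply(reply: bytes) -> str:
    """Classify what kind of connection a port wants from its first bytes:
    'immediate-tls'     -> TLS from the first byte (what /tls-telnet or https /ssl expects)
    'telnet-start-tls'  -> telnet negotiation offering START_TLS (what iksd on 1649 does;
                           connect with IKS <host> or SET HOST /CONNECT <host> kermit)
    'telnet-no-tls'     -> telnet negotiation without START_TLS
    'plaintext'         -> neither a TLS record nor telnet negotiation"""
    kind = classify_first_bytes(reply)
    if kind != "telnet":
        return "immediate-tls" if kind == "tls" else "plaintext"
    events, _ = parse_telnet_negotiation(reply)
    if any(verb in ("WILL", "DO") and opt == TELOPT_START_TLS for verb, opt in events):
        return "telnet-start-tls"
    return "telnet-no-tls"


if __name__ == "__main__":
    # Constructed sample: iksd-style server greeting, IAC WILL START_TLS, IAC DO START_TLS.
    iksd_greeting = bytes([IAC, WILL, TELOPT_START_TLS, IAC, DO, TELOPT_START_TLS])
    print(diagnose_reply(iksd_greeting))
    # Seen through a TLS record header, type 0xFF and version 0xFB2E: "wrong version number".
    print(tls_record_header_view(iksd_greeting))
    # Constructed sample: negotiation completed, START_TLS FOLLOWS, then a TLS record starts.
    upgraded = bytes([IAC, DO, TELOPT_START_TLS, IAC, SB, TELOPT_START_TLS, START_TLS_FOLLOWS,
                      IAC, SE, TLS_HANDSHAKE, 0x03, 0x01])
    print(parse_telnet_negotiation(upgraded))
```

The practical reading of the diagnosis: an "immediate-tls" port is the only kind where opening TLS straight away is correct; for "telnet-start-tls" the client must first answer the option negotiation and only then run the handshake, which is what C-Kermit does on its own with a plain SET HOST /CONNECT plus "set telopt start-tls required".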