stelnet: Secure TELNET

This is a secure telnet/telnetd from Simon J. Gerraty <sjg@crufty.net>. The code base is a later version of the telnet used for 4.4BSD.

Ancient History

The U.S. version already supported TELOPT_AUTHENTICATION and TELOPT_ENCRYPTION but all traces of the encryption code have been removed in the internationally available version.

INSTALLATION

Unless you are running BSD, you will need bmake and you will also need the libsslfd from SSLrsh. See install for details, but if you just do:
$ mkdir -p /usr/local/src/sjg
$ cd /usr/local/src/sjg
$ gzcat /tmp/bmake.tar.gz | tar xvf -
$ gzcat /tmp/SSLrsh.tar.gz | tar xvf -
$ gzcat /tmp/stelnet.tar.gz | tar xvf -
Everything will be in the right place and once you've built bmake you can just:
$ cd /usr/local/src/sjg
$ bmake obj
$ bmake depend
$ bmake
$ su
# bmake install
Note that stelnet looks up the name it was invoked with in /etc/services and, if that succeeds, uses the port obtained; otherwise it looks up telnet/tcp, and if all else fails it uses port 23. The upshot of all this is that you have the option of adding something like:
stelnet		423/tcp
to /etc/services and running stelnet as well as normal telnet. This is handy at some sites that have rules against replacing system binaries with ones that work :-)
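The port selection just described, written out as an added example (not stelnet's own code): the invoked name is tried first, then telnet/tcp, then 23, against a constructed /etc/services-style table so every branch of the fallback can be exercised offline.

```python
import socket

TELNET_PORT = 23  # last-resort default, as described above


def parse_services(text: str) -> dict:
    """Parse /etc/services-style lines ("name port/proto [aliases] # comment")
    into {(name, proto): port}; aliases map to the same port."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # malformed entry, skip it
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def services_lookup(table: dict):
    """Return a lookup function with the same contract as socket.getservbyname
    (raises OSError when the entry is missing) over a parsed table."""
    def lookup(name, proto):
        try:
            return table[(name, proto)]
        except KeyError:
            raise OSError("service/proto not found")
    return lookup


def resolve_port(progname: str, lookup=socket.getservbyname) -> int:
    """stelnet's order of preference: the name the binary was invoked with
    (e.g. "stelnet") in /etc/services, then telnet/tcp, then port 23."""
    for name in (progname, "telnet"):
        try:
            return lookup(name, "tcp")
        except OSError:  # entry missing: fall through to the next choice
            continue
    return TELNET_PORT


# Constructed sample, not a real /etc/services; mirrors the entry suggested above.
SAMPLE_SERVICES = """# constructed sample
telnet\t\t23/tcp
stelnet\t\t423/tcp
"""
```

With the default lookup the function consults the real /etc/services, so the port it returns depends on what that file contains on the host.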

My configs tool would normally add the above to /etc/services and one of:

stelnet stream  tcp nowait  root /usr/local/libexec/netacl stelnet
stelnet stream  tcp nowait  root /usr/local/libexec/stelnetd stelnetd -kfz certsok
to /etc/inetd.conf depending on whether the TIS fwtk's netacl is installed.

The arguments shown above tell stelnetd to pass -f to login(1) once the user has been authenticated, and to check the client's certificate (if one is provided) against /etc/ssl.users for authentication.

If your login(1) does not support -f, you can use the one that comes with stelnet, though you will need to make your inetd.conf entry:

stelnet stream  tcp nowait  root /usr/local/libexec/stelnetd /usr/local/libexec/stelnetd -kfz certsok
or use a -p /usr/local/libexec/login argument so that stelnetd can find it. It is known to do [wu]tmp entries correctly on SunOS, Solaris and HP-UX (9 but not 10). Fortunately most of the systems where the utmp magic is broken (Linux, HP-UX 10) have a login that supports -f.

SSL

The SSL support these days comes from OpenSSL.

My original encryption code was pretty ugly, using the RSA implementation lifted from PGP. Thank heavens for Eric Young's SSLeay package, which contains a libcrypto that includes every decent cipher I've ever heard of; I've now greatly cleaned up stelnet to use libcrypto.

Further, I've re-worked Tim Hudson's SSLtelnet patches to SSLeay via my libsslfd wrapper library (included in SSLrsh.tar.gz). This keeps the telnet code much cleaner and ensures consistent behaviour between SSLr* and stelnet. For instance, I avoid reading the SSL_CERT until it is actually needed. Note that this will only work with SSLeay-0.6.4 and later.

More info about SSLeay can be found in the SSLeay FAQ.

HPW

My HPW option is cool. It is a simple TELOPT_AUTHENTICATION option which uses UNIX crypt'ed passwords as a shared secret between client and server to help establish a secure session key. The client prompts the user for their password and crypts it (using a salt obtained from the server); some toing and froing then verifies to both ends that the other has the same crypted password, and so the server assumes that the user knew the password. Authentication no weaker than typing the password at a normal login: prompt has taken place without the password being transmitted.

The drag is that it still has some carry-over from the pre-SSL days, so it uses a TELOPT_PKE option to turn on encryption. If using unofficial telnet options gives you the creeps, by all means turn it off: just comment out the -DAUTH_HPW -DPKE_ENCRYPTION from stelnet/Makefile.inc. They are off by default.
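The HPW idea of proving to both ends that they hold the same crypted password, without sending it, as an added example that is not stelnet's code and does not reproduce its actual option exchange: a salted SHA-512 stands in for crypt(3) so it runs anywhere, and the "toing and froing" is modelled as a nonce-keyed HMAC challenge-response, with the session key derived from the same secret and nonces.

```python
import hashlib
import hmac
import secrets


def crypt_stand_in(password: str, salt: str) -> str:
    # Assumption: stand-in for the UNIX crypt(3) hash stelnet actually uses.
    return salt + "$" + hashlib.sha512((salt + password).encode()).hexdigest()


def proof(crypted: str, label: bytes, n_server: bytes, n_client: bytes) -> bytes:
    # Each side keys an HMAC with the crypted password over both nonces; the
    # crypted value itself never goes on the wire, and the label separates the
    # client proof, the server proof and the session key.
    return hmac.new(crypted.encode(), label + n_server + n_client, hashlib.sha256).digest()


def hpw_exchange(stored_crypted: str, typed_password: str):
    """Simulate both ends of an HPW-style exchange.
    Returns (authenticated, server_session_key, client_session_key)."""
    salt = stored_crypted.split("$", 1)[0]
    n_server = secrets.token_bytes(16)  # server -> client: salt and nonce
    n_client = secrets.token_bytes(16)  # client -> server: nonce and proof
    client_crypted = crypt_stand_in(typed_password, salt)
    client_proof = proof(client_crypted, b"client", n_server, n_client)

    # Server side: recompute with its stored hash and compare in constant time.
    # Note the stored crypted password is itself a password-equivalent here:
    # whoever holds the server's hash can complete this exchange.
    expected = proof(stored_crypted, b"client", n_server, n_client)
    if not hmac.compare_digest(client_proof, expected):
        return False, None, None

    # Server proves it holds the same secret; client verifies the same way.
    server_proof = proof(stored_crypted, b"server", n_server, n_client)
    if not hmac.compare_digest(server_proof, proof(client_crypted, b"server", n_server, n_client)):
        return False, None, None

    # Both sides derive the session key from the shared secret and fresh nonces.
    server_key = proof(stored_crypted, b"key", n_server, n_client)
    client_key = proof(client_crypted, b"key", n_server, n_client)
    return True, server_key, client_key
```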

login

By default, stelnetd looks for a program called login in the same directory as itself; if found, it will be used in place of the system's login(1). I provide a login(1) replacement that not only supports -f (so stelnetd can tell login that the user is already authenticated) but also supports s/key challenge/response authentication.

In addition, stelnetd can be given a -p path_login to tell it which login(1) to use. This is handy if you want to use login-ts from TIS fwtk to query the authsvr for user authentication.

Because the [wu]tmp magic varies wildly between *nix systems and even between versions of the same one, this login will not always do the right thing on a new system. It is built by default on SunOS, Solaris and HP-UX (not HP-UX 10 though), where it both works and is needed.

If you need to build it on another system, just:

$ cd stelnet/libexec/login
$ bmake obj
$ bmake
# bmake install
The utmp magic is all in doutmp.c, and to help test whether it will do the right thing you can:
$ bmake doutmp.test
$ obj/doutmp.test host user

Sadly, this is an area where the documentation on most commercial *nix systems is lacking and/or inaccurate. So it can take a lot of effort to port to a new system.


$Id: stelnet.html,v 1.7 2002/11/27 06:11:51 sjg Exp $
Copyright © 1997-2001 CRUFTY.NET