Re: encrypting telnet

[Rick Watson <rick@akbar.cc.utexas.edu>]

Chuck,

Since I've also worked on encrypted access to administrative systems,
I'll summarize what I know. 

You should also take a look at:
http://ccmc17.cc.ncsu.edu/sma/sma.html
for other Mac Kerberos implementations.

The University of Texas developed auth/encrypt Macintosh client
software for NCSA/Telnet and Brown University's tn3270.  Kerberos V4
and Diffie-Hellman are supported. The "old" separate auth/encrypt
options (37 and 38) were used. We developed the method for using
Diffie-Hellman to generate secret keys to encrypt the login
information and/or the session. It is similar to, but not the
same as Texas A&M's SRA.

The Mac client auth/encrypt code is in separate "plugin" modules
so that other auth/encrypt methods can be added without changing
the base Telnet or Tn3270 code.

John Gilmore at Cygnus Support, gnu@cygnus.com, is working on a K5
plugin. 

The plugin support is in NCSA/Telnet release 2.6.1 and beyond. I
don't know if Peter has ever released this in tn3270. I'm working
on the public release of the plugin code.

We (UT) worked with Open Connect to support K4 and Diffie-Hellman
auth/encrypt in their server that runs under various Unix systems
which front end an IBM 3174. This (commercial) software should
be available shortly in their next release.

We've also worked with OC on their DynaCom Window's client. Diffie-Hellman
is supported; I'm not sure about Kerberos.

I think Jeff Harrington, jeff@mitvma.mit.edu, has worked on 
another IBM tn3270 server implementation.

On the TODO list:
 - Work with TAMU/SRA to make Diffie-Hellman methods compatible
    and work with IETF to propose a draft.
 - Find out status of IETF "new" auth-encrypt option. 
 - Find out status of IETF TN3270 encryption options.

Rick Watson 
The University of Texas Computation Center, Networking Services, 512/475-9220
 r.watson@utexas.edu

> From owner-telnet-ietf@mojo.ots.utexas.edu Mon Apr  3 15:46:31 1995
> Received: by mojo.ots.utexas.edu id AA11987
>   (5.65+/IDA-1.3.5); Mon, 3 Apr 95 15:33:29 -0500
> Received: from timbuk.cray.com by mojo.ots.utexas.edu with SMTP id AA11979
>   (5.65+/IDA-1.3.5 for /usr/lib/sendmail -odq -oi -fowner-telnet-ietf telnet-ietf-list); Mon, 3 Apr 95 15:33:27 -0500
> Received: from sdiv.cray.com (ironwood.cray.com [128.162.21.36]) by timbuk.cray.com (8.6.9/CRI-fence-1.4) with SMTP id PAA21998; Mon, 3 Apr 1995 15:32:23 -0500
> Received: by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv)
> 	id AA17922; Mon, 3 Apr 1995 15:27:12 -0500
> Received: from timbuk.cray.com by sdiv.cray.com (5.0/CRI-5.15.b.orgabbr Sdiv)
> 	id AA17915; Mon, 3 Apr 1995 15:27:10 -0500
> Received: from heidelberg.rutgers.edu (heidelberg.rutgers.edu [128.6.26.25]) by timbuk.cray.com (8.6.9/CRI-fence-1.4) with ESMTP id PAA21079 for <telnet-ietf@cray.com>; Mon, 3 Apr 1995 15:27:01 -0500
> Received: (from hedrick@localhost) by heidelberg.rutgers.edu (8.6.10+bestmx+oldruq+newsunq/8.6.10) id QAA14597 for telnet-ietf@cray.com; Mon, 3 Apr 1995 16:27:04 -0400
> Date: Mon, 3 Apr 1995 16:27:04 -0400
> From: Chuck Hedrick <hedrick@heidelberg.rutgers.edu>
> Message-Id: <199504032027.QAA14597@heidelberg.rutgers.edu>
> To: telnet-ietf@cray.com
> Subject: encrypting telnet
> Content-Length: 330
> Status: R
> 
> Is there any summary of available telnet implementations that
> encrypt?  We're looking at encrypting connections to our
> administrative systems.  For this we'd need at least clients
> under Microsoft Windows and Unix, and the host side under Unix,
> but it would be preferable to have a host end also under IBM MVS,
> and tn3270 support.
> 
>