On Tue, Feb 13, 2001 at 08:15:02AM -0500, Tim Sailer wrote:
On Tue, Feb 13, 2001 at 01:44:24PM +0100, Balazs Scheidler wrote:
Telnet is under consideration. It was not a primary objective, since there's not too much you can do with the telnet protocol (except for option negotiation and environment variable filtering); a simple plug would suffice. Telnet is inherently insecure; it shouldn't be used in security-conscious environments, and a proxy wouldn't change this.
We are looking for authenticated sessions, where there is no other choice. We have a LOT of legacy systems (PDPs and Vaxes) that can only talk the legacy protocols.
Yes, that's why we are considering telnet.
SSH is also planned. Personally I have already implemented a working SSH2 proxy (in the LSH project), but Zorp will probably use an independent implementation.
OK. I'd be interested in seeing this.
ok.
Also, what about authentication? We use T.Rex right now since it uses Radius as one of its authentication methods, and that gives us One Time Passwords with our Radius/CryptoCard server.
We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
That's a problem with a lot of things that use CryptoCard. Everyone supports it in their own way. We have a full enterprise rolled out with cryptocards, and for us to have to maintain 2 separate sets of account info would be hard. We use Radius backended by the cryptoadmin server, and that gives us a common OTP for all our services, including logging in to hosts, since there is a pam_radius_auth module.
Our system isn't necessarily closed. It can use a radius server as a backend.
We're also looking for Telnet and FTP proxies that are Kerberos5-aware. I'm pretty sure we'll have to roll our own on that one.
What do you mean by that? Authenticate your users for going through the firewall?
Yes. And, if they have a valid ticket already, let them pass through without any more authentication.
We'll think about it.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1