[zorp] zorp vs. TIS

Tim Sailer sailer@bnl.gov
Tue, 13 Feb 2001 08:15:02 -0500

On Tue, Feb 13, 2001 at 01:44:24PM +0100, Balazs Scheidler wrote:
> telnet is under consideration. It was not a primary objective, since there's
> not too much you can do with the telnet protocol (except for option
> negotiation and environment variable filtering), a simple plug would
> suffice. Telnet is inherently insecure, it shouldn't be used in security
> conscious environments, a proxy wouldn't change this.

We are looking for authenticated sessions, where there is no other 
choice. We have a LOT of legacy systems (PDPs and Vaxes) that can only
talk the legacy protocols.

> SSH is also planned. Personally I have already implemented a working SSH2
> proxy (in the LSH project), but Zorp will probably use an independent
> implementation.

OK. I'd be interested in seeing this.

> > Also, what about authentication? We use T.Rex right now since it uses
> > Radius as one of its authentication methods, and that gives us one-time
> > passwords with our Radius/CryptoCard server.
> We have our own authentication system, currently supporting S/Key and
> CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we
> are redesigning some parts.

That's a problem with a lot of things that use CryptoCard. Everyone
supports it in their own way. We have a full enterprise rolled out
with cryptocards, and for us to have to maintain 2 separate sets of
account info would be hard. We use Radius backed by the cryptoadmin
server, and that gives us a common OTP for all our services, including
logging in to hosts, since there is a pam_radius_auth module.

> > We're also looking for Telnet and FTP proxies that are Kerberos5 aware.
> > I'm pretty sure we'll have to roll our own on that one.
> What do you mean by that? Authenticate your users for going through
> the firewall?

Yes. And, if they have a valid ticket already, let them pass through without
any more authentication.

Tim Sailer <sailer@bnl.gov> Cyber Security Operations
Brookhaven National Laboratory  (631) 344-3001
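The exchange the thread is talking about, a proxy handing a user's one-time password to a RADIUS server and acting on the Access-Accept or Access-Reject, as an added example that is not code from the Zorp project, T.Rex, or anyone in this thread. It implements the RFC 2865 Access-Request/Access-Accept packet format, the User-Password obfuscation and the Response Authenticator check, with a toy in-process server standing in for the Radius/CryptoCard back end; the user name, OTP values, shared secret and NAS identifier are constructed for the example, and the server's "burn the password after one use" table is an assumption about OTP semantics, not the cryptoadmin product's behaviour.

```python
"""RFC 2865 RADIUS Access-Request/Accept/Reject round trip for an OTP check.
Added example; server, user table and secrets are constructed, not real."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (authenticator follows)


def attr(atype, value):
    """Type-Length-Value attribute; Length counts its own 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value), ...]; refuse truncated or zero-length TLVs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. This only hides
    the OTP from a passive observer; it is not integrity protection."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(encrypted, secret, request_auth):
    """Inverse of encrypt_password; the chaining uses the ciphertext blocks."""
    if not encrypted or len(encrypted) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encrypted[i:i + 16], mask))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Return (packet, request_authenticator); keep the latter to check the reply."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, ra))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def verify_response(packet, request_auth, secret, expected_ident):
    """Return the reply Code only if it is bound to our request and our secret."""
    if len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(packet[4:20], expected) else None


class OtpRadiusServer:
    """Toy RADIUS server (assumption): every password is accepted exactly once."""

    def __init__(self, secret, unused_otps):
        self.secret = secret
        self.unused = {u: set(p) for u, p in unused_otps.items()}

    def handle(self, packet):
        if len(packet) < 20:
            return None
        code, ident, length = HEADER.unpack(packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None  # RFC 2865: malformed requests are silently discarded
        ra, attrs = packet[4:20], dict(parse_attrs(packet[20:]))
        user = attrs.get(ATTR_USER_NAME)
        try:
            pw = decrypt_password(attrs[ATTR_USER_PASSWORD], self.secret, ra)
        except (KeyError, ValueError):
            pw = None
        ok = user in self.unused and pw in self.unused[user]
        if ok:
            self.unused[user].discard(pw)  # burn the OTP so a replay is rejected
        rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return HEADER.pack(rcode, ident, 20) + response_authenticator(rcode, ident, b"", ra, self.secret)


def authenticate(server, ident, username, password, secret, nas_id=b"fw-proxy"):
    """Proxy-side round trip: ACCESS_ACCEPT, ACCESS_REJECT, or None if the
    reply is missing or fails the Response Authenticator check."""
    req, ra = build_access_request(ident, username, password, secret, nas_id)
    reply = server.handle(req)
    return verify_response(reply, ra, secret, ident) if reply else None
```

The part worth noticing for a firewall proxy is the last function: a reply whose Response Authenticator does not verify under the proxy's shared secret, or whose Identifier does not match the outstanding request, is treated as no answer rather than as a reject, because anything on the path between proxy and RADIUS server could otherwise forge an Access-Accept. The User-Password obfuscation is MD5-keyed XOR, so the shared secret and the network path still have to be trusted; the one-time property of the password is what limits the damage if either is not.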