Dave Walton wrote:
>
> If you really want to work on an encrypted telnet, check out The
> Stanford SRP Authentication Project (http://srp.stanford.edu/srp/).
> I'd love to see SRP integrated into the FreeBSD telnet/telnetd.
Again, the problem is that there is administrative overhead - a separate
password database is required. It is certainly _also_ a candidate to be
included (they can all live side by side), but it does not replace the
need that SRA fills.
SPK requires a separate database because the server needs to know what
the password actually is, not just that the one that was typed is
correct. Unix passwords are not suitable because you can't turn
hamburger back into steak by running the grinder backwards. :-)
When both sides of a conversation have a shared secret, you can assure
mutual authentication in a way that is not possible with straight
Diffie-Hellman. But Unix passwords can't be considered a shared secret
because the server doesn't actually know what the password is. It merely
knows when an attempt is correct.
A workaround for this is to supply the password salt to the client early
in an authentication protocol, then treat the encrypted password as
a shared secret. That works, except that more and more unixes are
starting
to use non-portable crypt() procedures. The client has to have the same
crypt() as the server in order for the authentication to succeed.
Users with $x salts would not be able to log in from non-FreeBSD
machines
unless our crypt() was compiled into their telnet.
S/MIME Cryptographic Signature
