Description of problem:
One of the new features of MIT Kerberos v1.4 is the ability to *require* Kerberos-encrypted telnet sessions. Previously this was not possible with ktelnetd. Please enable this by default in the xinetd config file for ktelnetd.
To /etc/xinetd.d/krb5-telnet add
    server_args = -e
This will bring the default Fedora config of ktelnetd in sync with kshd.
Thinking about this more, I have a different proposal that extends how klogin is already configured. Today there are two xinetd config files for klogind.
    /etc/xinet.d/klogin
    /etc/xinet.d/eklogin (requires encryption with the -e switch)
This way you can chkconfig on whichever one you want. A reasonable and sound approach. I propose this same scheme be extended to ktelnetd and kshell. So there exists:
    /etc/xinet.d/krb5-telnet
    /etc/xinet.d/ekrb5-telnet (requires encryption)
    /etc/xinet.d/kshell
    /etc/xinet.d/ekshell (requires encryption)
That sounds good to me. Adding to 1.4.2-3.
Hrm. I don't think I'm going to get behind changing the "kshell" service from encrypted to unencrypted though. That sounds like a nasty surprise, no matter how well documented it could be.
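An added example, not part of the bug report or of any Fedora package: a small audit that flags enabled xinetd service files whose server_args do not carry the -e switch discussed above. The file contents and server paths are constructed placeholders, and the check assumes -e appears as its own token.

```python
import re

# Constructed xinetd.d file contents; server paths are placeholders.
SAMPLE = {
    "krb5-telnet": "service telnet\n{\n  disable = no\n  server = /path/to/telnetd\n}\n",
    "ekrb5-telnet": "service telnet\n{\n  disable = no\n  server = /path/to/telnetd\n"
                    "  server_args = -e\n}\n",
    # Edge case: the switch is present but commented out, so it has no effect.
    "klogin": "service klogin\n{\n  server = /path/to/klogind\n  # server_args = -e\n}\n",
    "kshell": "service kshell\n{\n  disable = yes\n  server = /path/to/kshd\n}\n",
}

ATTR = re.compile(r"^(\w+)\s*[+-]?=\s*(.*)$")  # xinetd accepts =, += and -=

def parse_attrs(text):
    """Return {attribute: value} from one service file, skipping comment lines."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ATTR.match(line)
        if match:
            attrs[match.group(1)] = match.group(2).strip()
    return attrs

def is_enabled(attrs):
    # A file with no "disable" line is served by xinetd, so treat it as enabled.
    return attrs.get("disable", "no").lower() != "yes"

def requires_encryption(attrs):
    return "-e" in attrs.get("server_args", "").split()

def audit(files):
    """Names of enabled service files that do not require encryption."""
    flagged = []
    for name, text in files.items():
        attrs = parse_attrs(text)
        if is_enabled(attrs) and not requires_encryption(attrs):
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: enabled without -e in server_args")
```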