20-755: The Internet
Recitation 2: Kerberos client and Nifty telnet installation.
Introduction
Since many students asked for more detailed instructions on how to download and
install Nifty Telnet, this session is devoted to that process.
The motivation to use Nifty Telnet instead of the default Windows telnet client is that
the default client does not provide any form of security and it does not have good support
for the terminal emulation required to run text editors like emacs or vi. If you
wish, you can still use the default telnet client, but be aware that your
password is sent in the clear across the network and can be captured by an eavesdropper.
Telnet Security
When you telnet from one machine (like your laptop) to another (Euro), the information
is sent across the network. Other machines on the same network segment can
watch the traffic as it is exchanged between the two machines.
If encryption is not negotiated in the telnet protocol, the traffic is not encrypted
and it can be quite easy for other machines on the same network to eavesdrop on the
communication and record such things as passwords and other sensitive data. The person
doing the eavesdropping might later use this information to:
- impersonate you,
- destroy data on your machine(s),
- plant backdoors on your machine to allow future access,
- start running programs on your machine to promiscuously listen on the network for more
passwords, and
- generally just play havoc.
This eavesdropping is not a theoretical attack. It is something that has happened
multiple times. If you send your password across the network without some sort of
encryption, your password will be compromised. If you routinely send your password
across the network without encryption, your machines could already be compromised.
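The check below is an added example, not part of the original recitation. It parses the telnet option negotiation (IAC WILL/WONT/DO/DONT) sent by each side and reports whether the AUTHENTICATION and ENCRYPT options were agreed, which is what "encryption is negotiated" means above. The byte strings are constructed samples and the function names are hypothetical.

```python
# Telnet command bytes (RFC 854) and option codes (RFC 2941, RFC 2946).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
AUTHENTICATION, ENCRYPT = 37, 38

def negotiation_commands(stream: bytes):
    """Yield (command, option) for every WILL/WONT/DO/DONT sent in one direction."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                                  # ordinary data byte
        elif i + 1 >= n:
            break                                   # capture ends mid-command
        elif stream[i + 1] in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break
            yield stream[i + 1], stream[i + 2]
            i += 3
        elif stream[i + 1] == SB:
            # Skip the subnegotiation body; IAC IAC inside it is an escaped 0xFF.
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            i = j + 2
        else:
            i += 2                                  # IAC IAC or a two-byte command

def direction_agreed(sender: bytes, receiver: bytes, option: int) -> bool:
    """True if the sender's last offer was WILL and the receiver's last reply was DO."""
    offers = [c for c, o in negotiation_commands(sender) if o == option and c in (WILL, WONT)]
    replies = [c for c, o in negotiation_commands(receiver) if o == option and c in (DO, DONT)]
    return bool(offers and replies) and offers[-1] == WILL and replies[-1] == DO

def session_report(client: bytes, server: bytes) -> dict:
    """Summarise which security options both ends agreed to use."""
    return {
        "authentication": direction_agreed(client, server, AUTHENTICATION),
        "encrypt_client_to_server": direction_agreed(client, server, ENCRYPT),
        "encrypt_server_to_client": direction_agreed(server, client, ENCRYPT),
    }

# Constructed sample traffic (not a real capture). The SB body is placeholder bytes.
SERVER = bytes([IAC, DO, AUTHENTICATION, IAC, DO, ENCRYPT, IAC, WILL, ENCRYPT]) + b"login: "
PLAIN_CLIENT = bytes([IAC, WONT, AUTHENTICATION, IAC, WONT, ENCRYPT, IAC, DONT, ENCRYPT])
KERBEROS_CLIENT = bytes([IAC, WILL, AUTHENTICATION, IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT,
                         IAC, SB, AUTHENTICATION, 0, IAC, IAC, 1, IAC, SE])

if __name__ == "__main__":
    for name, client in (("plain", PLAIN_CLIENT), ("kerberized", KERBEROS_CLIENT)):
        print(name, session_report(client, SERVER))
```

Agreement on the ENCRYPT option is necessary but not sufficient: under RFC 2946 the data stream is only encrypted once a later subnegotiation starts it, so a report of all `False` is the reliable signal that the session is in clear text.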
NiftyTelnet is a freeware telnet client for PC that supports Kerberos
V4 Authentication, Authentication passing, and Encryption (if the Kerberos Manager
'KClient' is installed).
KClient is a separate program that provides the libraries and
utilities needed to use Kerberos-based PC applications, like Nifty Telnet.
The advantages of Nifty Telnet are:
- Better security through Kerberos authentication and encryption.
- Complete VT102 emulation (with the exception of remote printing codes), very important
when using editors like emacs.
- Support for unrestricted window resizing (will automatically notify modern telnet
servers of the new size).
Caveats: Since the Euro server does not belong to the Andrew domain, you will have to
type your password two or three times at login time. This is explained below.
Installation process
- Open the Software distribution page at http://andrew2.andrew.cmu.edu/dist.
- Download PC KClient (Win32 Kerberos client software) and save it to your local disk.
- Download PC NiftyTelnet (Win32 Kerberos telnet software) and save it to your local disk.
- Execute the installer for the Kerberos client (kclient32.exe) from your local disk and
follow the instructions of the install program.
- Execute the installer for Nifty Telnet (niftytelnet.exe) from your local disk and follow
the instructions of the install program.
You are all set!
Login process
Execute Nifty Telnet, and then in the "File" menu choose the "Open
connection..." option. In the message box, enter the computer name of the host
you want to connect to.
- The Kerberos client will ask for your Andrew user id and password. This
information is used to encrypt the session between your laptop computer and the server.
You will be asked for this password only the first time you establish a telnet
session to the server. The Kerberos client keeps track of the necessary information
until you turn off your laptop computer or close the Kerberos client program.

- The server (Euro) will ask for your user id and password. Here you have to type
your Euro user id and password. This grants you access to the server. If you
were logging in to an Andrew server, the server wouldn't ask for your password since Nifty
telnet would automatically do the authentication process for you.
login: <your login id, same as your Andrew id>
Password: <your euro password>
- At this point you are logged in to the server. If you want to have access to your
AFS files, you have to go through an extra process to authenticate yourself to the AFS
server. If you don't need to access your AFS files, skip this step. If you were
logging in to an Andrew server, you wouldn't have to go through this extra step, because
again the telnet client would have done it for you automatically. To obtain access
to your AFS files, type the following command at the shell prompt:
shell-prompt$ klog -c andrew.cmu.edu
password: <type in your andrew password>
Exercise
After installing the KClient and Nifty Telnet programs, do the following:
1. Log in to Euro using the default telnet client.
What message (warning) do you get at the login prompt?
2. Log in to Euro using Nifty Telnet.
3. Log in to unix.andrew.cmu.edu using Nifty Telnet.
Is the process the same in 2 and 3? Why?