security.txt

C-Kermit源码。是使用串口/Modem和网络通讯的程序

Each line specifies either a domain name prefaced with a '.' or a host name
and the Kerberos IV realm to which it belongs.

The Leash Kerberos IV implementation does not contain support for server
side functionality.  Therefore, K95 cannot authenticate incoming connections
with Kerberos IV.  It also does not include support for pre-authenticated
ticket granting ticket requests.

3.1.1.2. Notes on the Kerberos V configuration file

Kerberos V uses a single configuration file, KRB5.CONF (or KRB5.INI on
Windows).  This file must be customized for the domains, realms, and hosts
used in your network environment.  For example:

[libdefaults]
        default_realm = CC.COLUMBIA.EDU
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        ticket_lifetime = 600
        dns_fallback = true

[domain_realm]
        .cc.columbia.edu = CC.COLUMBIA.EDU
        cc.columbia.edu = CC.COLUMBIA.EDU
        .columbia.edu = CC.COLUMBIA.EDU
        columbia.edu = CC.COLUMBIA.EDU

[realms]
        CC.COLUMBIA.EDU = {
                kdc = kerberos.columbia.edu:88
                admin_server = kerberos.columbia.edu:749
                default_domain = cc.columbia.edu
                supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
                supported_keytypes = des:normal des-cbc-crc:v4
        }

3.1.2. Secure Remote Password protocol in Kermit 95

Beginning with version 1.1.16, Kermit 95 supports Telnet Authentication via
Secure Remote Password protocol without any additional software.

In addition, if the appropriate encryption patch (obtained from the Kermit
Project) is installed, two-way encryption is also negotiated and used if
authentication was negotiated.  The encryption patch is available WITH EXPORT
RESTRICTIONS at:

  http://www.kermit-project.org/noexport.html

Kermit 95 contains support for authenticating incoming connections using SRP.
Unfortunately, there are no Windows based tools for creating the SRP password
file.  However, once a password and config file are created on Unix they can
be copied to Windows.  Use the SRP_ETC or ETC environment variables to specify
where the "tpasswd" and "tpasswd.conf" files are stored.

3.1.3. NT LAN Manager Authentication in Kermit 95

NTLM authentication is a feature of Windows 95/98, NT, and Windows 2000.  It
is used to authenticate Windows clients to Windows services.  Telnet Auth
NTLM is implemented in the Microsoft Telnet Daemon that ships with NT
Services for Unix and with Windows 2000.

Windows 95/98 only contains support for the client whereas NT contains
support for both client and server.  Kermit 95 can authenticate incoming
connections with NTLM when it is executing on NT.

3.1.4. OpenSSL support for SSLv3 and TLSv1 in Kermit 95

OpenSSL security is available in Kermit 95 1.1.18 and later.  OpenSSL sources
may be retrieved from the web site http://www.openssl.org/.  As of this
writing the current release of OpenSSL is 0.9.4 and 0.9.5 is under
development.  Kermit 95 works with the binaries produced by compiling either
0.9.4 or 0.9.5.  Patches to enable OpenSSL to be compiled for OS/2 are
located at:

  http://www.geocities.com/SiliconValley/Hills/8057/files/openssl.html

On Windows, OpenSSL must be compiled and linked to use the NT DLL option
without Debug information.  Compiling the DLLs with support for debugging
links the DLLs to an incompatible C Run Time Library DLL.

On OS/2, OpenSSL must be compiled to use the DLL version of the run time
library.

For proper operation of OpenSSL and Kermit 95, the OpenSSL DLLs must be
available in the PATH.  In addition, the OPENSSL_CONF environment variable
should also be defined appropriately.

OpenSSL does not define default locations for certificates and revocation
lists therefore the appropriate SET AUTH { SSL, TLS } commands must be
specified in the K95CUSTOM.INI (or IKSD.KSC) file in order for certificate
verification to be performed.

Due to patent licensing restrictions on RSA and IDEA algorithms within the
United States, any binaries that the Kermit Project might distribute to
provide SSL/TLS support for Kermit 95 do not contain RSA key exchange;
RSA authentication; or RC2, RC4, and IDEA ciphers.

If you wish to provide support for authentication of clients using public
key certificates you must provide a custom X509_to_user() function to
provide the certificate to local userid mapping.  An example function which
uses the /UID field of the Certificate Subject name follows:

  int
  X509_to_user(X509 *peer_cert, char *userid, int len)
  {
      int err;

      if (!(peer_cert && userid) || len <= 0)
          return -1;

      /* userid is in cert subject /UID */
      err = X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
                                       NID_uniqueIdentifier, userid, len);
      if (err > 0)
          return 0;
      return -1;
  }

This function must be compiled into a DLL called "X5092UID.DLL".  It should
be linked to the OpenSSL libraries and the DLL version of the run time
library.


3.2. Authentication and Encryption in C-Kermit 7.0

C-Kermit 7.0 may be compiled with support Kerberos 4, Kerberos 5, Secure
Remote Password, and OpenSSL's SSLv3 and TLSv1.

3.2.1. Kerberos in C-Kermit 7.0

This section is current as of C-Kermit 7.0.196 Beta.11.

Kerberos IV and Kerberos V support is available for Unix versions of C-Kermit
7.0.  Kerberos support in C-Kermit is provided for both outgoing and incoming
connections (SET HOST /SERVER * <port> /TELNET or the Internet Kermit
Service).

Kerberized C-Kermit binaries are not available due to export restrictions (see
Section 2); you must build your own binary from a combination of Columbia
source code and Kerberos libraries from other sources.

 1a. Retrieve a Kerberos 5 1.1 source code kit from the appropriate site:

       http://web.mit.edu/kerberos/www/ or
       http://web.mit.edu/network/kerberos-form.html

 1b. Choose a Kerberos 4 installation (from MIT) and retrieve a source code
     kit from the appropriate site:

       http://web.mit.edu/kerberos/www/ or
       http://web.mit.edu/network/kerberos-form.html

 2. Obtain the C-Kermit Authentication and Encryption support modules from
    Columbia University.  These are not available by FTP due to export
    restrictions.  Contact kermit-support@columbia.edu for details.

 3. Build and install Kerberos on your system according to the instructions
    that come with the Kerberos distribution you have chosen.

 4. Add a new entry to the C-Kermit makefile for your platform, that adds the
    following CFLAGS:

      -DCK_AUTHENTICATION -DCK_KERBEROS

    For Kerberos 4 include:

      -DKRB4

    For Kerberos 5 include:

      -DKRB5

    For Kerberos 4 compatibility mode with Kerberos 5:

      -DKRB5 -DKRB524 -DKRB4

    If you have the source file ck_crp.c and desire DES encryption include:

      -DCK_ENCRYPTION -DCK_DES

    Use "krbmit" as the target for builds with ck_crp.c and "krbmit-export"
    for builds without ck_crp.c.

    Add the path to the Kerberos header files using the -I switch.  The
    location of these files are host specific.  For example:

      -I/usr/kerberos/include

    Add the path to the Kerberos libraries using the -L switch.  The
    location of these files are host specific.  For example:

      -L/usr/kerberos/lib

    Add the appropriate libraries.  For Kerberos 4 include:

      -lkrb

    For Kerberos 5 include:

      -lkrb5 -lcom_err -lcrypto

    For Kerberos 4 compatibility mode with Kerberos 5 include:

      -ldes425 -lkrb5 -lcom_err -lcrypto

    Make sure the new entry points to the appropriate include files, and links
    with the appropriate libraries.  Use the "linux+krb5", "linux+krb5+krb4",
    and "sunos41gcc+krb4" makefile entries as models.

Note that the select() version of the CONNECT-command module (ckucns.c) must
be used rather than the older fork() based (ckucon.c) version.

Keep the Kerberos support modules private, and put the C-Kermit binary where
it can be used, but not where it can be accessed by anonymous ftp or by anyone
who is outside the USA or Canada.

When C-Kermit 7.0 is built with Kerberos support and installed as an Internet
Kermit Service Daemon (IKSD), Kerberos is offered for authenticating incoming
connections.  To authenticate incoming connections there must be a valid
keytab file providing local access to the key necessary for decrypting
meesages encoded in the server's key.

3.2.2. Secure Remote Password protocol in C-Kermit

This section is current as of C-Kermit 7.0.196 Beta.11.

Secure Remote Password (SRP) support is available for Unix versions of
C-Kermit 7.0.  SRP support in C-Kermit is provided for both outgoing and
incoming connections (SET HOST /SERVER * <port> /TELNET or the Internet Kermit
Service).

SRP C-Kermit binaries are not available due to export restrictions (see
Section 2); you must build your own binary from a combination of Columbia
source code and SRP libraries from other sources.

 1. Retrieve the SRP 1.5.0 source code kit from:

      http://srp.stanford.edu/srp/

 2. Obtain the C-Kermit Authentication and Encryption support modules from
    Columbia University.  These are not available by FTP due to export
    restrictions.  Contact kermit-support@columbia.edu for details.

 3. Build SRP with the GMP math library.  Be sure to read the installation
    instructions before installing because SRP replaces many standard Unix
    system files and failure to follow the procedures may leave you locked
    out of your system.

 4. Add a new entry to the C-Kermit makefile for your platform, that adds
    the following CFLAGS:

      -DCK_AUTHENTICATION -DCK_SRP

    If you have the source file ck_crp.c include:

      -DCK_ENCRYPTION

    For CAST encryption (requires ck_crp.c) add:

      -DCK_CAST

    If using the Eric A. Young DES encryption library (available separately
    and as a part of the OpenSSL project <http://www.openssl.org>)
    (requires ck_crp.c) add:

      -DCK_DES -DLIBDES

    Use "srpmit" as the target for builds with ck_crp.c and "srpmit-export"
    for builds without ck_crp.c.

    Add the path to the SRP header files using the -I switch.  The
    location of these files are host specific.  For example:

      -I/usr/srp/include

    Add the path to the SRP libraries using the -L switch.  The
    location of these files are host specific.  For example:

      -L/usr/srp/lib

    Add the appropriate libraries.  (Include des only if you have the
    Eric A. Young library):

      -lsrp -lgmp -ldes

    Make sure the new entry points to the appropriate include files, and
    links with the appropriate libraries.  Use the "linux+srp" and
    "linux+krb5+krb4+srp" makefile entries as models.

Note that the select() version of the CONNECT-command module (ckucns.c) must
be used rather than the older fork() based (ckucon.c) version.

Keep the SRP support modules private, and put the C-Kermit binary where
it can be used, but not where it can be accessed by anonymous ftp or by anyone
who is outside the USA or Canada.

When C-Kermit 7.0 is installed as an Internet Kermit Service (IKSD), SRP
is offered for authenticating incoming connections.

3.2.3   OpenSSL support for SSLv3 and TLSv1 in C-Kermit 7.0.

This section is current as of C-Kermit 7.0.196 Beta.11.

OpenSSL support is available for Unix versions of C-Kermit 7.0.  SSLv3 and
TLSv1 support in C-Kermit is provided for both outgoing and incoming
connections (SET HOST /SERVER * <port> /TELNET or the Internet Kermit Service).

OpenSSL C-Kermit binaries are not available due to export restrictions (see
Section 2); you must build your own binary from a combination of Columbia
source code and the OpenSSL libraries from other sources.

 1. Retrieve the OpenSSL 0.9.4 source code kit from:

      http://www.openssl.org/