
📄 security.txt

📁 C-Kermit source code. A program for communicating over serial ports/modems and networks
📖 Page 1 of 5
  ftp://ftp.runestig.com/pub/starttls/inetutils-1.3.2-tls.tar.gz

This telnetd supports verification of certificate chains for both client and
server including support for certificate revocation lists.

6. AUTHENTICATION AND ENCRYPTION COMMANDS

Kermit has a full repertoire of commands for selecting and controlling
security.  Bear in mind that these are targeted primarily at the network
or site manager and not at the "ordinary" user.  In a typical application,
a university that has a site license for Kermit 95 creates a customized
installation CD for its user community that contains all the appropriate
security (and other) setups, so end users get secure connections without
doing anything special or even knowing that they have them.

In all Kermit commands:

  KERBEROS4 can be abbreviated KRB4 or K4
  KERBEROS5 can be abbreviated KRB5 or K5

Some of Kermit's Kerberos-related commands are rather complex, but remember
that you don't have to memorize them, or any other Kermit commands.  Use "?"
at any point to feel your way through the command, or type HELP for the
desired command to see a brief explanation.

The CHECK KERBEROS command tells whether your version of Kermit has been built
to include the Kerberos support even if it cannot function on your system.

The CHECK NTLM command tells whether your version of Kermit has been built
to include the NTLM support even if it cannot function on your system.

The CHECK SRP command tells whether your version of Kermit has been built
to include the SRP support even if it cannot function on your system.

The CHECK SSL/TLS command tells whether your version of Kermit has been built
to include the SSL/TLS support even if it cannot function on your system.

IF AVAILABLE KERBEROS4 (or KRB4, or K4) tells whether Kerberos 4 is actually
available in your version of Kermit (e.g. if the Kerberos 4 DLLs are installed
on your Windows 95 PC).

IF AVAILABLE KERBEROS5 (KRB5, K5) tells whether Kerberos 5 is available in
your version of Kermit.

IF AVAILABLE NTLM tells whether NT Lan Manager protocol is available in your
version of Kermit.

IF AVAILABLE SRP tells whether Secure Remote Password protocol is available
in your version of Kermit.

IF AVAILABLE { SSL, TLS } tells whether SSL/TLS protocol is available in your
version of Kermit.

6.1. TELNET-Related Security Commands

SET TELOPT [{ /CLIENT, /SERVER }] AUTHENTICATION
        { ACCEPTED, REFUSED, REQUESTED, REQUIRED }
  ACCEPT or REFUSE authentication bids, or actively REQUEST authentication.
  REQUIRED refuses and closes the connection if authentication is not
  successfully negotiated when either making or accepting connections.
  ACCEPTED by default.

SET TELNET AUTHENTICATION TYPE { AUTOMATIC, KERBEROS4, KERBEROS5, NTLM, SRP,
                                 SSL, NONE }
  AUTOMATIC allows the host to choose the preferred type of authentication.
  Other values allow a specific authentication method to be specified.
  AUTOMATIC is the default.  The list of options varies depending on the
  authentication types selected at compilation time.  When combined with SET
  TELOPT AUTH REQUIRED, a specific authentication method can be required.

SET TELNET AUTHENTICATION FORWARDING { ON, OFF }
  When Kermit is the client, set this to ON to forward forwardable Kerberos V
  Ticket Granting Tickets to the host after authentication is complete, so you
  can make additional authenticated connections from there.  When Kermit is
  the server, set this to ON to accept forwardable Kerberos V TGTs from the
  client.  OFF by default.

SET TELNET AUTHENTICATION HOW-FLAG { ANY, MUTUAL, ONE-WAY }
  Specifies which values for the HOW-FLAG should be accepted as a client
  or offered as a server.  The default is ANY.

SET TELNET AUTHENTICATION ENCRYPT-FLAG { ANY, NONE, TELOPT }
  Specifies which values for the ENCRYPT-FLAG should be accepted as a client
  or offered as a server.  The default is ANY.

SET TELOPT [{ /CLIENT, /SERVER }] ENCRYPTION
        { ACCEPTED, REFUSED, REQUESTED, REQUIRED }
        { ACCEPTED, REFUSED, REQUESTED, REQUIRED }
  The first parameter specifies the Kermit to peer state.  The second
  parameter specifies the peer to Kermit state.  The default is ACCEPTED
  ACCEPTED.

SET TELNET ENCRYPTION TYPE { AUTOMATIC, CAST128_CFB64, CAST128_OFB64,
  CAST5_40_CFB64, CAST5_40_OFB64, DES_CFB64, DES_OFB64,
  DES3_CFB64, DES3_OFB64, NONE }
  AUTOMATIC allows the host to choose the preferred type of encryption.
  Other values allow a specific encryption method to be specified.
  AUTOMATIC is the default.  The list of options varies depending
  on the encryption types selected at compilation time.  An encryption
  method can only be used if there is enough key data available.
  Kerberos can use only DES encryption because it provides a shared
  secret only 56 bits in length.

SET TELOPT [{ /CLIENT, /SERVER }] START_TLS
        { ACCEPTED, REFUSED, REQUESTED, REQUIRED }
  ACCEPT or REFUSE a request to negotiate TLS, or actively REQUEST
  that TLS be negotiated.  REQUIRED refuses and closes the connection if
  the peer refuses to negotiate TLS or the TLS negotiations end in failure.
  ACCEPTED by default when a client.  REQUESTED by default when a server.

SET TELNET ENVIRONMENT USER <name>
SET LOGIN USERID <name>
  If a <name> is given, it is sent to host during Telnet negotiations; if this
  switch is given but the string is omitted, no user ID is sent to the host.
  If this command is not given, your current USERID value, \v(userid), is
  sent.  When a userid is sent to the host it is a request to login as the
  specified user.

SET LOGIN PASSWORD <password>
  If a <password> is given, it is treated as the password to be used (if
  required) by any Telnet Authentication protocol (Kerberos Ticket retrieval,
  Secure Remote Password (SRP), or X.509 certificate private key decryption.)
  If no password is specified a prompt is issued to request the password if
  one is required for the negotiated authentication method.

SET TELNET DEBUG ON
  Displays all TELNET negotiations in full detail.

TELNET /AUTH:<type> /ENCRYPT:<type> /USERID:[<name>] /PASSWORD:[<string>]
       <host> <port>
  The TELNET command is a shortcut for making interactive connections.
  It is the equivalent of specifying:

    SET TELOPT AUTH ...
    SET TELNET AUTH TYPE ...
    SET TELOPT ENCRYPT ...
    SET TELNET ENCRYPT TYPE ...
    SET LOGIN USERID ...
    SET LOGIN PASSWORD ...
    SET HOST /CONNECT <host> <port> /TELNET

  /AUTH:<type> is equivalent to SET TELNET AUTH TYPE <type> and
  SET TELOPT AUTH REQUIRED with the following exceptions.  If the type
  is AUTO, then SET TELOPT AUTH REQUESTED is executed and if the type
  is NONE, then SET TELOPT AUTH REFUSED is executed.

  /ENCRYPT:<type> is equivalent to SET TELNET ENCRYPT TYPE <type>
  and SET TELOPT ENCRYPT REQUIRED REQUIRED with the following exceptions.
  If the type is AUTO then SET TELOPT AUTH REQUESTED REQUESTED is executed
  and if the type is NONE then SET TELOPT ENCRYPT REFUSED REFUSED is
  executed.

  /USERID:[<name>]
  This switch is equivalent to SET LOGIN USERID <name> or SET TELNET
  ENVIRONMENT USER <name>.  If a string is given, it is sent to host during
  Telnet negotiations; if this switch is given but the string is omitted, no
  user ID is sent to the host.  If this switch is not given, your current
  USERID value, \v(userid), is sent.  When a userid is sent to the host
  it is a request to login as the specified user.

  /PASSWORD:[<string>]
  This switch is equivalent to SET LOGIN PASSWORD.  If a string is given,
  it is treated as the password to be used (if required) by any Telnet
  Authentication protocol (Kerberos Ticket retrieval, Secure Remote
  Password, or X.509 certificate private key decryption.)  If no password
  switch is specified a prompt is issued to request the password if one
  is required for the negotiated authentication method.

SHOW TELNET
  Displays current TELNET settings, including authentication and
  encryption.

6.2. The SET AUTHENTICATION Command

The SET AUTHENTICATION command lets you configure the behavior of Kermit's
authentication methods and set defaults for the AUTHENTICATE commands so you
don't always have to include all the switches if you give more than one
AUTHENTICATE command in one Kermit session:

If you always use the same setup, you can put the appropriate SET
AUTHENTICATION commands in your Kermit customization file: k95custom.ini
(Windows) or .mykermrc (UNIX).

6.2.1 Kerberos Set Commands

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } AUTODESTROY
  { ON-CLOSE, ON-EXIT, NEVER }
  When ON, Kermit destroys all credentials in the default
  credentials cache upon Kermit termination.  Default is NEVER.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } AUTOGET { ON, OFF }
  When ON, if the host offers Kerberos 4 or Kerberos 5 authentication and
  Kermit is configured to use that authentication method and there is no
  TGT, Kermit automatically attempts to retrieve one by prompting for the
  password (and principal if needed.)  Default is ON.

SET AUTHENTICATION KERBEROS5 CREDENTIALS-CACHE <filename>
  Specifies an alternative credentials cache.  This is useful when you need
  to maintain two or more sets of credentials for different realms or
  roles.  The default is specified by the environment variable KRB5CCNAME
  or as reported by the Kerberos 5 library.

SET AUTHENTICATION KERBEROS5 FORWARDABLE { ON, OFF }
  ON specifies that Kerberos 5 credentials should be forwardable to the
  host.  If SET TELNET AUTHENTICATION FORWARDING is ON, forwardable
  credentials are sent to the host.  Default is OFF.

SET AUTHENTICATION KERBEROS5 GET-K4-TGT { ON, OFF }
  ON specifies that Kerberos 4 credentials should be requested each
  time Kerberos 5 credentials are requested with AUTH KERBEROS5 INIT.
  The default is OFF.

SET AUTHENTICATION KERBEROS4 INSTANCE <instance>
  Allows a Kerberos 4 instance to be specified as a default (if needed).

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } LIFETIME <minutes>
  Specifies the lifetime of the TGTs requested from the KDC.  The default
  is 600 minutes (10 hours).

SET AUTHENTICATION KERBEROS4 PREAUTH { ON, OFF }
  Allows Kerberos 4 preauthenticated TGT requests to be turned off.  The
  default is ON.  Only use if absolutely necessary.  We recommend that
  preauthenticated requests be required for all tickets returned by a KDC
  to a requestor.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } PRINCIPAL <name>
  When Kermit starts, it attempts to set the principal name to that stored
  in the current credentials cache.  If no credential cache exists, the
  current SET LOGIN USERID value is used.  SET LOGIN USERID is set to the
  operating system's current username when Kermit is started.  To force
  Kermit to prompt the user for the principal name when requesting TGTs,
  place

    SET AUTH K4 PRINCIPAL {}
    SET AUTH K5 PRINCIPAL {}

  in the Kermit initialization file or connection script.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } PROMPT PASSWORD <prompt>
  Specifies a custom prompt to be used when prompting for a password.  The
  Kerberos prompt strings may contain two "%s" replacement fields.  The
  first %s is replaced by the principal name; the second by the realm.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } PROMPT PRINCIPAL <prompt>
  Specifies a custom prompt to be used when prompting for the Kerberos
  principal name.  No %s replacement fields may be included.  Kermit
  prompts for a principal name when retrieving a TGT if the command:

    SET AUTHENTICATION { KERBEROS4, KERBEROS5 } PRINCIPAL {}

  has been issued.

SET AUTHENTICATION KERBEROS5 PROXIABLE { ON, OFF }
  When ON, specifies that Kerberos 5 credentials should be proxiable.
  The default is OFF.

SET AUTHENTICATION KERBEROS5 RENEWABLE <minutes>
  When <minutes> is greater than the ticket lifetime a TGT may be
  renewed with AUTH K5 INIT /RENEW instead of granting a new ticket
  as long as the ticket is not expired and it's within the renewable
  lifetime.  Default is 0 (zero) minutes.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } REALM <name>
  If no default is set, the default realm configured for the Kerberos
  libraries is used.  Abbreviations are accepted.

SET AUTHENTICATION { KERBEROS4, KERBEROS5 } SERVICE-NAME <name>
  This command specifies the service ticket name used to authenticate
  to the host when Kermit is used as a client; or the service ticket
  name accepted by Kermit when it is acting as the host.
  If no default is set, the default service name for Kerberos 4 is
  "rcmd" and for Kerberos 5 is "host".

6.2.2 SRP Set Commands

SET AUTHENTICATE SRP PROMPT PASSWORD <text>
  Specifies a custom prompt to be used when prompting for a password.
  <prompt> may contain a single instance of "%s" which is replaced
  by the user's login name.

6.2.3 SSL and TLS (OpenSSL) Set Commands

In all of the following commands "SSL" and "TLS" are aliases.

SET AUTHENTICATE { SSL, TLS } CIPHER-LIST <list of ciphers>
  This command applies to both SSL and TLS.  A colon-separated list of any
  of the following (case-sensitive) options is accepted, depending on the
  options chosen when OpenSSL was compiled (without the doublequotes):

  Key Exchange Algorithms:
    "kRSA"      RSA key exchange
    "kDHr"      Diffie-Hellman key exchange (key from RSA cert)
    "kDHd"      Diffie-Hellman key exchange (key from DSA cert)
    "kEDH"      Ephemeral Diffie-Hellman key exchange (temporary key)

  Authentication Algorithm:
    "aNULL"     No authentication
    "aRSA"      RSA authentication
    "aDSS"      DSS authentication
    "aDH"       Diffie-Hellman authentication

  Cipher Encoding Algorithm:
    "eNULL"     No encoding
    "DES"       DES encoding
    "3DES"      Triple DES encoding
    "RC4"       RC4 encoding
    "RC2"       RC2 encoding
    "IDEA"      IDEA encoding

  MAC Digest Algorithm:
    "MD5"       MD5 hash function
    "SHA1"      SHA1 hash function
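
Sections 6.1 and 6.2 state that Telnet authentication and encryption default
to ACCEPTED and that only REQUIRED closes the connection when negotiation
fails.  The Python sketch below is an added example, not part of the Kermit
distribution: it replays the SET commands of an init file over those
documented defaults and reports what falls short.  The policy, the 4-character
abbreviation rule and the sample file are assumptions made for illustration.

```python
# Added example: audit a Kermit init file (k95custom.ini / .mykermrc) against
# the defaults documented above. The policy itself is an assumption.
DEFAULTS = {  # setting -> default stated in the text (client side)
    ("TELOPT", "AUTHENTICATION"): ["ACCEPTED"],
    ("TELOPT", "ENCRYPTION"): ["ACCEPTED", "ACCEPTED"],
    ("TELNET", "AUTHENTICATION", "TYPE"): ["AUTOMATIC"],
    ("TELNET", "ENCRYPTION", "TYPE"): ["AUTOMATIC"],
}
POLICY = {  # setting -> test the effective value must pass
    ("TELOPT", "AUTHENTICATION"): lambda v: v == ["REQUIRED"],
    ("TELOPT", "ENCRYPTION"): lambda v: v == ["REQUIRED", "REQUIRED"],
    ("TELNET", "AUTHENTICATION", "TYPE"): lambda v: v != ["NONE"],
    ("TELNET", "ENCRYPTION", "TYPE"): lambda v: v != ["NONE"],
}
SAMPLE = """\
; constructed sample init file
SET LOGIN USERID alice
SET LOGIN PASSWORD hunter2
SET TELOPT /CLIENT AUTH REQUIRED
SET TELNET AUTH TYPE KERBEROS5
SET TELNET ENCRYPT TYPE NONE
"""

def _abbrev(token, word):
    # Keywords may be abbreviated (the text uses AUTH and ENCRYPT). Requiring
    # 4+ characters is a simplification; values must be spelled out in full.
    return token == word or (len(token) >= 4 and word.startswith(token))

def audit(text):
    state = {k: list(v) for k, v in DEFAULTS.items()}
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        up = [t.upper() for t in raw.split()
              if t.upper() not in ("/CLIENT", "/SERVER")]  # sides treated alike
        if len(up) < 3 or up[0] != "SET":
            continue  # comments, blank lines and non-SET commands
        if _abbrev(up[1], "LOGIN") and _abbrev(up[2], "PASSWORD") and len(up) > 3:
            findings.append(f"line {n}: SET LOGIN PASSWORD stores a cleartext password")
        for key in state:
            if len(up) > len(key) + 1 and all(
                    _abbrev(t, w) for t, w in zip(up[1:], key)):
                state[key] = up[len(key) + 1:]
    for key, ok in POLICY.items():
        if not ok(state[key]):
            findings.append(f"{' '.join(key)} is {' '.join(state[key])}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty file yields two findings, because the documented defaults alone never
require authentication or encryption.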
