security.txt

C-Kermit source code. A program for serial-port/modem and network communications.
    "SHA"       SHA hash function (should not be used)

Aliases:

    "ALL"       all ciphers
    "SSLv2"     all SSL version 2.0 ciphers (should not be used)
    "SSLv3"     all SSL version 3.0 ciphers
    "EXP"       all export ciphers (40-bit)
    "EXPORT56"  all export ciphers (56-bit)
    "LOW"       all low strength ciphers (no export)
    "MEDIUM"    all ciphers with 128-bit encryption
    "HIGH"      all ciphers using greater than 128-bit encryption
    "RSA"       all ciphers using RSA key exchange
    "DH"        all ciphers using Diffie-Hellman key exchange
    "EDH"       all ciphers using Ephemeral Diffie-Hellman key exchange
    "ADH"       all ciphers using Anonymous Diffie-Hellman key exchange
    "DSS"       all ciphers using DSS authentication
    "NULL"      all ciphers using no encryption

Each item in the list may include a prefix modifier:

    "+"         move cipher(s) to the current location in the list
    "-"         remove cipher(s) from the list (may be added again by
                a subsequent list entry)
    "!"         kill cipher from the list (it may not be added again
                by a subsequent list entry)

If no modifier is specified the entry is added to the list at the current
position.  "+" may also be used to combine tags: an entry such as "RSA+RC4"
describes all ciphers that use both RSA and RC4.

For example, all available ciphers not including ADH key exchange:

  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

All algorithms including ADH and export but excluding patented algorithms:

  HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

The OpenSSL command

  openssl ciphers -v <list of ciphers>

may be used to list all of the ciphers and the order described by a specific
<list of ciphers>.

SET AUTHENTICATE { SSL, TLS } CRL-DIR <directory>
  Specifies a directory that contains certificate revocation files, where
  each file is named by the hash of the certificate issuer name.
  OpenSSL expects the hash symlinks to be made like this:

    ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r0

  Since not all file systems have symlinks, you can use the following
  command in Kermit to copy the crl.pem file to the hash file name:

    copy crl.pem {\fcommand(openssl crl -hash -noout -in crl.pem).r0}

  This produces a hash based on the issuer field in the CRL, so that the
  issuer field of a certificate may be quickly mapped to the correct CRL.

SET AUTHENTICATE { SSL, TLS } CRL-FILE <filename>
  Specifies a file that contains a list of certificate revocations.

SET AUTHENTICATE { SSL, TLS } DEBUG { ON, OFF }
  Tells whether debug information should be displayed about the SSL/TLS
  connection.  When DEBUG is ON, the VERIFY command does not terminate
  connections when set to FAIL-IF-NO-PEER-CERT and a certificate is
  presented that cannot be successfully verified; instead each error is
  displayed but the connection automatically continues.

SET AUTHENTICATE { SSL, TLS } DH-PARAM-FILE <filename>
  Specifies a file containing DH parameters which are used to generate
  temporary DH keys.  If a DH parameter file is not provided, Kermit uses a
  fixed set of parameters depending on the negotiated key length.  Kermit
  provides DH parameters for key lengths of 512, 768, 1024, 1536, and 2048
  bits.

SET AUTHENTICATE { SSL, TLS } DSA-CERT-FILE <filename>
  Specifies a file containing a DSA certificate to be sent to the peer to
  authenticate the host or end user.  The file may contain the matching DH
  private key instead of using the DSA-KEY-FILE command.

SET AUTHENTICATE { SSL, TLS } DSA-KEY-FILE <filename>
  Specifies a file containing the private DH key that matches the DSA
  certificate specified with DSA-CERT-FILE.  This command is only necessary
  if the private key is not appended to the certificate in the file
  specified by DSA-CERT-FILE.

Note: When Kermit is running as an IKSD it cannot support encrypted private
keys.  If your private key file is encrypted you can use the following
command to decrypt it (provided you know the pass phrase):

  openssl dsa -in <encrypted-key-file> -out <unencrypted-key-file>

SET AUTHENTICATE { SSL, TLS } RSA-CERT-FILE <filename>
  Specifies a file containing an RSA certificate to be sent to the peer to
  authenticate the host or end user.  The file may contain the matching RSA
  private key instead of using the RSA-KEY-FILE command.

SET AUTHENTICATE { SSL, TLS } RSA-KEY-FILE <filename>
  Specifies a file containing the private RSA key that matches the RSA
  certificate specified with RSA-CERT-FILE.  This command is only necessary
  if the private key is not appended to the certificate in the file
  specified by RSA-CERT-FILE.

Note: When Kermit is running as an IKSD it cannot support encrypted private
keys.  If your private key file is encrypted you can use the following
command to decrypt it (provided you know the pass phrase):

  openssl rsa -in <encrypted-key-file> -out <unencrypted-key-file>

SET AUTHENTICATE { SSL, TLS } VERBOSE { ON, OFF }
  Specifies whether information about the authentication (the certificate
  chain) should be displayed upon making a connection.

SET AUTHENTICATE { SSL, TLS } VERIFY { NO, PEER-CERT, FAIL-IF-NO-PEER-CERT }
  Specifies whether certificates should be requested from the peer; whether
  they should be verified when they are presented; and whether they should
  be required.  When set to NO (the default for IKSD), Kermit does not
  request that the peer send a certificate, and if one is presented it is
  ignored.  When set to PEER-CERT (the default when not IKSD), Kermit
  requests that a certificate be sent by the peer.  If the certificate is
  presented, it is verified.  Any errors during the verification process
  result in queries to the end user.  When set to FAIL-IF-NO-PEER-CERT,
  Kermit asks the peer to send a certificate.  If the certificate is not
  presented or fails to verify successfully, the connection is terminated
  without querying the user.

  If an anonymous cipher (i.e., ADH) is desired the NO setting must be
  used; otherwise the receipt of the peer certificate request is
  interpreted as a protocol error and the negotiation fails.

  If you wish to allow the peer to authenticate using either an X.509
  certificate to userid mapping function or via use of a ~/.tlslogin file,
  you must use either PEER-CERT or FAIL-IF-NO-PEER-CERT.  Otherwise, any
  certificates that are presented are ignored.  In other words, use NO if
  you want to disable the ability to use certificates to authenticate a
  peer.

SET AUTHENTICATE { SSL, TLS } VERIFY-DIR <directory>
  Specifies a directory that contains root CA certificate files used to
  verify the certificate chains presented by the peer.  Each file is named
  by a hash of the certificate.  OpenSSL expects the hash symlinks to be
  made like this:

    ln -s cert.pem `openssl x509 -hash -noout -in cert.pem`.0

  Since not all file systems have symlinks, you can use the following
  command in Kermit to copy the cert.pem file to the hash file name:

    copy cert.pem {\fcommand(openssl x509 -hash -noout -in cert.pem).0}

  This produces a hash based on the subject field in the cert such that the
  certificate may be quickly found.

SET AUTHENTICATE { SSL, TLS } VERIFY-FILE <file>
  Specifies a file that contains root CA certificates to be used for
  verifying certificate chains.

6.3. The AUTHENTICATE Command (Kerberos Only)

The AUTHENTICATE command obtains or destroys Kerberos tickets and lists
information about them.  The general format is:

  AUTHENTICATE { KERBEROS4, KERBEROS5 [ switches ] } <action> [ switches ]

The use of command switches is described in ckermit2.txt, section 1.5.

The actions are INITIALIZE, DESTROY, and LIST-CREDENTIALS:

  AUTH {K4,K5} { INITIALIZE [switches], DESTROY, LIST-CREDENTIALS [switches] }

The INITIALIZE command is the most complex, and its format is different for
Kerberos 4 and Kerberos 5.  For Kerberos 4, the format is:

AUTH K4 INITIALIZE [ /INSTANCE:<name> /LIFETIME:<minutes> -
  /PASSWORD:<password> /PREAUTH /REALM:<name> <principal> ]

All switches are optional.  Kerberos 4 INITIALIZE switches are as follows:

/INSTANCE:<name>
  Allows an Instance to be specified (see Glossary).

/LIFETIME:<number>
  Specifies the requested lifetime in minutes for the ticket.  If no lifetime
  is specified, 600 minutes is used.  If the lifetime is greater than the
  maximum supported by the ticket granting service, the resulting lifetime
  is shortened accordingly.

/NOT-PREAUTH
  Instructs Kermit to send a ticket granting ticket (TGT) request to the KDC
  without any preauthentication data.

/PASSWORD:<string>
  Allows the inclusion of a password in a script file.  If no /PASSWORD switch
  is included, you are prompted on a separate line.  The password switch is
  provided for use by automated scripts.  However, we strongly recommend that
  it not be used because clear text passwords can be easily compromised.

/PREAUTH
  Instructs Kermit to send a preauthenticated ticket granting ticket (TGT)
  request to the KDC instead of a plaintext request.  This is the default
  when supported by the Kerberos libraries.

/REALM:<name>
  Allows an alternative Realm to be specified (see Glossary).

<principal>
  May be of the form:

    userid[.instance[.instance]]@[realm]

  Can be omitted if it is the same as your username or SET LOGIN USERID
  value on the client system.

The format for Kerberos 5 is as follows:

AUTH K5 [ /CACHE:<filename> ] { INITIALIZE ..., DESTROY, LIST-CREDENTIALS ...}

The INITIALIZE command for Kerberos 5 can include a number of switches;
all are optional:

AUTH K5 [ /CACHE:<filename> ] INITIALIZE [ /ADDRESSES:<addr-list>
  /FORWARDABLE /KERBEROS4 /LIFETIME:<minutes> /PASSWORD:<password>
  /POSTDATE:<date-time> /PROXIABLE /REALM:<name> /RENEW /RENEWABLE:<minutes>
  /SERVICE:<name> /VALIDATE <principal> ]

Kerberos 5 INITIALIZE switches are:

/ADDRESSES:{list of ip-addresses}
  Specifies a list of IP addresses that should be placed in the Ticket
  Granting Ticket in addition to the local machine addresses.

/FORWARDABLE
  Requests forwardable tickets.

/KERBEROS4
  Instructs Kermit to get Kerberos 4 tickets in addition to Kerberos 5
  tickets.  If Kerberos 5 tickets are not supported by the server, a mild
  warning is printed and Kerberos 4 tickets are requested.

/LIFETIME:<number>
  Specifies the requested lifetime in minutes for the ticket.  If no
  lifetime is specified, 600 minutes is used.  If the lifetime is greater
  than the maximum supported by the ticket granting service, the resulting
  lifetime is shortened.

/NO-KERBEROS4
  Instructs Kermit to not attempt to retrieve Kerberos 4 credentials.

/NOT-FORWARDABLE
  Requests non-forwardable tickets.

/NOT-PROXIABLE
  Requests non-proxiable tickets.

/PASSWORD:<string>
  Allows the inclusion of a password in a script.  If no password is
  specified you are prompted for one.  The password switch is provided for
  use by automated scripts.  However, we strongly recommend that it not be
  used because clear-text passwords can be easily compromised.  See Chapter
  19 of "Using C-Kermit".

/POSTDATE:<date-time>
  Requests a postdated ticket, valid starting at <date-time>.  Postdated
  tickets are issued with the invalid flag set, and need to be fed back to
  the KDC before use with the /VALIDATE switch.  See ckermit2.txt section
  1.6 for acceptable date-time formats.

/PROXIABLE
  Requests proxiable tickets.

/REALM:<string>
  Allows an alternative realm to be specified.

/RENEW
  Requests renewal of a renewable Ticket Granting Ticket.  Note that
  an expired ticket cannot be renewed even if it is within its renewable
  lifetime.

/RENEWABLE:<number>
  Requests renewable tickets, with a total lifetime of <number> minutes.

/SERVICE:<string>
  Allows a service other than the ticket granting service to be specified.

/VALIDATE
  Requests that the Ticket Granting Ticket in the cache (with the invalid
  flag set) be passed to the KDC for validation.  If the ticket is within
  its requested time range, the cache is replaced with the validated
  ticket.

<principal>
  May be of the form:

    userid[/instance][@realm]

  Can be omitted if it is the same principal as stored in the current ticket
  cache at the time Kermit started, or the current username if a ticket
  cache did not exist.

Note: Kerberos 5 always attempts to retrieve a Ticket Granting Ticket (TGT)
using the preauthenticated TGT request.

AUTHENTICATE K5 LIST-CREDENTIALS [ /ADDRESSES /ENCRYPTION /FLAGS ]
  Shows start time, expiration time, service or principal name, plus
  the following additional information depending on the switches:

/ADDRESSES
  Displays the hostnames and/or IP addresses embedded within the
  tickets.

/ENCRYPTION dis
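As an added illustration of the cipher-list rules quoted in the SSL/TLS section above (tag aliases, "A+B" meaning both tags, and the "+", "-" and "!" modifiers), the following Python models how such a list is expanded. It is not code from the Kermit documentation or from OpenSSL; the cipher table and its tags are constructed sample values, and `openssl ciphers -v` remains the authority for any real list.

```python
# Added example: a small model of the OpenSSL cipher-list rules described
# above (tag aliases, "A+B" intersection, and the "+", "-", "!" modifiers).
# The cipher table is constructed for illustration; it is not OpenSSL's real
# list, and the real order for a given spec comes from `openssl ciphers -v`.

# Constructed sample table: cipher name -> the tags it carries.
CIPHERS = [
    ("DHE-RSA-AES256-SHA", {"EDH", "DH", "RSA", "AES", "HIGH", "SSLv3", "SHA"}),
    ("AES128-SHA",         {"RSA", "AES", "MEDIUM", "SSLv3", "SHA"}),
    ("RC4-SHA",            {"RSA", "RC4", "MEDIUM", "SSLv3", "SHA"}),
    ("ADH-AES128-SHA",     {"ADH", "DH", "AES", "MEDIUM", "SSLv3", "SHA"}),
    ("EXP-RC4-MD5",        {"RSA", "RC4", "EXP", "MD5", "SSLv2"}),
]

def matching(tag_expr):
    """Ciphers carrying every tag of an 'A+B' expression; 'ALL' matches all."""
    wanted = tag_expr.split("+")
    return [name for name, tags in CIPHERS
            if all(t == "ALL" or t in tags for t in wanted)]

def expand_cipher_list(spec):
    """Apply a colon-separated cipher list left to right; return the order."""
    selected = []    # current ordered selection
    killed = set()   # ciphers removed with "!" can never be added again
    for entry in spec.split(":"):
        if not entry:
            continue
        mod, expr = (entry[0], entry[1:]) if entry[0] in "+-!" else ("", entry)
        hits = matching(expr)
        if mod == "!":
            killed.update(hits)
            selected = [c for c in selected if c not in hits]
        elif mod == "-":
            # removed now, but a later plain entry may add these again
            selected = [c for c in selected if c not in hits]
        elif mod == "+":
            # only ciphers already selected move, to the end, keeping order
            moved = [c for c in selected if c in hits]
            selected = [c for c in selected if c not in hits] + moved
        else:
            selected += [c for c in hits if c not in selected and c not in killed]
    return selected

if __name__ == "__main__":
    for spec in ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
                 "ALL:!ADH:ADH", "ALL:-ADH:ADH"):
        print(spec, "->", expand_cipher_list(spec))
```

The second and third specs show the difference the text draws between "!" and "-": after "!ADH" a later "ADH" entry adds nothing, while after "-ADH" it re-adds the anonymous cipher at the end.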
