IMPORTANT NOTE! All versions of SRA prior to 1.3.1 had the telnetd side of the "-froot" bug. The SRA-1.3.1 versions have this bug fixed. Currently only the source version has been patched. The binary versions should appear this weekend.

LINUX Note: This version of SRA has not yet been updated for the FSSTND file layouts, so it still expects sralogin or login in /etc.

SRA - Secure RPC Authentication for TELNET and FTP
Version 1.3

This package provides drop-in replacements for the telnet and ftp client and server programs, which use Secure RPC code to provide encrypted authentication across the network, so that plaintext passwords are not used. The clients and servers negotiate the availability of SRA so that they work with unmodified versions. These programs require no external keyserver or ticket server, and work equally well for local or internet-wide connections.

Full sources, as well as binaries for sparc Solaris 1.x and 2.x and linux, are available. The code is based on BSD net-2 code, and should be portable to other platforms.

This package was presented at the Fourth USENIX Security Conference; a postscript version of that paper is available in net.tamu.edu:pub/security/TAMU/sra.ps.

VERSIONS:

The package announced at USENIX was version 0.9.
Version 1.0 fixed some bugs and added the Solaris 2.x compatibility.
Version 1.1 fixed yet more bugs, and added the linux port.
Version 1.2 fixed a bug with standard telnet into a solaris2 telnetd, with ftpd allowing non-standard user shells, and added some installation hints.
Version 1.3 fixed SunOS's braindamaged getpass(), which was restricting passwords to eight or fewer characters.

LATE NEWS: the sra sources have been split into two parts -- the main freely distributable portion, and a small des library that is available only to US sites. The main part contains a des stub library which can be used to roll your own version, and there is also a cookbook for using the des library from lth.se.

INSTALLING THE BINARY VERSION:

1. Get the appropriate tar file:

      net.tamu.edu:pub/security/TAMU/srabin-1.1-sparc-solaris1.tar.gz
   or net.tamu.edu:pub/security/TAMU/srabin-1.1-sparc-solaris2.tar.gz
   or net.tamu.edu:pub/security/TAMU/srabin-1.1-i386-linux.tar.gz

2. Extract the binaries in a scratch directory, for example /usr/local/sra:

      mkdir /usr/local/sra
      cd /usr/local/sra
      gzip -cd srabin-1.1-sparc-solaris1.tar.gz | tar xvf -

3. Install the binaries over the existing ones:

      cp telnet ftp /usr/bin
      chmod 755 /usr/bin/telnet /usr/bin/ftp
      cp telnetd /usr/etc/in.telnetd
      chmod 755 /usr/etc/in.telnetd
      cp ftpd /usr/etc/in.ftpd
      chmod 755 /usr/etc/in.ftpd
      cp login /etc/sralogin
      chown root /etc/sralogin
      chmod 4755 /etc/sralogin

   (NOTE1: for solaris 2.x, the daemons go in /usr/sbin rather than /usr/etc)

   (NOTE2: there may be bsd versions of telnet and ftp in /usr/ucb, so either delete them, or make sure /usr/bin is earlier in your path)

   (NOTE3: the sra login *must* be installed as /etc/sralogin. Do not overwrite your standard login. For linux, there is no new login provided, as it is not needed.)

   (NOTE4: on Solaris 2.x, root access to incoming ftp may be prevented by the omission of its shell (/sbin/sh) from /etc/shells. Similarly, incoming root access to telnet is controlled by the /etc/default/login "CONSOLE" line.)

   (NOTE5: telnetd doesn't like the "standard" tcp wrapper inetd.conf invocation line, which typically looks something like:

      ".... /usr/local/bin/tcpd /usr/etc/in.telnetd in.telnetd"

   The simple fix is to omit the final "in.telnetd" on the line.)

INSTALLING THE SOURCE VERSION:

1. Get the source distribution:

      net.tamu.edu:pub/security/TAMU/srasrc-1.3.tar.gz
      net.tamu.edu:pub/security/TAMU/srasrc-des-1.3.tar.gz

   or see the READ_ME in the main source's SRA/lib/libdes for instructions for getting a des version for non-US sites.

2. Extract the sources in any desired location:

      gzip -cd srasrc-1.3.tar.gz | tar xf -
      gzip -cd srasrc-des-1.3.tar.gz | tar xf -

   This will create an SRA subdirectory.

3. The top level Makefile has some lines defined for Solaris1, Solaris2, and linux. Make sure the appropriate set is uncommented.

3a. IMPORTANT NOTE: the telnet sources depend on using the /usr/ucblib version of libtermcap.a, NOT sun's /usr/ccs/lib version. This means that the bsd compatibility package needs to be installed, and that LD_LIBRARY_PATH needs to include /usr/ucblib. (For csh, do:

      setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/ucblib
   )

4. Build:

      make >& make.log &

   This will create the four or five binaries in the bin directory. Then follow step 3 of the binary installation.

USING SRA TELNET and FTP:

The SRA telnet and ftp clients are invoked in exactly the same way as the original bsd versions. They attempt to negotiate the SRA authentication protocol with the remote server. If either side does not support SRA, the authentication reverts to the standard user/password prompts. If both sides support SRA, a statement to that effect is printed, and local user/password prompts are given to effect the authentication. If the SRA authentication fails, telnet reverts to the standard login protocol, while ftp reverts to the command mode (not logged in), from which traditional USER commands can be issued.

For example:

(TELNET, successful SRA login)

      host# telnet host
      Trying 128.194.177.5...
      Connected to host.tamu.edu.
      Escape character is '^]'.
      Trying SRA secure login:
      User (user):
      Password:
      [ SRA accepts you ]
      Last login: Fri Oct 22 14:08:51 from host.tamu.ed
      Warning: no Kerberos tickets issued.
      Copyright (c) 1980,1983,1986,1988,1990,1991 The Regents of the University of California.
      All rights reserved.
      SunOS Release 4.1.3 (GENERIC) #3: Mon Jul 27 16:43:54 PDT 1992
      host#

(TELNET, unsuccessful SRA login)

      host# telnet host
      Trying 128.194.177.5...
      Connected to host.tamu.edu.
      Escape character is '^]'.
      Trying SRA secure login:
      User (user):
      Password:
      [ SRA refuses authentication ]
      Trying plaintext login:
      Password:
      Last login: Fri Oct 22 14:23:14 from host.tamu.ed
      SunOS Release 4.1.3 (GENERIC) #3: Mon Jul 27 16:43:54 PDT 1992
      host#

(FTP, successful SRA login)

      host# ftp host
      Connected to host.tamu.edu.
      220 host FTP server (Version 5.60) ready.
      Name (host:user):
      334 AUTH SRA OK.
      331 Password required.
      Password:
      230 User logged in.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp>

(FTP, unsuccessful SRA login)

      host# ftp host
      Connected to host.tamu.edu.
      220 host FTP server (Version 5.60) ready.
      Name (host:user):
      334 AUTH SRA OK.
      331 Password required.
      Password:
      530 Login incorrect.
      Login failed.
      ftp>

Questions/comments to: dave.safford@net.tamu.edu
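Step 3 of the binary installation as a script, added here as an example and not part of the SRA distribution: it installs the binaries into a staging root (or the live system when given an empty root), verifies the modes, catches the NOTE3 mistake of copying the SRA login over the standard login, and applies the NOTE5 fix to a tcp wrapper inetd.conf line. The Solaris 1.x layout (daemons in /usr/etc) is assumed, and the function names and the src/dest arguments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SRA distribution: step 3 of the binary
# installation (Solaris 1.x layout) with the NOTE3 and NOTE5 checks.
set -eu

sra_install() {
    src=$1        # directory where the srabin tar file was extracted
    dest=${2:-}   # staging root for testing; "" means the real filesystem
    mkdir -p "$dest/usr/bin" "$dest/usr/etc" "$dest/etc"
    for b in telnet ftp; do
        cp "$src/$b" "$dest/usr/bin/$b"
        chmod 755 "$dest/usr/bin/$b"
    done
    for d in telnetd ftpd; do
        cp "$src/$d" "$dest/usr/etc/in.$d"
        chmod 755 "$dest/usr/etc/in.$d"
    done
    # NOTE3: the SRA login goes in as /etc/sralogin; /etc/login is left alone.
    cp "$src/login" "$dest/etc/sralogin"
    [ -n "$dest" ] || chown root "$dest/etc/sralogin"   # live install only
    chmod 4755 "$dest/etc/sralogin"
}

# Check the installed modes and that sralogin did not replace the standard login.
sra_verify() {
    dest=${1:-}
    for f in usr/bin/telnet usr/bin/ftp usr/etc/in.telnetd usr/etc/in.ftpd; do
        [ -n "$(find "$dest/$f" -type f -perm 755 2>/dev/null)" ] || return 1
    done
    [ -n "$(find "$dest/etc/sralogin" -type f -perm 4755 2>/dev/null)" ] || return 1
    if [ -f "$dest/etc/login" ] && cmp -s "$dest/etc/login" "$dest/etc/sralogin"; then
        return 1    # NOTE3 violated: the standard login was overwritten
    fi
    return 0
}

# NOTE5: drop the trailing "in.telnetd" argument from a tcp wrapper inetd.conf
# line; lines for other services are printed unchanged.
fix_inetd_line() {
    printf '%s\n' "$1" |
        sed 's#\(tcpd[[:space:]]\{1,\}[^[:space:]]*in\.telnetd\)[[:space:]]\{1,\}in\.telnetd[[:space:]]*$#\1#'
}

# Live use, as root:  sra_install /usr/local/sra "" && sra_verify ""
```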