Re: Telnet and WWW

Philippe-Andre Prindeville (philipp@res.enst.fr)
Sun, 30 Jul 95 23:47:19 +0200


Date: Sun, 30 Jul 95 23:47:19 +0200
From: Philippe-Andre Prindeville <philipp@res.enst.fr>
Message-Id: <9507302347.ZM20232@jones.res.enst.fr>
In-Reply-To: Jonsm@aol.com
To: Jonsm@aol.com, www-html@www10.w3.org, www-html@w3.org
Subject: Re: Telnet and WWW

On Jul 29, 18:30, Jonsm@aol.com wrote:
> I'm working on hooking up Telnet URLs to a telnet package. These URLs can
> contain an embedded user name and password. Can someone explain to me how the
> username/password is passed back to the telnet host? Is this done using the
> telnet authenticate protocol or is it something simpler like automatically
> sending the user/pass as the first two lines of the session or is it
> something else?

I would warn against doing the later...  I haven't followed telnet
authentication developments in a  couple of years, but it seems to
me that there are hooks in telnet for supporting various
authentication and encryption schemes...

Normally, such as with your common or garden variety telnet session,
the username and password are passed in the clear, and the telnet
client is unaware of the fact that "sensitive" infomration is being
passed.  This is a weakness IMHO.

If you just sent the username and password automatically, then
the password might appear (be echoed) if the server end was slow
in turning off echo or simply announced that it wasn't accepting
logins (maybe the user limit was reached or the system was
unavailable while backups were being made, etc).  On a printing
terminal, or in a crowded room with people watching over your
shoulder, this would be A Bad Thing.

You could try using a "chat" script that had "send/expect" strings.

> Is there a newsgroup for asking telnet protocol questions? I couldn't locate
> one.

Must not have looked too hard:  telnet-ietf@timbuk.cray.com

-Philip