Security, Single Sign On and Terminal Emulation

A look at secure (and not so secure) terminal emulation and a review of Single Sign-on Support in Turbosoft's range of Windows terminal emulators.

Communications Protocols

As users of Terminal emulation there are a number of communications protocols that we can use to communicate with our host systems. Two of the most significant protocols are Telnet and SSH, both of which provide remote access to host and mainframe systems. Of these two, Telnet is the older protocol and one which has largely been superseded by SSH. The driving force for the move away from Telnet is the fact that it is entirely insecure in the way it transmits data between the client and the host. This means anyone with a packet sniffer could conceivably intercept communications and read data being sent across a network including login and password details in plain text. While this lack of security might seem incredible we need to remember Telnet originated many, many years ago in an era where we weren't quite so conscious about data security.

For some users a move to SSH based communications is not possible. One such situation where Telnet is still in use such as when communicating with an IBM host or mainframe systems. Terminal emulators connecting to IBM hosts often do so over the TN3270 or TN5250 protocols, both of which are Telnet (TN) based and able to send and receive 3270 and 5250 data streams. To ensure secure communications these connections are usually paired with Secure Sockets Layer (SSL) encryption.

Single Sign On

In addition to securing data transmission through encryption organizations may use Single Sign On (SSO) to control access and authenticate users on their network. There are many varied single sign on schemes and protocols but they share common goals in controlling user access across a collection of systems or applications with a single login or even a login process which occurs transparently and in the background from the user point of view. They offer access control and security as well as the ability to make life simpler for the end user and reduce the support burden associated with common issues like lost or forgotten passwords.

Kerberos is a well known SSO protocol which controls access to a network through issuing 'tickets' to users. A central server called the KDC or Key Distribution Center handles client requests, checking and issuing tickets which grant access to network services and locations. Kerberos is used by Microsoft in it's Windows Active Directory technology, so many users are likely being unaware that Kerberos technology is already running on their system. Kerberos is also widely supported on Unix like systems.

For software to be compatible with Kerberos it must be able to perform request and check tickets issued by the KDC. Kerberos is supported in our Windows terminal emulator TTWin and is available on request.

Certificate Express Logon (CEL), or, as it was previously known, Express Logon Facility (ELF) is an IBM created Single Sign On Protocol designed for IBM hosts and users of 3270 terminal emulation. CEL stores unique certificates for each user. When a user attempts to login to an IBM host or mainframe these certificates are then sent to a CEL server which acts an an intermediary and replaces them with username and password credentials when connecting to the host the user is seeking access to. From an end user point of view this makes the entire login process transparent. CEL is supported in TTWin 4.

Turbosoft terminal emulation software is also compatible with Citrix Single Sign On (formerly Citrix Password Manager). Citrix Single Sign On is a Windows based product which allows users to authentic once and be automatically logged into to other network hosts and services. TTWin4 is a compatible with Citrix Password Manager.