PATCH: Kerberos password authentication w/o KDC verification
R. Lindsay Todd
toddr at rpi.edu
Sat Dec 15 07:27:31 EST 2001
Folks: We use an old AFS cell with Kerberos 4. Our use of Kerberos 4 is
fairly limited; we have never needed to implement rcmd host principals
for most of our systems. Indeed, given that Kerberos 4 strips off the
domain name portion of a hostname when determining the rcmd instance, we
would not be able to do this, since we do have duplicate hostnames in
multiple subdomains.
For AFS password authentication, OpenSSH first does Kerberos password
authentication. It then attempts to get a ticket for the server's rcmd
service, in order to verify that the KDC is not being spoofed. Of
course, this fails if you do not have an rcmd service key.
For most of RPI's systems, those running Linux, Solaris, or AIX, this is
not a problem. OpenSSH uses PAM on Linux and Solaris, and AIX
"authenticate" on AIX. These external systems do not verify the KDC; if
you submit a correct Kerberos/AFS password, it will grant you tickets.
You do not need an rcmd key. However, our SGI Irix systems actually
use the built-in auth-kerb4 authentication. Since we do not have rcmd
keys, password authentication fails.
I am sure that verifying the KDC is a good thing to do... But in our
case, it causes difficulties. Verifying the KDC is not consistently
enforced, anyway. So the attached patch provides a way to turn it off.
I have implemented a server configuration option, KerberosVerifyServer,
that defaults to "yes". If it is true, then the KDC is verified, as
currently happens. If it is set to "no", then the behaviour I need, of not
verifying the KDC, is provided.
From our point of view, it would be a nice thing if this became a
standard feature of OpenSSH.
--
R. Lindsay Todd email: toddr at rpi.edu
Senior Systems Programmer phone: 518-276-2605
Rensselaer Polytechnic Institute fax: 518-276-2809
Troy, NY 12180-3590 WWW: http://www.rpi.edu/~toddr
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-kerberos-verify-server.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011214/6403445d/attachment.ksh
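To make the security-relevant point of the message concrete, here is an added toy model of the two-step check the mail describes: authenticate the password against the AS reply, then ask for an rcmd service ticket and check that it was sealed under the host's own srvtab key. This is example code written for this page; it is not OpenSSH's auth-kerb4 code, not the attached patch, and not the Kerberos 4 wire protocol. The cipher, the string-to-key function, the principal names ("alice", "rcmd.host") and the function names (`KDC`, `SpoofedKDC`, `sshd_kerberos_password_auth`, `verify_server`) are all assumptions made for the model. It shows the three situations in the mail: a genuine KDC with an rcmd key (verification passes), a genuine KDC with no rcmd principal (verification cannot succeed, the poster's problem), and a spoofed KDC that accepts any password it was told to accept (caught only when verification is on).

```python
"""Toy model of Kerberos password auth with and without KDC verification.
Added example for this page; not OpenSSH's or the patch's code."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def string_to_key(password: str) -> bytes:
    # Stand-in for Kerberos's string-to-key (assumption: the real K4 one differs).
    return hashlib.sha256(b"toy-k4-s2k|" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: hash keystream XOR plus an HMAC tag.
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    # Raises ValueError when the blob was not sealed under `key`.
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or corrupted ticket")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """A genuine KDC: holds the key of every registered principal."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)               # principal name -> key
        self.tgt_key = secrets.token_bytes(32)     # krbtgt key, never leaves the KDC

    def as_request(self, user: str):
        # AS reply: a TGT for `user`, sealed under the user's own key.
        if user not in self.keys:
            return None
        tgt = encrypt(self.tgt_key, user.encode())
        return encrypt(self.keys[user], tgt)

    def tgs_request(self, tgt: bytes, service: str):
        # TGS reply: a ticket for `service`, sealed under the service's key.
        if service not in self.keys:
            return None                            # no rcmd principal ever created
        try:
            client = decrypt(self.tgt_key, tgt)
        except ValueError:
            return None                            # not a TGT we issued
        return encrypt(self.keys[service], client + b"|" + service.encode())


class SpoofedKDC:
    """Attacker-run KDC: seals the AS reply under a key derived from a
    password the attacker chose, so that password 'verifies' at sshd."""

    def __init__(self, attacker_password: str):
        self.key = string_to_key(attacker_password)

    def as_request(self, user: str) -> bytes:
        return encrypt(self.key, encrypt(self.key, user.encode()))

    def tgs_request(self, tgt: bytes, service: str) -> bytes:
        # It does not have the host's rcmd key, so it can only forge.
        return encrypt(secrets.token_bytes(32), b"forged")


def sshd_kerberos_password_auth(kdc, user: str, password: str,
                                host_rcmd_key, verify_server: bool = True) -> bool:
    """Model of the server-side check; `verify_server` plays the role of
    the proposed KerberosVerifyServer option (assumed name/semantics)."""
    reply = kdc.as_request(user)
    if reply is None:
        return False
    try:
        tgt = decrypt(string_to_key(password), reply)
    except ValueError:
        return False            # password does not open the AS reply
    if not verify_server:
        return True             # KerberosVerifyServer no: trust the KDC reply as-is
    ticket = kdc.tgs_request(tgt, "rcmd.host")
    if ticket is None or host_rcmd_key is None:
        return False            # no rcmd principal or no srvtab key: cannot verify
    try:
        contents = decrypt(host_rcmd_key, ticket)
    except ValueError:
        return False            # not sealed under our key: the KDC is spoofed
    return contents == user.encode() + b"|rcmd.host"


if __name__ == "__main__":
    host_key = string_to_key("rcmd-srvtab")       # constructed host key
    real = KDC({"alice": string_to_key("correct-horse"), "rcmd.host": host_key})
    no_rcmd = KDC({"alice": string_to_key("correct-horse")})
    fake = SpoofedKDC("letmein")
    for label, kdc, pw, hk, verify in [
        ("real KDC, verify on", real, "correct-horse", host_key, True),
        ("real KDC, no rcmd key, verify on", no_rcmd, "correct-horse", None, True),
        ("real KDC, no rcmd key, verify off", no_rcmd, "correct-horse", None, False),
        ("spoofed KDC, verify on", fake, "letmein", host_key, True),
        ("spoofed KDC, verify off", fake, "letmein", host_key, False),
    ]:
        print(f"{label}: {sshd_kerberos_password_auth(kdc, 'alice', pw, hk, verify)}")
```

The model makes the trade-off in the message visible: turning verification off is exactly what lets a site without rcmd keys log in, and exactly what lets an attacker who can answer KDC traffic log in with a password of their own choosing.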