AFS and tokenforwarding

Simon Wilkinson sxw at
Fri Oct 5 03:58:24 EST 2001

> If the token is forwarded before authentication then you don't know if
> the server is really who you think it is, so you might be forwarding
> your token to an impostor. Ooops.

But, assuming this is a Kerberos token you are discussing, is the
token not protected by being encrypted with the session key, which in
turn is encrypted with the server's host key?

So, an imposter could get something to brute force, but they could get
that via a passive attack anyway.

I would agree however, that forwarding a TGT _before_ the users credentials
have been accepted seems theoretically wrong, however practically safe it
may be.



More information about the openssh-unix-dev mailing list