AFS and tokenforwarding

Bjoern Groenvall bg at
Fri Oct 5 05:15:23 EST 2001

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

Nicolas> If the token is forwarded before authentication then you
Nicolas> don't know if the server is really who you think it is, so
Nicolas> you might be forwarding your token to an impostor. Ooops.

I don't think any of the ssh (at least v1) authentication mechanisms
really authenticate the server. A masquerading server can always
forward the authentication information to the real server and use that
response as a legitimate reply. Thus you may still be passing
credentials down to an impostor. Either way you do it, you can always
be fooled. A similar problem exists with the common "pass passwords in
the clear" methods used by ssh. Hopefully this is fixed in v2 but I
never really bothered to check.


  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg at, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 

More information about the openssh-unix-dev mailing list