AFS and tokenforwarding
Bjoern Groenvall
bg at sics.se
Fri Oct 5 05:15:23 EST 2001
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:
Nicolas> If the token is forwarded before authentication then you
Nicolas> don't know if the server is really who you think it is, so
Nicolas> you might be forwarding your token to an impostor. Ooops.
I don't think any of the ssh (at least v1) authentication mechanisms
really authenticate the server. A masquerading server can always
forward the authentication information to the real server and use that
response as a legitimate reply. Thus you may still be passing
credentials down to an impostor. Either way you do it, you can always
be fooled. A similar problem exists with the common "pass passwords in
the clear" methods used by ssh. Hopefully this is fixed in v2 but I
never really bothered to check.
/Björn
--
Bjorn Gronvall (Björn Grönvall)
Swedish Institute of Computer Science
PO Box 1263, S-164 29 Kista, Sweden
Email: bg at sics.se, Phone +46 -8 633 15 25
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30
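An added toy model (not code from this thread or from OpenSSH) of the relay Björn describes: an impostor forwards the real server's challenge to the client and the client's answer back, and is accepted whenever the answer is not bound to the identity the client believes it is talking to. The key, host-key strings and HMAC scheme are constructed for illustration only.

```python
import hmac
import hashlib
import os
from typing import Optional

def respond(shared_key: bytes, challenge: bytes, server_identity: Optional[bytes]) -> bytes:
    """Client's answer to a challenge.
    Unbound (server_identity is None): MAC over the challenge alone.
    Bound: the MAC also covers the server identity the client thinks it sees,
    so an answer produced for one server is useless at another."""
    msg = challenge if server_identity is None else challenge + b"|" + server_identity
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def verify(shared_key: bytes, challenge: bytes, response: bytes,
           server_identity: Optional[bytes]) -> bool:
    """Server-side check; the real server always uses its own identity."""
    expected = respond(shared_key, challenge, server_identity)
    return hmac.compare_digest(expected, response)

# Constructed values; nothing here is a real key or host key.
KEY = b"constructed-shared-secret"
REAL_ID = b"ssh-rsa REAL-SERVER-HOSTKEY (constructed)"
FAKE_ID = b"ssh-rsa IMPOSTOR-HOSTKEY (constructed)"

def honest_login(bind_to_server: bool) -> bool:
    """Client talks directly to the real server."""
    challenge = os.urandom(16)
    ident = REAL_ID if bind_to_server else None
    return verify(KEY, challenge, respond(KEY, challenge, ident), ident)

def relayed_login(bind_to_server: bool) -> bool:
    """Impostor sits between client and real server and forwards both
    the challenge and the client's answer unchanged.  Returns True when
    the real server accepts the relayed answer."""
    challenge = os.urandom(16)                 # issued by the real server
    # The client is actually connected to the impostor, so a bound answer
    # covers the impostor's identity, not the real server's.
    client_answer = respond(KEY, challenge, FAKE_ID if bind_to_server else None)
    return verify(KEY, challenge, client_answer, REAL_ID if bind_to_server else None)
```

Without binding, `relayed_login(False)` succeeds exactly as the message warns; with binding, the honest path still works while the relayed answer fails at the real server.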