AFS and tokenforwarding

Nicolas Williams Nicolas.Williams at ubsw.com
Fri Oct 5 05:23:59 EST 2001


I was thinking that AFS token passing would be mixed with Kerberos
network authentication. If it's Kerberos V then I'd expect mutual auth
to be used.

Then again, I've ever used SSHv1 with Kerberos -- only SSHv2 with
GSS/Kerberos (thanks to Simon Wilkinson's patches) and SSH w/ GSS *does*
require mutual authentication.

So how will you make AFS token passing in SSHv2?

I think you'll need to store .ssh dirs not in home directories, but
somewhere that allows world readability. With Secure NFS this problem
goes away since any client with root/fqdn at REALM principals gets read
access as "nobody" so that, if ~/.ssh and ~/.ssh/authorized_keys* are
world-readable, then sshd can read them before installing the user's
creds (alternatively, it can install them early, then remove them if
authorization fails).

Nico


On Thu, Oct 04, 2001 at 09:15:23PM +0200, Bjoern Groenvall wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:
> 
> Nicolas> If the token is forwarded before authentication then you
> Nicolas> don't know if the server is really who you think it is, so
> Nicolas> you might be forwarding your token to an impostor. Ooops.
> 
> I don't think any of the ssh (at least v1) authentication mechanisms
> really authenticate the server. A masquerading server can always
> forward the authentication information to the real server and use that
> response as a legitimate reply. Thus you may still be passing
> credentials down to an impostor. Either way you do it, you can always
> be fooled. A similar problem exists with the common "pass passwords in
> the clear" methods used by ssh. Hopefully this is fixed in v2 but I
> never really bothered to check.
> 
> /Björn
> 
> -- 
>   _     _                                               ,_______________.  
> Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
> Swedish Institute of Computer Science                  |               ||
> PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
> Email: bg at sics.se, Phone +46 -8 633 15 25              |      Cat      |/
> Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.




More information about the openssh-unix-dev mailing list