AFS and tokenforwarding

Bjoern Groenvall bg at
Fri Oct 5 05:43:29 EST 2001

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

Nicolas> I was thinking that AFS token passing would be mixed with
Nicolas> Kerberos network authentication. If it's Kerberos V then I'd
Nicolas> expect mutual auth to be used.

Yes, kerberos mutual authentication is used, however it is used the
wrong way. A masquerading server can use the real server as an
oracle. Thus mutual authentication is used, but it does not really
provide any mutual authentication.

Nicolas> Then again, I've ever used SSHv1 with Kerberos -- only SSHv2
Nicolas> with GSS/Kerberos (thanks to Simon Wilkinson's patches) and
Nicolas> SSH w/ GSS *does* require mutual authentication.

Hopefully this is done right in v2, I don't enough about v2 though.

Nicolas> So how will you make AFS token passing in SSHv2?

I don't really now enough about the details of v2 authentication and
session key generation. In theory, it should be possible to pass the
token (encrypted) along with the authentication information in such a
format so that only a legitimate server can unpack the token. If this
matches the v2 model, I simply don't know.


  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg at, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 

More information about the openssh-unix-dev mailing list