AFS and tokenforwarding

Bjoern Groenvall bg at sics.se
Fri Oct 5 05:49:42 EST 2001


>>>>> "Dug" == Dug Song <dugsong at monkey.org> writes:

>> The user should not forward a TGT before the server has been
>> authenticated. With ssh v1 this is however not possible, regardless
>> if this is done before or after user authentication the server is
>> still not properly authenticated.

Dug> ?

Dug> SSH-1 krb4 support requires the server to return the incremented
Dug> challenge successfully encrypted with the session key.

You can use the real server to increment the challenge for you. The
Kerberos session key is only used for this. The Kerberos session key
should really, really be used to change the ssh session key so that the
tunnel between client and masquerading server breaks.

Cheers,
Björn

-- 
  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg at sics.se, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 
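
The point made in the reply above, as an added example that is not part of the original message or of any OpenSSH code: a simplified model in which the incremented-challenge check passes no matter who terminates the tunnel, while mixing the Kerberos session key into the ssh session key makes a relayed session fail key confirmation. HMAC-SHA256 stands in for the Kerberos encryption, and every name here (`Endpoint`, `session_accepted`, the `key-confirm` label) is hypothetical.

```python
import hashlib
import hmac
import os


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Endpoint:
    """One side of the connection: a Kerberos session key plus a tunnel key."""

    def __init__(self, krb_key: bytes, tunnel_key: bytes):
        self.krb_key, self.tunnel_key = krb_key, tunnel_key

    def answer(self, challenge: int) -> bytes:
        # Stand-in for "incremented challenge encrypted with the session key".
        return mac(self.krb_key, ((challenge + 1) % 2**32).to_bytes(4, "big"))

    def rekey(self) -> None:
        # Binding step: the new tunnel key depends on BOTH keys.
        self.tunnel_key = mac(self.krb_key, b"rekey" + self.tunnel_key)

    def confirm(self) -> bytes:
        return mac(self.tunnel_key, b"key-confirm")


def session_accepted(relayed: bool, bind: bool) -> bool:
    """Return True if the client ends up trusting the session."""
    krb = os.urandom(32)                  # known to client and real server only
    t_client = os.urandom(32)             # ssh session key of the client's tunnel
    # A masquerading server terminates the client's tunnel and opens its own
    # tunnel to the real server, so the two tunnel keys differ.
    t_server = os.urandom(32) if relayed else t_client
    client, server = Endpoint(krb, t_client), Endpoint(krb, t_server)

    challenge = int.from_bytes(os.urandom(4), "big")
    reply = server.answer(challenge)      # passed along unchanged when relayed
    if not hmac.compare_digest(reply, client.answer(challenge)):
        return False
    if not bind:
        return True                       # nothing ties the reply to the tunnel
    client.rekey()
    server.rekey()
    # The middle party lacks krb, so it cannot compute either new key.
    return hmac.compare_digest(client.confirm(), server.confirm())


if __name__ == "__main__":
    for relayed in (False, True):
        for bind in (False, True):
            print(f"relayed={relayed} bind={bind} ->", session_accepted(relayed, bind))
```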



More information about the openssh-unix-dev mailing list