AFS and tokenforwarding
Dug Song
dugsong at monkey.org
Fri Oct 5 07:00:44 EST 2001
On Thu, Oct 04, 2001 at 09:49:42PM +0200, Bjoern Groenvall wrote:
> You can use the real server to increment the challenge for you. The
> kerberos session key is only used for this. The kerberos session key
> should really really be used to change the ssh session key so that the
> tunnel between client and masquerading server breaks.

yes, there's been argument over this before as well, and whether to
just GSSify all of SSH anyhow, since there's so much overlap. :-/

hrr, an easy interim solution would be to encrypt the SSH session key
(or an HMAC of the challenge with the key) with the Kerberos session
key, however nasty this is...

-d.
---
http://www.monkey.org/~dugsong/
More information about the openssh-unix-dev mailing list
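
The binding idea discussed in this thread, as an added example that is not part of the original message or of OpenSSH: the client MACs an identifier of the SSH tunnel it actually sees under the Kerberos session key, so a masquerading server that relays the Kerberos exchange ends up with a tag the real server rejects. HMAC-SHA256, the label string, the function names and the use of a session identifier (standing in for the session key or challenge mentioned above) are all assumptions; the thread specifies no wire format.

```python
import hashlib
import hmac
import os

LABEL = b"ssh-krb-binding"  # hypothetical domain-separation label


def binding_tag(krb_session_key: bytes, ssh_session_id: bytes) -> bytes:
    """MAC the identifier of the local SSH tunnel under the Kerberos session key."""
    return hmac.new(krb_session_key, LABEL + ssh_session_id, hashlib.sha256).digest()


def server_accepts(krb_session_key: bytes, own_ssh_session_id: bytes,
                   tag_from_client: bytes) -> bool:
    """Real server recomputes the tag over ITS view of the tunnel and compares."""
    expected = binding_tag(krb_session_key, own_ssh_session_id)
    return hmac.compare_digest(expected, tag_from_client)


def simulate(relayed: bool) -> bool:
    """Return True if the real server accepts the client's binding tag.

    All values are constructed for illustration.
    """
    # Shared only by client and real server (delivered inside the ticket).
    krb_key = os.urandom(32)
    # Identifier of the tunnel the client negotiated with whoever answered.
    client_side_id = os.urandom(32)
    # With a masquerading server in the middle there are two separate SSH
    # tunnels, so the real server sees a different identifier.
    server_side_id = os.urandom(32) if relayed else client_side_id
    tag = binding_tag(krb_key, client_side_id)
    return server_accepts(krb_key, server_side_id, tag)


def relay_can_forge() -> bool:
    """A relay that knows both tunnel ids but not the Kerberos key tries to forge."""
    krb_key = os.urandom(32)
    server_side_id = os.urandom(32)
    guessed_key = os.urandom(32)  # relay has no access to krb_key
    forged = binding_tag(guessed_key, server_side_id)
    return server_accepts(krb_key, server_side_id, forged)


if __name__ == "__main__":
    print("direct connection accepted:", simulate(relayed=False))
    print("relayed connection accepted:", simulate(relayed=True))
    print("relay forgery accepted:", relay_can_forge())
```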