AFS and tokenforwarding

Dug Song dugsong at
Fri Oct 5 07:00:44 EST 2001

On Thu, Oct 04, 2001 at 09:49:42PM +0200, Bjoern Groenvall wrote:

> You can use the real server to increment the challenge for you. The
> Kerberos session key is only used for this. The Kerberos session key
> should really really be used to change the ssh session key so that the
> tunnel between client and masquerading server breaks.

yes, there's been argument over this before as well, and whether to
just GSSify all of SSH anyhow, since there's so much overlap. :-/

hrr, an easy interim solution would be to encrypt the SSH session key
(or an HMAC of the challenge with the key) with the Kerberos session
key, however nasty this is...
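
The binding discussed in this message, as an added example that is not part of the original thread and is not OpenSSH code: the challenge is HMACed with the SSH session key, and the result is tied to the Kerberos session key, so a response relayed through a masquerading server fails on the real server's tunnel. Assumptions: a second HMAC keyed with the Kerberos session key stands in for "encrypt", SHA-256 is an arbitrary hash choice, and all function names and key values are constructed for illustration.

```python
import hashlib
import hmac

def binding_tag(krb_session_key: bytes, ssh_session_key: bytes, challenge: bytes) -> bytes:
    """Tie a Kerberos challenge response to one SSH tunnel.

    inner: HMAC of the challenge keyed with the SSH session key.
    outer: keyed with the Kerberos session key, standing in for "encrypt"
           (assumption: a MAC is enough because the verifier can recompute it).
    """
    inner = hmac.new(ssh_session_key, challenge, hashlib.sha256).digest()
    return hmac.new(krb_session_key, inner, hashlib.sha256).digest()

def server_accepts(krb_session_key: bytes, own_ssh_session_key: bytes,
                   challenge: bytes, tag: bytes) -> bool:
    """Real server recomputes the tag with the key of the tunnel it terminates."""
    expected = binding_tag(krb_session_key, own_ssh_session_key, challenge)
    return hmac.compare_digest(expected, tag)

def demo() -> tuple[bool, bool]:
    # Constructed sample values, not real key material.
    krb_key = bytes.fromhex("11" * 32)      # known to client and real server only
    challenge = bytes.fromhex("22" * 16)    # issued by the real server
    direct_key = bytes.fromhex("33" * 32)   # one tunnel: client <-> real server
    client_leg = bytes.fromhex("44" * 32)   # client <-> masquerading server
    server_leg = bytes.fromhex("55" * 32)   # masquerading server <-> real server

    # Direct connection: both ends hold the same SSH session key.
    direct = server_accepts(krb_key, direct_key, challenge,
                            binding_tag(krb_key, direct_key, challenge))
    # Relayed connection: the client binds to its own leg; the relay lacks
    # krb_key, so it can only forward the tag, which fails on the other leg.
    relayed = server_accepts(krb_key, server_leg, challenge,
                             binding_tag(krb_key, client_leg, challenge))
    return direct, relayed

if __name__ == "__main__":
    print(demo())
```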



More information about the openssh-unix-dev mailing list