Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Booker Bense bbense at SLAC.Stanford.EDU
Fri May 16 05:19:09 EST 2003

On Fri, 16 May 2003, Damien Miller wrote:

> Booker Bense wrote:
> >> The changes to the server to support kerberos-2 at are about 30
> >> lines of new code in two files.
> >
> > - In my experience, that pretty much means they've got it wrong
> > somewhere. Using the api correctly generally requires much more
> > code than this. I will take a look today and try and provide
> > useful comments.
> It is only 30 lines of new code as it is near-identical to the protocol
> 1 KrbV auth method. i.e. we got to reuse our existing infrastructure.

- There are two problems with both implementations.

1. They don't use krb5_init_secure_context on the server side.

2. They don't check the mutual authentication packet that
   is returned from the server. Also, I would much rather
   see the server drop the connection if the client does
   not request mutual authentication.

- The first is probably just nitpicking since it's not clear to
me whether that code runs in a setuid executable or not[1]. But
the second IMHO is fatally flawed. You could argue that it's not
necessary given that the host is already authenticated via the
TSL layer, but it's a flaw that can be exploited. IMHO, checking
the mutual authentication is a requirement when you also
implement tgt forwarding.

- Booker C. Bense

[1]- If it does there is a potential security hole.
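An added example, not code from this thread or from OpenSSH, of the server-side policy argued for above: decode the APOptions field of a Kerberos AP-REQ (a DER BIT STRING of KerberosFlags per RFC 4120) and refuse the authentication when the client did not set mutual-required. The sample byte strings are constructed by hand, not captured traffic.

```python
# Added example (not from the thread): decode the APOptions of an AP-REQ and
# apply the rule "drop the connection if the client does not request mutual
# authentication". Sample bytes below are constructed, not captured.

MUTUAL_REQUIRED = 2   # APOptions bit 2 (RFC 4120, section 5.5.1)
USE_SESSION_KEY = 1   # APOptions bit 1
RESERVED = 0          # APOptions bit 0


def decode_kerberos_flags(der: bytes) -> set:
    """Parse a DER BIT STRING carrying KerberosFlags; return the set bits.

    RFC 4120: bit 0 is the most significant bit of the first octet, and
    encoders must emit at least 32 bits. Only short-form lengths are handled,
    which is enough for a flags field."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}


def server_accepts(ap_options_der: bytes) -> bool:
    """Server policy: accept only AP-REQs that demand mutual authentication,
    so the peer is committed to verifying the AP-REP we send back.
    Malformed input is treated as a rejection, never as acceptance."""
    try:
        flags = decode_kerberos_flags(ap_options_der)
    except ValueError:
        return False
    return MUTUAL_REQUIRED in flags


# Constructed samples: BIT STRING, 0 unused bits, four flag octets.
APOPT_MUTUAL = bytes.fromhex("03050020000000")   # only mutual-required set
APOPT_NONE = bytes.fromhex("03050000000000")     # no options set
```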
