Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Simon Wilkinson sxw at inf.ed.ac.uk
Fri May 16 17:57:55 EST 2003


On Fri, 16 May 2003, Damien Miller wrote:
> Simon Wilkinson wrote:
> Could you summarise these arguments here?

The key problems with the ssh.com kerberos-2 support are:
*) It doesn't perform mutual authentication
*) It passes a TGT without authenticating the server
*) It allows the use of a TGT _as a means of authentication_

IIRC these problems also existed in the original ssh-1 code, but were
fixed in other trees before you adopted Dan Kouril's patches via FreeBSD.
The only means of fixing them is to change the underlying protocol.

It's harder in protocol v2, due to the way in which the ssh.com support
is implemented in userauth. Passing a kerberos TGT _without_
authenticating the server, in the manner of the kerberos-tgt exchange,
really isn't acceptable.

> If people dislike kerberos-2 at ssh.com support, they are free to disable it.

The problem is that you are providing Kerberos support based on a flawed,
and possibly broken, protocol. People that don't read this mailing list
won't be aware of that, and so won't know that they really should disable
it unless they know what they're doing.

Cheers,

Simon.
