Openssh + AFS

Simon Wilkinson sxw at inf.ed.ac.uk
Thu May 29 03:44:30 EST 2008



On 28 May 2008, at 17:19, Douglas E. Engert wrote:
>>
>> I would like to propose an initial credential exchange phase. The client
>> might send ticket, x509-creds, afs-tokens or whatever. This should not
>> authenticate the user, but help in authentication with other methods.
>> If activation of these credentials allows access to the AFS home dir,
>> standard ssh-key authentication can be done.
>
> Not clear if there is a risk here. Any delegated tickets are encrypted
> in a key contained in the Kerberos service ticket. So in effect you have
> authenticated with Kerberos but you still want to authenticate with the
> SSH keys. If this SSH key authentication fails, you have given away the
> delegated tickets.

OpenSSH had (almost) this behaviour, which was considered a security
flaw, and removed. The problem is that a user can inadvertently give
away their credentials, by allowing another user to use ssh from
their console. For example, say that Alice allows Bob to use her
machine to connect to a server. Bob enters his username and password,
but ends up with Alice's credentials on the server.

In most Kerberised environments, ssh public key is pretty much
useless, as without Kerberos credentials you can't do anything at all
- I'm not sure what the benefit to adding significant additional
complexity to the protocol to allow their use in these environments is.

S.
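The ordering problem described in this message, modelled as an added illustration (not OpenSSH code and not part of the original post): a toy server session that activates forwarded credentials in a pre-authentication "credential exchange" phase is compared with one that holds them until the user has authenticated and the delegating principal is authorized for the target account. The principals, passwords and the principal-to-account table are constructed stand-ins for the real Kerberos and krb5_kuserok-style checks.

```python
"""Toy model of credential delegation ordering in an SSH-like server.

Constructed illustration of the risk discussed on the list: if forwarded
tickets are activated before user authentication, whoever authenticates on
that connection (or nobody) ends up owning them.  Not OpenSSH code.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Credential:
    principal: str  # e.g. "alice@EXAMPLE.ORG" (constructed)
    kind: str       # "krb5-tgt", "afs-token", ...


@dataclass
class Session:
    target_user: str                 # account the client asked to log in as
    authenticated: bool = False
    installed: list = field(default_factory=list)   # credentials live in the session
    pending: Optional[Credential] = None            # held until auth succeeds


# Constructed stand-ins for the password database and for the
# principal -> local account authorization check (krb5_kuserok / .k5login).
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}
AUTHORIZED_PRINCIPALS = {
    "alice": {"alice@EXAMPLE.ORG"},
    "bob": {"bob@EXAMPLE.ORG"},
}


# --- naive ordering: the proposed "initial credential exchange phase" ------

def naive_exchange(sess: Session, cred: Credential) -> None:
    """Credentials are activated as soon as they arrive, before any
    authentication has happened and regardless of who they belong to."""
    sess.installed.append(cred)


def naive_password_auth(sess: Session, password: str) -> bool:
    ok = PASSWORDS.get(sess.target_user) == password
    sess.authenticated = ok
    return ok  # installed credentials stay in place whether or not this succeeded


# --- strict ordering: delegate only inside a successful, authorized auth ---

def strict_delegation(sess: Session, cred: Credential) -> bool:
    """Hold the credential, and only if its principal may act as the target
    account.  Nothing is installed yet; returns whether it was accepted."""
    if cred.principal not in AUTHORIZED_PRINCIPALS.get(sess.target_user, set()):
        return False
    sess.pending = cred
    return True


def strict_password_auth(sess: Session, password: str) -> bool:
    ok = PASSWORDS.get(sess.target_user) == password
    if ok:
        sess.authenticated = True
        if sess.pending is not None:
            sess.installed.append(sess.pending)
    # Success or failure, nothing lingers outside an authenticated session.
    sess.pending = None
    return ok


def run_console_scenario(strict: bool, target_user: str, password: str,
                         forwarded: Credential):
    """Bob types a username and password at Alice's console; the client
    forwards whatever credential cache that console holds (Alice's).
    Returns (authenticated, principals now installed in the session)."""
    sess = Session(target_user=target_user)
    if strict:
        strict_delegation(sess, forwarded)
        strict_password_auth(sess, password)
    else:
        naive_exchange(sess, forwarded)
        naive_password_auth(sess, password)
    return sess.authenticated, [c.principal for c in sess.installed]


if __name__ == "__main__":
    alice_tgt = Credential("alice@EXAMPLE.ORG", "krb5-tgt")
    for strict in (False, True):
        label = "strict" if strict else "naive "
        print(label, "bob/ok   ->", run_console_scenario(strict, "bob", "hunter2", alice_tgt))
        print(label, "alice/bad->", run_console_scenario(strict, "alice", "wrong", alice_tgt))
```

In the naive flow Bob logs in as bob with his own password yet the session holds Alice's ticket, and a failed login still leaves the ticket behind on the server; the strict flow installs Alice's ticket only in a session that authenticated as alice and drops it otherwise.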



More information about the openssh-unix-dev mailing list