Openssh + AFS
Simon Wilkinson
sxw at inf.ed.ac.uk
Thu May 29 03:44:30 EST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28 May 2008, at 17:19, Douglas E. Engert wrote:
>>
>> I would like to propose an initial credential exchange phase. The
>> client
>> might send ticket, x509-creds, afs-tokens or whatever. This should
>> not
>> authenticate the user, but help in authentcation with other methods.
>> If activation of these credentials allows access to the AFS home dir,
>> standard ssh-key authentication can be done.
>
> Not clear if there is a risk here. Any delegated tickets are encrypted
> in a key contained in the the Kerberos service ticket. So in effect
> you have
> authenticated with Kerberos but you still want to authenticate with
> the
> SSH keys. If this SSH key authentication fails, you have given away
> the
> delegated tickets.
OpenSSH had (almost) this behaviour, which was considered a security
flaw, and removed. The problem is that a user can inadvertently give
away their credentials, by allowing another user to use ssh from
their console. For example, say that Alice allows Bob to use her
machine to connect to a server. Bob enters his username and password,
but ends up with Alice's credentials on the server.
In most Kerberised envrionments, ssh public key is pretty much
useless, as without Kerberos credentials you can't do anything at all
- - I'm not sure what the benefit to adding significant additional
complexity to the protocol to allow their use in these environments is.
S.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFIPZn+qWndc26pXmcRAnE9AJsFPp4JEdUvOx/MaEirqHBeDmjqEQCgpE3b
//bIOF19kBcl9AwAp5xc0ps=
=V8c6
-----END PGP SIGNATURE-----
More information about the openssh-unix-dev
mailing list