[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kerberos support in ssh/lsh

> server tries to get a kerberos ticket on the client's behalf, and if
> that succeeds, the client is considered authorized. It's an extra plus

You've fallen into the standard "screensaver" trap, also known as the
"Zanarotti Attack".  This design-flaw-exploit goes back to the early
(1985 or so) versions of ksu.

Basically, getting a TGT and successfully decrypting it *MEANS
NOTHING* in regard to security.  The essence of the attack is that at
the same time I send the username to the target machine, I flood it
with "kdc responses" that are encrypted in a password/key I know.  The
server then sends off the TGT request, reads an answer, gets the one I
sent; tries to decrypt it with the password I supply, and succeeds.

The fix is straightforward: actually *perform* an authentication step
(krbtgt fetching isn't one.)  Usually this means turning around and
getting a ticket for host/(local host name), *and validating it*
against the keytab/srvtab.  You should find code in login to take care
of all of these details, in fact it should be abstracted out into an
API of its own (see Marc Horowitz' work in Cygnus V5 Kerbnet, years

> 3. fork() and exec() the real kinit program. To do this, the interface

Perhaps you instead need to fork/exec a real *login* program, and pass
the decision (and the rest of the login process) off to it...

> Suggestions on how to support kerberos the Right Way (i.e. have the
> client transmit a kerbetros ticket rather than a password) would also

Yes, both using *and optionally forwarding* a ticket is what people
expect from krb5 ssh (at least that's what the version used at MIT
Athena already supports.)

> I'll appreciate any advice. I'd also like to know if there is any docs
> that can help me get started with kerberos. I have had a quick look at

You might also get the documentation tree from MIT Kerberos, which
doesn't have export restrictions itself... comp.protocols.kerberos has
a useful FAQ, or at least used to, with pointers to list archives and
			_Mark_ <eichin@thok.org>
			The Herd Of Kittens