
Re: kerberos support in ssh/lsh



> server tries to get a kerberos ticket on the client's behalf, and if
> that succeeds, the client is considered authorized. It's an extra plus

You've fallen into the standard "screensaver" trap, also known as the
"Zanarotti Attack".  This design-flaw-exploit goes back to the early
(1985 or so) versions of ksu.

Basically, getting a TGT and successfully decrypting it *MEANS
NOTHING* in regard to security.  The essence of the attack is that at
the same time I send the username to the target machine, I flood it
with "kdc responses" that are encrypted in a password/key I know.  The
server then sends off the TGT request, reads an answer, gets the one I
sent; tries to decrypt it with the password I supply, and succeeds.
*boom*.

The fix is straightforward: actually *perform* an authentication step
(krbtgt fetching isn't one.)  Usually this means turning around and
getting a ticket for host/(local host name), *and validating it*
against the keytab/srvtab.  You should find code in login to take care
of all of these details, in fact it should be abstracted out into an
API of its own (see Marc Horowitz' work in Cygnus V5 Kerbnet, years
ago.)

> 3. fork() and exec() the real kinit program. To do this, the interface

Perhaps you instead need to fork/exec a real *login* program, and pass
the decision (and the rest of the login process) off to it...

> Suggestions on how to support kerberos the Right Way (i.e. have the
> client transmit a kerberos ticket rather than a password) would also

Yes, both using *and optionally forwarding* a ticket is what people
expect from krb5 ssh (at least that's what the version used at MIT
Athena already supports.)

> I'll appreciate any advice. I'd also like to know if there are any docs
> that can help me get started with kerberos. I have had a quick look at

You might also get the documentation tree from MIT Kerberos, which
doesn't have export restrictions itself... comp.protocols.kerberos has
a useful FAQ, or at least used to, with pointers to list archives and
tutorials.
			_Mark_ <eichin@thok.org>
			The Herd Of Kittens
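
The difference between the two checks discussed in the message above, as an added example that is not part of the original post or of any ssh/lsh or Kerberos code. It is a toy model: seal/unseal stand in for Kerberos encryption, and all class names, function names, passwords and keys are constructed for illustration.

```python
import hashlib, hmac, os

def key_from(password):            # toy string-to-key
    return hashlib.sha256(password.encode()).digest()

def seal(key, payload):            # toy stand-in for Kerberos encryption
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key, blob):             # returns payload, or None if the key is wrong
    tag, payload = blob[:32], blob[32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None

class RealKDC:
    def __init__(self, passwords, host_key):
        self.user_keys = {u: key_from(p) for u, p in passwords.items()}
        self.host_key = host_key
    def as_rep(self, user):        # TGT reply: session key under the user's key
        return seal(self.user_keys[user], os.urandom(16))
    def host_ticket(self, session):  # ticket for host/<local host>, under the host key
        return seal(self.host_key, session)

class SpoofedKDC:                  # replies from a sender without the realm's keys
    def __init__(self, chosen_password):
        self.key = key_from(chosen_password)
    def as_rep(self, user):
        return seal(self.key, os.urandom(16))
    def host_ticket(self, session):
        return seal(os.urandom(32), session)   # it cannot know the host key

def tgt_only_login(kdc, user, password):
    # Quoted design: "TGT decrypts with the supplied password" == authorized.
    return unseal(key_from(password), kdc.as_rep(user)) is not None

def verified_login(kdc, user, password, keytab_key):
    session = unseal(key_from(password), kdc.as_rep(user))
    if session is None:
        return False
    # The authentication step: the host ticket must validate against the keytab.
    return unseal(keytab_key, kdc.host_ticket(session)) == session

def demo():
    keytab = os.urandom(32)                       # constructed host key
    real, fake = RealKDC({"alice": "correct horse"}, keytab), SpoofedKDC("anything")
    return {
        "real/good": (tgt_only_login(real, "alice", "correct horse"),
                      verified_login(real, "alice", "correct horse", keytab)),
        "real/bad": (tgt_only_login(real, "alice", "guess"),
                     verified_login(real, "alice", "guess", keytab)),
        "spoofed": (tgt_only_login(fake, "alice", "anything"),
                    verified_login(fake, "alice", "anything", keytab)),
    }
```

Each tuple from demo() is (TGT-only result, keytab-verified result); only the keytab check rejects the spoofed replies. In MIT krb5 the library call that performs this verification is krb5_verify_init_creds().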