Slashdot Mirror


Kerberos Support In OpenSSH

Dan writes "Marshall Vale writes on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Marshall says that Kerberos support within OpenSSH may be incomplete and needs more work. In particular, implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms will better serve the needs of the Kerberos community. Secondly, he says that they would like to reduce user confusion associated with all of the different options for Kerberos and SSH. He suggests adoption of the GSSAPI key exchange mechanism in the IETF draft (which uses Kerberos to authenticate both parties to each other), in order to avoid man-in-the-middle attacks."
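The summary contrasts plain Kerberos (GSSAPI) user authentication with the draft's GSSAPI key exchange. As an added illustration, not from the original post or from the OpenSSH project, here is what the two look like side by side in OpenSSH configuration; `example.org` and `EXAMPLE.ORG` are placeholder host and realm names. `GSSAPIKeyExchange` and `GSSAPITrustDNS` are not upstream OpenSSH keywords: they come from the gssapi-keyex patch (draft-ietf-secsh-gsskeyex, later RFC 4462) that distributions such as Debian and Red Hat carry, and a stock OpenSSH rejects them as unknown options.

```text
# --- Client (~/.ssh/config) ---
Host *.example.org
    # GSSAPI (Kerberos) user authentication: available in stock OpenSSH.
    # It authenticates the user to the server, but the server is still
    # identified only by its host key, so known_hosts and
    # StrictHostKeyChecking remain the defence against a man-in-the-middle.
    GSSAPIAuthentication yes
    # Do not forward the ticket-granting ticket to the server unless it is
    # needed there; a compromised server could otherwise act as you elsewhere.
    GSSAPIDelegateCredentials no

    # GSSAPI key exchange: only in builds carrying the gssapi-keyex patch.
    # Kerberos authenticates both sides inside the key exchange itself, so a
    # MITM that lacks the host/<fqdn>@EXAMPLE.ORG service key cannot complete
    # it, and the SSH host key is not relied on to identify the server.
    GSSAPIKeyExchange yes
    # Keep DNS canonicalisation off: deriving the service principal from an
    # untrusted DNS answer reintroduces a spoofing path.
    GSSAPITrustDNS no

# --- Server (/etc/ssh/sshd_config) ---
GSSAPIAuthentication yes
GSSAPIKeyExchange yes          # patched builds only
GSSAPICleanupCredentials yes   # remove forwarded credentials at logout
# The server needs a host/<fqdn>@EXAMPLE.ORG key in /etc/krb5.keytab.
```

A quick way to tell which build you have: `ssh -G somehost.example.org` prints the effective options on a patched client, while a stock OpenSSH stops with "Bad configuration option: gssapikeyexchange". With only `GSSAPIAuthentication`, treat an unexpected host key change exactly as you would without Kerberos.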

5 of 122 comments

  1. Re:Time for Linux to catch up? by tempmpi · Score: 4, Insightful

    Linux has had Kerberos and IPSec for a long time, too. This is not a Linux vs. Windows thing; it is about the best way to use Kerberos authentication for SSH.

    --
    Jan
  2. Re:ssh and telnet by Surak · Score: 4, Insightful

    Secure IMAP with Kerberos support. :-P

  3. Re:ssh and telnet by jarkko · Score: 5, Insightful

    All UNIX and Linux distros should have cleartext protocols disabled by default.

    I still use telnet, ftp and even rsh as well and I don't feel insecure about it. Transport-mode IPSec between hosts really helps a lot here...

    The "moronic passwords"-issue comes mainly from pop3 and different web-sessions these days. What the world really needs is opportunistic IPSec.

  4. Re:ssh and telnet by isa-kuruption · Score: 5, Insightful

    I will paraphrase a quote from Mr Bruce Schneier:

    "No matter what security measures you implement, the end users are still the weakest link in the chain."

    I think it speaks for itself. Passwords can be brute forced via secure protocols as well. Passwords can be copied from stick-it notes on people's monitors, or from knowing their maiden name.

    While cleartext protocols should be disabled, many places use them... a LOT. And while I know SSH can replace most of their functionality, many places have scripts that have been running for years that would need man power to rewrite (even if changing only one line), which makes it difficult for many organizations to decide this is a priority.

    Heck, I had a hell of a time convincing our organization to move from SSHv1 to SSHv2 due to the man-in-the-middle attacks.

  5. Re:RSA? by Mark+Bainter · Score: 5, Insightful

    Yes. Scenario: 500 *nix servers, team of 10 administrators. Solution 1: Each user gets a login created on each machine, and then they login, create an ssh key, and distribute the public key to all other machines. Later, when that person leaves, all those keys and all those user accounts get deleted. (Given, you could use NIS/LDAP/etc to try and alleviate the user-account side of the issue. But you didn't mention that as part of your RSA solution, and note that each of these solutions has potential inherent security problems.) Solution 2: Setup kerberos. Authenticate all users for all machines securely from one location. Add and delete user accounts from one location.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison