Slashdot Mirror


Kerberos Support In OpenSSH

Dan writes "Marshall Vale writes on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Marshall says that Kerberos support within OpenSSH may be incomplete and needs more work. In particular, implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms will better serve the needs of Kerberos community. Secondly, he says that they would like to reduce user confusion associated with all of the different options for Kerberos and SSH. He suggests adoption of the GSSAPI key exchange mechanism in the IETF draft (which uses Kerberos to authenticate both parties to each other), in order to avoid man-in-the-middle attacks."

11 of 122 comments

  1. ssh and telnet by ih8apple · · Score: 3, Interesting

    To avoid moronic passwords being captured over cleartext telnet or ftp sessions, I think telnet and ftp should be disabled across the world with very limited exceptions. All UNIX and Linux distros should have cleartext protocols disabled by default. Once one account is compromised, the rest of a system usually goes very easily. Regardless of adding Kerberos support in OpenSSH, any kind of ssh or sftp connection immediately improves the worldwide crackability situation. (and yes, I just made up the word crackability=ease of access for crackers)

  2. Windows 2K/XP and Kerberos by tigersha · · Score: 4, Interesting

    Is it possible to log in to an Active Directory Domain and use those credentials for Kerberos? I am not an expert on this but AFAIK Microsoft uses a somewhat bastardized version of Kerberos for Active Directory. I am interested in using those tickets to authenticate with Normal SSH (the Windows version from SSH Labs) from my Windows box. Is this possible?

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  3. AFS token forwarding for SSHV2? by dpilot · · Score: 2, Interesting

    Does this mean we might get afs token forwarding for SSHV2? (I actually *read* the article, and couldn't glean that out of it.) Currently it appears to be possible to get afs token forwarding, but only for SSHV1. Proper token forwarding would enable ssh deployment in an afs shop.

    Or with Kerberos authentication does token forwarding no longer matter, because it's not needed?

    --
    The living have better things to do than to continue hating the dead.
  4. Advantage? by quantum+bit · · Score: 2, Interesting

    So exactly what advantage does this have over

    rlogin -x $HOSTNAME

    ? I'm talking about the Kerberized rlogin, of course (possibly known as krlogin to some of you linux users). The -x means to force encryption of the entire session.

  5. Re:kerberos+ssh+putty by ave19 · · Score: 2, Interesting

    Okay, I made a throw away email address for this. Send me a note and I'll hook you up the best I can:

    kputty@jaccard.us

    Thanks!

    --
    ...or maybe not.
  6. Kerberos + Windows AD by Anonymous Coward · · Score: 1, Interesting

    Personally I would LOVE to see OpenSSH with Kerberos support, but to be honest I'm sure a lot of you guys have Windows desktops (or at least a lot of your users do) like me. What I would like to see is a Windows SSH client that supports the Kerberos TGT that Windows gets for you when you sign into an AD domain and actually works. The one from Reflection doesn't seem to work with OpenSSH+kerberos patch.

  7. Re:ssh and telnet, sftp and ftp by autechre · · Score: 2, Interesting

    I know that telnet is still necessary in some settings due to legacy accounting systems (the particular one I have in mind is by HP, IIRC) that simply don't have a replacement. It can also be used to remotely configure some printers and routers, which shouldn't be accessible (via login) from the outside anyway.

    The telnet client can also be used as a diagnostic tool, though netcat is better.

    --
    WMBC freeform/independent online radio.
  8. Re:RSA? by More+Trouble · · Score: 2, Interesting

    The main advantage of using Kerberos for key exchange is the elimination of the known_hosts file, and the tendency for ssh users to accept any old key offered by the server the first time they connect. This common behavior exposes the user to the risk of man-in-the-middle attacks. If I've tricked your stack into connecting to me instead of the host you thought you were getting, I can spoof both ends of the connection and intercept your traffic in the clear.

    Sadly, recent implementations of MIT Kerberos automatically reverse DNS names. So, if I can spoof the user's target DNS name to point to my blackhat machine, the Kerberos libraries will cheerfully reverse my IP address to get the Kerberos principal for authentication.

    :w

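As an added illustration of the reverse-DNS point in the comment above (not code from MIT Kerberos or from the poster): a small model of how the `host/` service principal is derived from the name the user typed, with and without reverse lookup, over constructed DNS data. The `rdns` and `dns_canonicalize_hostname` names mirror the krb5.conf `[libdefaults]` settings that later MIT releases added for exactly this reason; the zone data, addresses and realm are made up.

```python
"""Model of service-principal derivation with and without reverse-DNS
canonicalization.  Added illustration; the DNS tables are constructed."""

REALM = "EXAMPLE.NET"

# Constructed zone data.  The forward record for fileserver.example.net has
# been poisoned to point at 198.51.100.9 (the real address is 192.0.2.10),
# and the PTR record for 198.51.100.9 is under the spoofer's control.
FORWARD = {
    "files.example.net": ("CNAME", "fileserver.example.net"),
    "fileserver.example.net": ("A", "198.51.100.9"),   # poisoned
    "evil.example.net": ("A", "198.51.100.9"),
}
REVERSE = {
    "198.51.100.9": "evil.example.net",
    "192.0.2.10": "fileserver.example.net",
}


def canonicalize(hostname, dns_canonicalize=True, rdns=True):
    """Return the host name used to build host/<name>@REALM.

    Order of operations modelled on MIT krb5: follow CNAMEs when
    dns_canonicalize_hostname is on, then, when rdns is on, replace the
    result with the PTR name of the address it resolved to.
    """
    name = hostname.lower().rstrip(".")
    ip = None
    if dns_canonicalize:
        seen = set()
        while name in FORWARD and FORWARD[name][0] == "CNAME":
            if name in seen:
                raise ValueError("CNAME loop for %s" % hostname)
            seen.add(name)
            name = FORWARD[name][1]
        if name in FORWARD:
            ip = FORWARD[name][1]
    if rdns and ip is not None and ip in REVERSE:
        name = REVERSE[ip]          # this is the step the comment objects to
    return name


def service_principal(hostname, dns_canonicalize=True, rdns=True):
    """Principal the client will ask the KDC for a service ticket to."""
    return "host/%s@%s" % (canonicalize(hostname, dns_canonicalize, rdns), REALM)


if __name__ == "__main__":
    for rdns in (True, False):
        print("rdns=%-5s %s" % (rdns, service_principal("files.example.net", rdns=rdns)))
```

With `rdns` on, the poisoned forward record plus the spoofer's own PTR yields a principal whose key the spoofer's host holds; with it off, the ticket is issued for the name the user meant, which only the real fileserver can decrypt.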
  9. Big win for government by morrison · · Score: 2, Interesting

    This is great news for government sites/labs where Kerberos with pre-hardware authentication (SecureID) is standard or even mandated. As it is, many sites have to remove the existing ssh installation, only to install a custom Kerberized version of ssh.

    (e.g. http://kirby.hpcmp.hpc.mil/)

    Having Kerberos in the default install should ease one of the many headaches government sysadmins have to endure.

    --
    Cheers!
    Sean
  10. Re:The previous flamefest over this.. by Anonymous Coward · · Score: 1, Interesting

    And has there been any attempt by anyone to either

    1. Audit the GSSAPI patch and GSSAPI libraries?
    2. Split the one large patch into manageable, incremental changes?

    If not, then Theo's objections still apply, and this whole thing is just more pissing and moaning that "we have a patch and those bastard developers are ignoring us."

  11. Support OpenSSH development... by Anonymous Coward · · Score: 1, Interesting

    Support the OpenSSH developers by getting a 3.3 CD: $40 or for Europe EUR 45

    There is a new T-shirt: 3.3 T-shirt $20 or for Europe EUR 20

    The new 3.3 poster is very nice too, get it for $10 US or EUR 14 in Europe

    Support OpenSSH, have a look at this new T-shirt OpenSSH 2 $20 or for Europe EUR 20

    thank you.