Slashdot Mirror
Kerberos Support In OpenSSH
Dan writes "Marshall Vale writes on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Marshall says that Kerberos support within OpenSSH may be incomplete and needs more work. In particular, implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms will better serve the needs of Kerberos community. Secondly, he says that they would like to reduce user confusion associated with all of the different options for Kerberos and SSH. He suggests adoption of the GSSAPI key exchange mechanism in the IETF draft (which uses Kerberos to authenticate both parties to each other), in order to avoid man-in-the-middle attacks."
Is there any advantage to using this over the already-usable RSA key authentication in SSH?
To avoid moronic passwords being captured over cleartext telnet or ftp sessions, I think telnet and ftp should be disabled across the world with very limited exceptions. All UNIX and Linux distros should have cleartext protocols disabled by default. Once one account is comprised, the rest of a system usually goes very easily. Regardless of adding Kerberos support in OpenSSH, any kind of ssh or sftp connection immediately improves the worldwide crackability situation. (and yes, I just made up the word crackability=ease of access for crackers)
Why do I h8 apple?
Linux has had Kerberos and IPSec for long time, too. This is not a Linux vs. Windows thing, it is about the best way to use Kerberos authentification for SSH.
Jan
By the way, I've been using Kerberos in Slackware Linux in 1996. Does it fell to your definition of "forever"?
Less is more !
Moderators on crack again?
Unix systems have had Kerberos forever, via both commercial implementations and the MIT reference implementations. Linux DISTRIBUTIONS largely haven't had them, but that's because of the hassles with US export controls in place until recently. Anyone likely to use Kerberos also knew how to build the MIT reference implementation from scratch, if necessary.
Windows is actually a "Johnny-come-lately" - I had been working on unofficial Debian packages of the MIT Krb5 packages for about 3 years when MS announced Windows would use Kerberos in new products, and as usual they attempted to add their own unpublished proprietary crap to it. I (and many other people) didn't mind them adding add'l field specific to the W2K client model, but there was no need for the initial draconian non-disclosure policies.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
it would be funny if there was a goatse article on slashdot, and all the goatse trolls were on topic.
IS is possible to log in to an Active Directory Domain and use those credntials for Kerberos. I am not an expert on this but AFAIK Microsft uses a somewhat bastartized version of Kerberos for Active Directory. I am interested in tusing thos tickets to authenticate with Normal SSH (the Windows version from SSH Labs) from my Windows box. Is this possible?
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
There are other parties interested in Kerberos?
Idol Star Astronomer
Yes it is BSD, it's an OpenBSD project.
Spyder
i have a mod for putty that can do gssapi+kerberos auth for users. windows client to the linux/unix openssh servers.
we're beta testing (or will start soon) but it works!
respond if you're interested...
...or maybe not.
I think telnet and ftp should be disabled across the world with very limited exceptions. All UNIX and Linux distros should have cleartext protocols disabled by default.
I would agree 100% with this, some *NIX flavours do this already, notable NetBSD and OpenBSD, and I suspect FreeBSD does also, though TBH that's guessing. With SSH available there really is no need that I can think of off hand (I'm sure someone can think up a counter argument) for telnet to still exist, and the only reason for plain ftp to still exist is because all those fully featured ftp clients (download managers, resumers, etc) are implemented with plain ftp instead of sftp. If they are well enough written however, it shouldn't take much effort to re-write these to use sftp instead. While Kerberos is a definate improvement, the difference between telnet and SSH is far huger than the difference between SSH without Kerberos and SSH with Kerberos.
Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
Does this mean we might get afs token forwarding for SSHV2? (I actually *read* the article, and couldn't glean that out of it.) Currently it appears to be possible to get afs token forwarding, but only for SSHV1. Proper token forwarding would enable ssh deployment in an afs shop.
Or with Kerberos authentication does token forwarding no longer matter, because it's not needed?
The living have better things to do than to continue hating the dead.
Well, Pop3 can be fairly secure, pop3 over ssl.
I have my own SMTP & pop3 server, and I have compiled my POP3 daemon with ssl support, and I use outlook to connect, securely on pop3, at least no cleartext password exchange there.
Althought it doesn't change anything in the man-in-the-middle problem.
One problem only, as the SSL certificate has been signed by myself, when outlook reconnect to the server first time it is run, it says the certificate is unknown.
So exactly what advantage does this have over
rlogin -x $HOSTNAME
? I'm talking about the Kerberized rlogin, of course (possibly known as krlogin to some of you linux users). The -x means to force encryption of the entire session.
kerberos authentication via gssapi in openssh was available in linux before it was available in windows. i know, cause i did some of the work.
...or maybe not.
OpenSSH has also been modified to support the Grid Security Infrastructure (GSI) used by Globus.
The ssh-krb5 package has been in debian for, well, years... it works OK .. ironically I'm ditching kerberos soon because it's a lot of hassle, since the token keeps expiring at precisely the wrong moment just as I want to do something, plus it's difficult to switch users since you can only have one ticket at a time - PKI with forwarding is a lot easier.
I am unable to get to the article (slashdotted) but there is an already existing GSSAPI patch for OpenSSH here: patch.
.. is two doors down on the left.
$ find
Kerberos authentication has been in openssh for a while, IIRC. What openssh lacks is kerberos ticket passing. Authentication works by validating your kerberos ticket against a KDC, or validating your password against the KDC. #2 has been there. I believe #1 has as well. Ticket passing allows your ticket to be forwarded to the next server, so you can *again* login in to another system. If you don't pass tickets, you need to kinit on each system before you can ssh.
And BTW, kerberos 5 sysadmins can disable non-encrypted services, so rsh/rlogin/telnet/ftp/etc can mandate encryption or fail the connections.
Now all they have to do is make Kerberos as easy to install as openssh. Last time I had to deal with kerberos, it was like removing my own spleen. And it never even worked well when I used it -- like most other MIT standards, it was a pig and had an archaeic interface. And the expiration mechanism still sucks.
I've finally had it: until slashdot gets article moderation, I am not coming back.
"draft-ietf-secsh-gsskeyex"
Yeah! Well, your mother!
..implementing draft-ietf-secsh-gsskeyex in addition to ..
Ahh yes. draft-ietf-secsh-gsskeyex.
Encryption so secure you need a key just to decipher the name!
:)
I welcome our new 99% overlords.
I often hear about man-in-the-middle attacks in theory but I've heard of one in practice. Can someone point me to some documentation about an incident where data was compromised by a MITM?
I know that telnet is still necessary in some settings due to legacy accounting systems (the particular one I have in mind is by HP, IIRC) that simply don't have a replacement. It can also be used to remotely configure some printers and routers, which shouldn't be accessible (via login) from the outside anyway.
The telnet client can also be used as a diagnostic tool, though netcat is better.
WMBC freeform/independent online radio.
This is great news for government sites/labs where Kerberos with pre-hardware authentication (SecureID) is standard or even mandated. As it is, many sites have to remove the existing ssh installation, only to install a custom Kerberized version of ssh.
(e.g. http://kirby.hpcmp.hpc.mil/)
Having Kerberos in the default install should ease one of the many headache's government sysadmins have to endure.
Cheers!
Sean
Since Kerberos was clearly developed with intent to run on the Unix platform, it is therefore a "derivative work" of Unix, and hence automatically becomes the Intellectual Property of SCO. You can be certain SCO is now *very* interested in the matter.
The problem is that the current version of OpenSSH does an aklog with krb4, which may or may not work without additional patching (i.e. changing the aklog code to use krb5) depending on how your sshd handles the krb libs.