host/*@REALM tickets with ssh, DNS

Josh Huber huber at alum.wpi.edu
Fri Aug 9 13:55:22 EDT 2002


Thanks for the reply...

Dennis Davis <ccsdhd at bath.ac.uk> writes:

>>From: Josh Huber <huber at alum.wpi.edu>
>>Newsgroups: gmane.comp.encryption.kerberos.general
>>Subject: host/*@REALM tickets with ssh, DNS
>>Reply-To: Josh Huber <huber+dated+1029271255.ad7bce at alum.wpi.edu>
>>Date: Fri, 09 Aug 2002 11:38:30 -0400
>
> ...

Hmm, I would have thought gmane would re-write those headers?
(i.e. remove the Newsgroups header...)

This is the first time I've actually posted through gmane, was there
something wrong with it?  (please reply privately about this...)

If this is causing trouble, I'll just subscribe to the list.

> Probably nothing wrong.  I've often seen this with KerberosIV and
> some KerberosV code contains comments that indicate that this will
> happen.  To quote:
>
>  * Verify the Kerberos ticket-granting ticket just retrieved for the
>  * user.  If the Kerberos server doesn't respond, assume the user is
>  * trying to fake us out (since we DID just get a TGT from what is
>  * supposedly our KDC). If the host/<host> service is unknown (i.e.,
>  * the local keytab doesn't have it), return success but log the error.
>
> ... and I'm sure others will provide a better explanation.

Hmm, for some reason this doesn't really help me at all.  Perhaps I'm
being dense.  The main concern I had was based on the understanding
that things work this way:

1) I prove my identity to the KDC and am issued a ticket.

2) The ssh daemon proves its identity to the KDC using the stored
   keytab file (which I do NOT have permissions to), and is issued a
   ticket.

3) Each entity (myself and the sshd) can communicate with each other
   securely, knowing that the KDC authenticated each member in the
   communication.

Now, if I have a ticket for host/hostname at REALM, doesn't this mean
that I could prove (wrongly) that I am that principal, or am I off
base here?  It just seems like I shouldn't be able to authenticate as
that principal unless I know the key (or have permissions to read the
keytab file).

Thanks again,
-- 
Josh Huber
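An added toy model of the three-step flow in the message above (my own example, not code from the thread and not real Kerberos cryptography): the service ticket for host/hostname is sealed under the host's keytab key, so a client holding it can prove its own identity to sshd, but cannot open the ticket or speak as the host principal. The `seal`/`unseal` primitive, the keys and the principal names are all constructed for illustration.

```python
import hashlib, hmac, json, os

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos enctype (constructed)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Constructed long-term key: the KDC database and sshd's keytab both hold it; the user never does.
KEYTAB = {"host/hostname@REALM": os.urandom(32)}
CLIENT = "huber@REALM"

def kdc_issue_service_ticket(cname: str, sname: str):
    """Steps 1-2 collapsed: the KDC seals the ticket under the *service's* key, so the
    client can carry it but cannot read or forge it; it only learns the session key."""
    session_key = os.urandom(32)
    return seal(KEYTAB[sname], {"cname": cname, "key": session_key.hex()}), session_key

def client_ap_req(cname: str, ticket: bytes, session_key: bytes, now: int):
    """Step 3, client side: ticket plus an authenticator under the session key."""
    return ticket, seal(session_key, {"cname": cname, "ts": now})

def sshd_accept(keytab_key: bytes, ap_req, now: int, skew: int = 300) -> str:
    """Step 3, sshd side: open the ticket with the keytab key, then check that the
    authenticator was made with the ticket's session key and names the same client."""
    ticket, authenticator = ap_req
    t = unseal(keytab_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["cname"] != t["cname"] or abs(a["ts"] - now) > skew:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]

def can_impersonate_host(ticket: bytes, session_key: bytes) -> bool:
    """What the ticket holder cannot do: without the keytab key it cannot open its
    own host/hostname ticket, so it has nothing that lets it act as that principal."""
    try:
        unseal(session_key, ticket)
        return True
    except ValueError:
        return False
```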