ssh-krb5 problems

Douglas E. Engert deengert at anl.gov
Wed Sep 22 10:32:56 EDT 2004



rachel elizabeth dillon wrote:

> I just tested this properly with a 1.3.4 implementation I built for someone else
> recently; I was incorrect. The only time that the KDC is not queried is if you
> do not have tickets to begin with. If you have valid realm tickets but try to
> log in with something like "ssh -l fakename valid.host.com", the KDC will 
> be queried. I expect this is probably reasonable behavior in both cases.
> (The KDC _will_ be queried if you are using PAM to authenticate via Kerberos
> with password-interactive, also.)
> 
> Sorry to mislead; I tested briefly but didn't actually check to see if I had
> tickets before I did so.
> 

There is still a leak in the gssapi case. Using SecureCRT to OpenSSH-3.9 with a
local user not in the /etc/passwd file, the client shows:

[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : GSS SPN : host at orleans.ctd.anl.gov
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : [GSS/1.3.5.1.5.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]

Using a valid user in /etc/passwd but with a principal not in the user's .k5login:

[LOCAL] : GSS SPN : host at orleans.ctd.anl.gov
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : [GSS/1.3.5.1.5.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS  : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [2604 bytes]
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]

In the first case, it failed at the negotiate phase, before any tickets were
obtained. In the second it failed after getting tickets, and sending the gss session was
established.


> -r.
> 
> 
> On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
> 
>>On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
>>
>>>1. Are you trying to ssh as a user that exists on the other machine?
>>>If the user does not exist in the other machine's /etc/passwd, then
>>>I don't believe the KDC will ever be queried.
>>
>>That sounds like an undesirable leak of information from the server, if 
>>that's true.
>>
>>Ken
>>
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
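
Added example, not part of the original message: a Python check that parses the client trace lines quoted above and reports the stage at which the gssapi-with-mic attempt failed, so an administrator testing a server build can see whether the two cases are answered differently. The function names and stage labels are assumptions introduced here; the trace lines are taken from the message.

```python
import re

# Trace lines copied from the two client sessions quoted in the message above.
UNKNOWN_USER = """\
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
"""
PRINCIPAL_NOT_IN_K5LOGIN = """\
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS  : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [2604 bytes]
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
"""

# Only SENT/RECV lines are protocol events; GSS status lines are ignored.
EVENT = re.compile(r"^\[LOCAL\] : (SENT|RECV) : (\w+)")

def gssapi_exchange(trace):
    """Events from the gssapi-with-mic request up to the server's verdict."""
    events, started = [], False
    for line in trace.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        event = m.groups()
        if not started:
            # Skip earlier failures (e.g. the reply that lists the methods).
            started = event == ("SENT", "USERAUTH_REQUEST") and "[gssapi-with-mic]" in line
            if not started:
                continue
        events.append(event)
        if event[0] == "RECV" and event[1] in ("USERAUTH_FAILURE", "USERAUTH_SUCCESS"):
            break
    return events

def failure_stage(trace):
    """'at-negotiation' if rejected before any token, 'after-context' otherwise."""
    messages = [msg for _, msg in gssapi_exchange(trace)]
    if not messages or messages[-1] != "USERAUTH_FAILURE":
        return "no-failure"
    return "after-context" if "USERAUTH_GSSAPI_TOKEN" in messages else "at-negotiation"

def responses_differ(trace_a, trace_b):
    """True when the server's failure point distinguishes the two cases."""
    return failure_stage(trace_a) != failure_stage(trace_b)

if __name__ == "__main__":
    print(failure_stage(UNKNOWN_USER), failure_stage(PRINCIPAL_NOT_IN_K5LOGIN))
```
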

