Is a replay attack possible when using SSH2(or other protected service) as the kerberized service?

Henning Horst horst.h at
Fri Jul 22 05:18:08 EDT 2011

Hi Mailinglist,

I would like to ask the following:

Is a replay attack possible when using SSH2+method with gssapi-with-mic
as the kerberized service? Or to put it more general:
Is it possible to do a replay attack against the application server when
the connection between the client and the application server is secured

From what I've read and learned from the Kerberos protocol - the answer
is NO, but I would really appreciate confirmation or correction on that.

In RFC4120, section 3.2.2, , "Generation of a KRB_AP_REQ" it says:

"  To use a ticket, the client constructs a new Authenticator from the
   time and its name, and optionally from an application-specific
   checksum, an initial sequence number to be used in KRB_SAFE or
   KRB_PRIV messages, and/or a session subkey to be used in negotiations
   for a session key unique to this particular session.  Authenticators
   MUST NOT be re-used and SHOULD be rejected if replayed to a server."


1 - Authenticator is always generated on client and only send to
application server.

2 - If this connection is secured properly there should be no way of
stealing the authenticator

3 - If this connection is secured properly there should be no way of
stealing the service ticket

4 - The service ticket can also not be stolen from within the
KRB_TGS_REP because that packet is encrypted with the client's key

From 1-4 and the assumption that the connection is secured properly,
there should be no way of doing a replay attack against the application
server. Please confirm or correct!

Now regarding the secure connection:

In the concrete case from me it is an SSH2 connection (maybe there are
some ssh2 experts around here as well). The Kerberos exchange between
the client and the server is done via the method gssapi-with-mic (rfc
4462). Here it is relatively obvious that this connection is  secure
since gssapi-with-mic takes place on SSH layer 2 - [SSH-AUTH]. If the
SSH2 connection state comes to this subprotocol the [SSH-TRANS]
sub-protocol has already established a secure transport connection, esp.
providing server authentication, encryption and integrity.

Thus - replay attack against the application server is not possible when
the client to server connection uses SSH2 with gssapi-with-mic. Please
confirm or correct!

Last but not least  - what about if using SSH2 authentication method
gssapi-keyex (rfc 4462) ? In this method the Diffie-Hellman key exchange
(SSH2 layer 1 [SSH-TRANS]) is done based on GSS, with security service
Kerberos in this case. The actual user authentication (SSH2 layer 2
[SSH-AUTH]) is then based on that key exchange. How about a replay
attack in that scenario?

Thanks a lot in advance,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list