Is a replay attack possible when using SSH2 (or other protected service) as the kerberized service?
Henning Horst
horst.h at derooter.org
Fri Jul 22 16:42:55 EDT 2011
Thanks Nico for your remarks, too!! I really appreciate these swift
responses from you guys!! Thanks again, and have a nice weekend as well!!
Henning
On 07/22/2011 08:09 PM, Nico Williams wrote:
> No replay attack is possible against SSHv2 with gssapi-with-mic nor
> gssapi-keyex, not in SSHv2 itself. This is true regardless of whether
> the server uses a replay cache. The MIC token used serves to ensure
> this since it authenticates a quantity that is not fully under control
> of the client (nor the server), that being the SSHv2 session ID (which
> is derived from the SSHv2 key exchange and key exchange messages).
>
> However, if you do also use rsh or rlogin and don't require that the
> session be protected, then it could be possible to replay a Kerberos
> GSS exchange from SSHv2 in rsh/rlogin, but only if the attacker could
> get their hands on those context tokens. The only attacker that could
> do that is the client, and the client can always try a replay attack
> anyways, which is to be defeated via replay caching on the
> server-side.
>
> If you had nothing but SSHv2 services using the "host" service then
> you could technically forgo the replay cache altogether on the
> server-side because the way SSHv2 uses GSS is impervious to replays.
>
> Nico
> --
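To make the binding Nico describes concrete, here is an added illustration (not code from the thread, OpenSSH or MIT Kerberos): it models the SSHv2 session ID as a hash over both sides' key-exchange messages and uses HMAC-SHA256 as a stand-in for GSS_GetMIC over the RFC 4462 gssapi-with-mic fields. A MIC captured from one session fails verification in a later session because the server's fresh KEXINIT changes the session ID; all names and the hash construction are simplifying assumptions.

```python
import hashlib
import hmac
import os

def session_id(client_kexinit: bytes, server_kexinit: bytes) -> bytes:
    """Simplified SSHv2 exchange hash: the server's contribution is fresh per
    connection, so the client alone cannot fix the value (assumption: SHA-256
    over the two KEXINIT messages stands in for the real exchange hash H)."""
    return hashlib.sha256(client_kexinit + server_kexinit).digest()

def userauth_mic_payload(sess_id: bytes, user: str) -> bytes:
    # Fields RFC 4462 requires the gssapi-with-mic MIC to cover: session id,
    # SSH_MSG_USERAUTH_REQUEST (50), user name, service name, method name.
    return (sess_id + bytes([50]) + user.encode()
            + b"ssh-connection" + b"gssapi-with-mic")

def make_mic(ctx_key: bytes, payload: bytes) -> bytes:
    # Stand-in for GSS_GetMIC under the established context's integrity key.
    return hmac.new(ctx_key, payload, hashlib.sha256).digest()

def verify_mic(ctx_key: bytes, payload: bytes, mic: bytes) -> bool:
    # Stand-in for GSS_VerifyMIC; constant-time comparison.
    return hmac.compare_digest(make_mic(ctx_key, payload), mic)

def run_scenario() -> tuple:
    """Returns (live_ok, replay_ok): the honest client's MIC verifies in its
    own session, the same MIC replayed into a new session does not."""
    ctx_key = os.urandom(32)          # constructed: shared GSS context key
    client_kexinit = b"C-KEXINIT:" + os.urandom(16)   # constructed sample
    # Session 1: honest client authenticates.
    sid1 = session_id(client_kexinit, b"S-KEXINIT:" + os.urandom(16))
    mic1 = make_mic(ctx_key, userauth_mic_payload(sid1, "henning"))
    live_ok = verify_mic(ctx_key, userauth_mic_payload(sid1, "henning"), mic1)
    # Session 2: attacker replays the client's KEXINIT and mic1 verbatim,
    # but the server sends a fresh KEXINIT, so the session id differs.
    sid2 = session_id(client_kexinit, b"S-KEXINIT:" + os.urandom(16))
    replay_ok = verify_mic(ctx_key, userauth_mic_payload(sid2, "henning"), mic1)
    return live_ok, replay_ok

if __name__ == "__main__":
    print("live verifies: %s, replay verifies: %s" % run_scenario())
```

No server-side replay cache is consulted anywhere above; the rejection comes purely from the session ID inside the MIC'd data, which is the point of the quoted reply.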