Is a replay attack possible when using SSH2(or other protected service) as the kerberized service?

Henning Horst horst.h at
Fri Jul 22 16:42:55 EDT 2011

Thanks Nico for your remarks, too !! I really appreciate these swift
responses from you guys!! Thanks again, and have a nice weekend as well!!


On 07/22/2011 08:09 PM, Nico Williams wrote:
> No replay attack is possible against SSHv2 with gssapi-with-mic nor
> gssapi-keyex, not in SSHv2 itself.  This is true regardless of whether
> the server uses a replay cache.  The MIC token used serves to ensure
> this since it authenticates a quantity that is not fully under control
> of the client (nor the server), that being the SSHv2 session ID (which
> is derived from the SSHv2 key exchange and key exchange messages).
> However, if you do also use rsh or rlogin and don't require that the
> session be protected, then it could be possible to replay a Kerberos
> GSS excehange from SSHv2 in rsh/rlogin, but only if the attacker could
> get their hands on those context tokens.  The only attacker that could
> do that is the client, and the client can always try a replay attack
> anyways, which are to be defeated via replay caching on the
> server-side.
> If you had nothing but SSHv2 services using the "host" service then
> you could technically forgo the replay cache altogether on the
> server-side because the way SSHv2 uses GSS is impervious to replays.
> Nico
> --

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list