Date: Thu, 5 Mar 2015 20:14:59 -0500 (EST)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: Benjamin Kaduk <bjkfbsd@gmail.com>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>
Subject: Re: svn commit: r279603 - in head: bin/rcp usr.bin/rlogin usr.bin/rsh
Message-ID: <alpine.GSO.1.10.1503052000210.3953@multics.mit.edu>
In-Reply-To: <20150305151732.GA48476@zxy.spb.ru>
References: <20150305123016.GO48476@zxy.spb.ru> <20150305123053.GN17947@FreeBSD.org> <20150305123349.GP48476@zxy.spb.ru> <20150305123548.GO17947@FreeBSD.org> <48981079-C9B7-411D-87A3-5A8F04924314@FreeBSD.org> <AEB33C6A-8824-4345-81E1-95280AB20CFA@FreeBSD.org> <20150305141334.GX48476@zxy.spb.ru> <63BD8258-D2C9-4C94-8A54-63AA104871D9@FreeBSD.org> <20150305144056.GY48476@zxy.spb.ru> <CAJ5_RoBk=5C2%2BMktu_ODc7C%2BNraUhiSprtKd-=3bj%2Bb5UPT_1g@mail.gmail.com> <20150305151732.GA48476@zxy.spb.ru>
On Thu, 5 Mar 2015, Slawa Olhovchenkov wrote:

> On Thu, Mar 05, 2015 at 10:11:43AM -0500, Benjamin Kaduk wrote:
>
> > On Thu, Mar 5, 2015 at 9:40 AM, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
> >
> > Speaking as an upstream maintainer: don't use kerberized telnet.
>
> I use this to test the kerberos setup (to check that everything is set up correctly).

I use ssh to test kerberos setups (I think sshd has better error messages, for one).

The problem with using telnet to test the kerberos setup is that if your kerberos setup works with telnet, you have the DES enctypes (weak cryptography) enabled. This means that the whole setup, even things other than telnet, is suffering from the vulnerabilities of weak crypto. Kerberos distributions have disabled DES by default for many years now -- Apple has even completely removed the code for them from recent releases of OS X! Please see RFC 6649.

> > I use kerberized ssh all the time; please tell me more about how it is
> > broken (a new thread would be best).
>
> kerberized ssh is broken in SSO mode: you can't do ssh login to

I have a very different idea of what "SSO mode" means: I run kinit on my local machine and then use kerberos to authenticate to remote services. I should never type my password at something which is not a trusted local binary.

> kerberized host (from outside world), input kerberos password and use
> kerberos ticket.

"input kerberos password and use kerberos ticket" doesn't make sense -- you are not using your kerberos ticket; you are using your password. PAM is going off and getting a ticket, sure (and hopefully validating it against the host keytab to avoid the Zanarotti attack!), but it is starting with your password. That is completely at odds with how Kerberos is intended to be used.

> This is an issue between PAM and ssh thread emulation.

It does seem likely that this sort of thing would be an issue with PAM, yes. I am not particularly motivated to look into it, though.

I do recall some issue where sshd in capsicum mode was not allowed to read the keytab in order to verify the supplied Kerberos credentials, which required using UsePrivilegeSeparation=yes instead of the default value (sandbox). Perhaps that would affect the password mode of operation as well.

-Ben
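The point above is that a telnet-based test only passes when single-DES enctypes are enabled realm-wide. As an added example that is not part of this mail thread, the following audit parses a constructed krb5.conf (MIT-style [libdefaults] keys; the sample realm and KDC names are made up) and reports the settings that keep DES alive, which is the check a defender would run instead of trying kerberized telnet.

```python
import re

# Single-DES enctypes deprecated by RFC 6649, plus the "des" family alias.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1", "des"}

# Constructed sample configuration (not taken from any real host).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG          # placeholder realm
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts aes128-cts des-cbc-crc

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org            # placeholder KDC
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat 'key = value' lines.
    Nested '{ }' blocks (per-realm settings) are skipped: enctype policy
    lives in [libdefaults], which is all this audit needs."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header and depth == 0:
            section = header.group(1)
            conf.setdefault(section, {})
            continue
        if "{" in line:
            depth += 1
            continue
        if "}" in line:
            depth -= 1
            continue
        if depth == 0 and section and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def find_weak_crypto(conf):
    """List the [libdefaults] settings that enable single-DES enctypes."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto = true")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").replace(",", " ").split()
                if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists {' '.join(weak)}")
    return findings
```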