rachel elizabeth dillon wrote:
I just tested this properly with a 1.3.4 implementation I built for someone else
recently; I was incorrect. The only time that the KDC is not queried is if you
do not have tickets to begin with. If you have valid realm tickets but try to
log in with something like "ssh -l fakename valid.host.com", the KDC will be queried. I expect this is probably reasonable behavior in both cases.
(The KDC _will_ be queried if you are using PAM to authenticate via Kerberos
with password-interactive, also.)
Sorry to mislead; I tested briefly but didn't actually check to see if I had tickets before I did so.
There is still a leak in the gssapi case. Using SecureCRT to OpenSSH-3.9 with a local user not in the /etc/passwd file, the client shows:
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : GSS SPN : [EMAIL PROTECTED]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : [GSS/1.3.5.1.5.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
Using a valid user in /etc/passwd but with a principal not in the user's .k5login:
[LOCAL] : GSS SPN : [EMAIL PROTECTED]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : This mechanism might work.
[LOCAL] : [GSS/1.3.5.1.5.2] : This mechanism might work.
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [2604 bytes]
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
In the first case, it failed at the negotiate phase, before any tickets were obtained. In the second, it failed after getting tickets and sending them; the GSS session was established.
-r.
On Tue, Sep 21, 2004 at 07:20:10PM -0400, Ken Raeburn wrote:
On Sep 21, 2004, at 17:29, rachel elizabeth dillon wrote:
1. Are you trying to ssh as a user that exists on the other machine? If the user does not exist in the other machine's /etc/passwd, then I don't believe the KDC will ever be queried.
That sounds like an undesirable leak of information from the server, if that's true.
Ken
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
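The difference between the two traces above is the information leak: a server that fails a gssapi-with-mic attempt before any token is exchanged for a non-existent user, but only after the MIC for an existing one, tells the client which accounts exist. The following is an added example, not code from the thread or from OpenSSH or SecureCRT; it parses client traces in the format quoted above and reports the phase at which the attempt failed, so that two captured attempts can be compared when checking a server for this behaviour. The traces are transcribed from the thread with a placeholder realm, since the list redacted the SPN.

```python
import re
# Constructed traces transcribed from the two SecureCRT logs quoted in the
# thread; the SPN there is redacted, so a placeholder realm is used here.
TRACE_NO_USER = """\
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : GSS SPN : host/valid.host.com@REALM.PLACEHOLDER
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
"""
TRACE_BAD_K5LOGIN = """\
[LOCAL] : GSS SPN : host/valid.host.com@REALM.PLACEHOLDER
[LOCAL] : SENT : USERAUTH_REQUEST [gssapi-with-mic]
[LOCAL] : [GSS/1.2.840.113554.1.2.2] : Using this mechanism.
[LOCAL] : SENT : USERAUTH_GSSAPI_TOKEN [2604 bytes]
[LOCAL] : SENT : SSH_MSG_USERAUTH_GSSAPI_MIC
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password,keyboard-interactive]
"""
# Trace lines look like "[LOCAL] : SENT|RECV : <message> ...".
LINE_RE = re.compile(r"^\[LOCAL\] : (SENT|RECV) : (\S+)")

def gssapi_failure_phase(trace):
    """Phase at which a gssapi-with-mic attempt failed: 'negotiate' (failure
    straight after USERAUTH_REQUEST, no token exchanged), 'after-token',
    'after-mic' (context established, MIC sent), 'success', or 'none'."""
    requested = token_sent = mic_sent = False
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, msg = m.groups()
        if direction == "SENT":
            if msg == "USERAUTH_REQUEST" and "[gssapi-with-mic]" in line:
                requested = True
            elif msg == "USERAUTH_GSSAPI_TOKEN":
                token_sent = True
            elif msg == "SSH_MSG_USERAUTH_GSSAPI_MIC":
                mic_sent = True
        elif direction == "RECV" and requested:
            if msg == "USERAUTH_SUCCESS":
                return "success"
            if msg.startswith("USERAUTH_FAILURE"):  # "USERAUTH_FAILURE," keeps its comma
                if mic_sent:
                    return "after-mic"
                return "after-token" if token_sent else "negotiate"
    return "none"

def distinguishes_user_existence(trace_a, trace_b):
    """True when two failed attempts diverge in phase: the server's behaviour
    alone reveals which account exists (the leak described in the thread)."""
    return gssapi_failure_phase(trace_a) != gssapi_failure_phase(trace_b)
```

A server that does not leak would fail both attempts in the same phase, so the two traces would classify identically.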
