svn commit: r279603 - in head: bin/rcp usr.bin/rlogin usr.bin/rsh

[Slawa Olhovchenkov]

On Thu, Mar 05, 2015 at 08:14:59PM -0500, Benjamin Kaduk wrote:

> On Thu, 5 Mar 2015, Slawa Olhovchenkov wrote:
> 
> > On Thu, Mar 05, 2015 at 10:11:43AM -0500, Benjamin Kaduk wrote:
> >
> > > On Thu, Mar 5, 2015 at 9:40 AM, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> > >
> > > Speaking as an upstream maintainer: don't use kerberized telnet.
> >
> > I am use this for test kerberos setup (check all setup correctly).
> 
> I use ssh to test kerberos setups (I think sshd has better error message,
> for one).

I don't see any error message from ssh (about kerberos), ssh just ask
password if any problem. What a problem? Silent.
For debug ssh+kerberos I need stop sshd and run sshd with -D and -d.
And in this case debug messages very stranges for me.
Also, telnet use less dependes and less restrictions. This is good for
step-to-step debug.

> The problem with using telnet to test the kerberos setup is that if your
> kerberos setup works with telnet, you have the DES enctypes (weak
> cryptography) enabled.  This means that the whole setup, even things
> other

What you talk about DES? I don't see nothing about AES/DES/etc in krb5.conf.

> than telnet, are suffering from the vulnerabilities of weak crypto.
> Kerberos distributions have disabled DES by default for many years, now --
> Apple has even completely removed the code for them from recent releases
> of OS X!  Please see RFC 6649.

I don't enable DES. And I have working kerberized telnet. What you
talk about?

> > > I use kerberized ssh all the time; please tell me more about how it is
> > > broken (a new thread would be best).
> >
> > kerberized ssh broken in SSO mode: you can't do ssh login to
> 
> I have a very different idea of what "SSO mode" means: I run kinit on my
> local machine and then use kerberos to authenticate to remote
> services.  I

SSO (for me) is from Windows world: you login in desktop and don't
need to enter password anymore.

> should never type my password at something which is not a trusted local
> binary.

As I know, you can't use kerberos outside controled perimeter (with
working NTP sync, revers DNS and etc). I.e. from random [network]
place you can't run kinit on local machine [notebook] and use kerberos
to ssh login.

For may case this is requirement.

And for untrusted binary -- why don't use kerberos with OTP?

> > kerberized host (from outside world), input kerberos password and use
> > kerberos ticket.
> 
> "input kerberos password and use kerberos ticket" doesn't make sense --
> you are not using your kerberos ticket; you are using your password.
> PAM

I am use kerberos ticket for passwordless login to internal hosts
(after using password for login to gateway host).

> is going off and getting a ticket, sure (and hopefully validating it
> against the host keytab to avoid the Zanarotti attack!), but it is
> starting with your password.  That is completely at odds with how Kerberos
> is intended to be used.

Sorry, I don't understand you. Can explain?

> > This is issuse between PAM and ssh thread emulation.
> 
> It does seem likely that this sort of thing would be an issue with PAM,
> yes.  I am not particularly motivated to look into it, though.

> I do recall some issue where sshd in capsicum mode was not allowed to read
> the keytab in order to verify the supplied Kerberos credentials, which
> required using UsePrivilegeSeparation=yes instead of the default value
> (sandbox).  Perhaps that would affect the password mode of operation as
> well.

Currently, sshd for PAM (and kerberos PAM) fork child. Got ticket in
this child. And try to save ticket in parent (unsuccessful, of
course). As result -- I don't have valid ticket after ssh login.