[OpenAFS] ssh and afs

Dr A V Le Blanc Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Tue, 7 May 2002 12:20:13 +0100


On Sat, 04 May 2002 at 14:34:09, Ray Link <rlink+@pitt.edu> wrote:
> In older (pre-2.9, iirc) versions of OpenSSH, it would pass your AFS
> token across during the authentication phase
...
> Currently, however, OpenSSH doesn't accept passed AFS tokens until
> after authentication has already taken place.
...
> The general
> consensus is that this was changed because passing an AFS token before
> actual authentication happened was seen as a security risk.

I'm not sure how many AFS site managers who use OpenSSH have been
consulted.  In any case, as far as I can see, the AFS support in
OpenSSH doesn't work with a default Transarc-style setup, since it
contains a test which the Transarc kaserver fails.

Part of the risk of using token-passing is that you have to trust
the system administrator of the machine to which you are connecting.
It seems to me that, given the protection of the host key, and
given that the default action is _not_ to pass AFS tokens, the old
behaviour of OpenSSH was not at fault.  If the machine or its
administrator is dodgy, and you are forced to send your password
to him/her/it in a recoverable form, the new policy is in fact
riskier, since the password can be used to acquire new tokens (unless
you change your password after every ssh use, which is unlikely),
while the token has a limited life.

     -- Owen
     LeBlanc@mcc.ac.uk