[OpenAFS] OpenSSH 3.5p1 + ~/.shosts + token passing?

steve rader rader@ginseng.hep.wisc.edu
Mon, 11 Nov 2002 06:41:10 -0600


 > > steve rader <rader@ginseng.hep.wisc.edu> writes:
 > > Is there some compelling reason why tokens should be
 > > passed after auth?  I'd rather make new ssh servers
 > > compatible with existing clients because I'd rather
 > > not upgrade a bunch of clients.

 > From: Derek Atkins
 > Tokens are usable by whomever has them.  If you pass your token before
 > you authenticate the server, then you could be passing your token to a
 > man-in-the-middle or any other third party.  Once you do that, they
 > are effectively YOU until your tokens expire.

Ahh.  Has this problem ever actually been exploited?

 > This is why the "OLD" protocol was considered insecure.  You want to
 > remove security for convenience??

See the Subject line: I want to do rhosts with AFS
passing token.  Is it possible with stock OpenSSH
3.5p1?  If so, how?

There is always a trade-off 'tween security and
convenience, right?  Correct me if I'm wrong, but it
looks like your patch is the way to go if your notion
of security vs convenience (rightfully) falls on the
security end of the spectrum.

steve 
- - - 
systems & network guy
high energy physics
university of wisconsin