Re: SSH mediated Kerberos authenticated sudo.
daemon@ATHENA.MIT.EDU (Frank Cusack)
Mon May 16 13:12:59 2011
In-Reply-To: <201105130708.p4D78YBj025597@wind.enjellic.com>
Date: Mon, 16 May 2011 10:10:29 -0700
Message-ID: <BANLkTikWFX3u=ykfxk3ANSZ792FyrmT9_A@mail.gmail.com>
From: Frank Cusack <frank+krb@linetwo.net>
To: g.w@hurderos.org
Cc: krbdev@mit.edu, kerberos@mit.edu

On Fri, May 13, 2011 at 12:08 AM, <g.w@hurderos.org> wrote:
> The next release will have a PAM module which handles the
> authentication of the forwarded AP-REQ packet. That will eliminate
> the need for the sudo patch and provide a general mechanism for any
> application to leverage this system.
>

That sounds great.

> If the remote application can't be trusted it would seem there is a
> much higher risk associated with running that application than the
> possibility of it obtaining an application specific credential which
> authenticates the user. If the infrastructure was forwarding a TGT
> it would be a different story since in this era of addressless
> tickets that would be a much more valuable entity to obtain.
>

I think one thing that can be done is that since this is a
special/distinguished message, not just stdin/stdout handling, the client
can display a special dialog a la ssh-askpass. As long as X forwarding isn't
on, the client has assurance that they are actually providing their password
locally. If X forwarding is on, the server could still mock up a display.
Of course this would only work at all for clients that can offer more than a
terminal.

If your point is that it may not matter, then why bother with the credential
forwarding at all? If the remote application must be trusted then surely it
can be trusted to handle passwords. Although, I can imagine a use case
where the server can't contact the KDC on its own, due to network
limitations such as being in a DMZ.

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev