[19599] in Athena Bugs
Re: access_on documentation bugs, security concerns
daemon@ATHENA.MIT.EDU (Christopher D. Beland)
Sat Aug 11 11:28:53 2001
Message-Id: <200108111528.LAA40122@whack-a-mole.mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
cc: "Christopher D. Beland" <beland@MIT.EDU>, bugs@MIT.EDU, ostock@MIT.EDU
In-reply-to: The events that comprise the history of the universe.
Date: Sat, 11 Aug 2001 11:28:46 -0400
From: "Christopher D. Beland" <beland@MIT.EDU>
> Because public workstations can't keep a secret ssh key.

Ah, so one would have to hack something where it generated a new one
every time someone wanted to log in.

> I'd be happy to disable it, but I don't know if that would irritate
> users too much. It's not like you can log in remotely as a user
> without sending your password over the net in the clear.

Not even forwarding Kerberos tickets? I guess not, since public
machines don't have srvtabs.

It seems even less wise to encourage people to send their password in
the clear over the network, even if it is in a cluster...

> > the message includes the host they are coming from, and perhaps
> > their real username, if retrievable
>
> It's not going to be retrievable in any secure way, since you don't
> authenticate when you log in as root with the root password.

I was imagining some fanciful scenario whereby the machine that the
request is coming from is fingered, or somesuch. But you're right,
that's not secure. And simply knowing that your tickets have been
stolen is of course less desirable than stopping them from being
stolen in the first place.

I've just had a thought. Would it be possible to use the existing
/etc/athena/access mechanism to enable ssh (presumably disabling
telnet altogether, since as you point out, you have to send your
password in the clear)?

By default, /etc/athena/access might contain:
---
* l Public workstation; use access_on to enable remote logins.
root l Public workstation; no remote root access allowed.
# For security reasons, do not remove or change the above line. The
# public Athena root password is widely known. Strangers who gain
# root access to this machine will be able to steal your Kerberos
# tickets, and thus pretend to be you until they expire.
---
"access_on beland" might add the line:

beland rl

...generate a new host key, and restart sshd if need be. access_off
would simply put the file back to its original state. "access_on
root" would generate a warning or error. Typing "access_on" while
someone was already logged on would perhaps need to drop the
connection, because the host key would change as a result, but that
seems a small price to pay for security. Not to mention the
convenience of being able to use "scp" between workstations, since
they don't have a configured ftpd.

-B.
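
A sketch of the access_on / access_off file handling proposed in the message above, added here as an illustration; it is not Athena's code and not written by either correspondent. It assumes the file layout shown in the message, works on a scratch file named by the hypothetical ACCESS_FILE variable, and leaves out the host-key regeneration and sshd restart.

```shell
#!/bin/sh
# Added sketch of the proposed access_on / access_off behaviour.
# ACCESS_FILE is a hypothetical stand-in for /etc/athena/access; use a scratch copy.
ACCESS_FILE="${ACCESS_FILE:-./access.sample}"

# Write the default file as quoted in the message (constructed sample).
access_init() {
    cat > "$ACCESS_FILE" <<'EOF'
* l Public workstation; use access_on to enable remote logins.
root l Public workstation; no remote root access allowed.
# For security reasons, do not remove or change the above line.
EOF
}

# Enable remote login for one user by adding a "<user> rl" line.
access_on() {
    user="$1"
    # Refuse root: the public root password is widely known.
    if [ "$user" = "root" ]; then
        echo "access_on: refusing to enable remote access for root" >&2
        return 1
    fi
    # Accept only plain usernames, so no flags, text or extra lines
    # can be smuggled into the access file through the argument.
    case "$user" in
        ''|*[!a-z0-9_-]*)
            echo "access_on: invalid username" >&2
            return 1 ;;
    esac
    # Keep a pristine copy once, so access_off restores the exact original.
    [ -f "$ACCESS_FILE.orig" ] || cp "$ACCESS_FILE" "$ACCESS_FILE.orig"
    # Idempotent: never add a second entry for the same user.
    if ! grep -q "^$user[[:space:]]" "$ACCESS_FILE"; then
        printf '%s rl\n' "$user" >> "$ACCESS_FILE"
    fi
}

# Put the file back to its original state, if access_on changed it.
access_off() {
    [ -f "$ACCESS_FILE.orig" ] && mv "$ACCESS_FILE.orig" "$ACCESS_FILE"
    return 0
}
```

Restoring from a saved copy rather than deleting the added line means the root entry and its warning comment come back even if something else edited the file while access was on.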