[26774] in Athena Bugs


9.4.23: ssh -k prompts for password

daemon@ATHENA.MIT.EDU (John Hawkinson)
Sat Mar 25 18:33:42 2006

Date: Sat, 25 Mar 2006 18:33:27 -0500 (EST)
Message-Id: <200603252333.k2PNXR0Y005534@multics.mit.edu>
To: bugs@mit.edu
From: John Hawkinson <jhawk@mit.edu>
Errors-To: bugs-bounces@mit.edu

Apparently "ssh -k" prompts the user for their password on login.

This is, IMO, broken.

ssh -k performs Kerberos authentication but not ticket forwarding.
In general, this is going to lead to a broken environment, but that's
OK; in general people shouldn't be doing it unless they have a compelling
cause.

It is not a good idea to encourage users to send their passwords to remote
machines -- if they have used ssh -k unintentionally, they should abort
the session and log in without it. Ticket forwarding is vastly more secure
than password forwarding, and the latter should be strongly discouraged.

The prior art here is rlogin -x, of course, which gives you a broken
login unless you rkinit (deprecated :))


Discussion with the Linux dialup people suggests that this is not the
default ssh configuration (or something).

--jhawk
