[26894] in Athena Bugs
Athena ssh too old
daemon@ATHENA.MIT.EDU (Timothy G Abbott)
Sun Jul 16 14:30:18 2006
Date: Sun, 16 Jul 2006 14:27:39 -0400 (EDT)
From: Timothy G Abbott <tabbott@mit.edu>
To: bugs@mit.edu
Message-ID: <Pine.LNX.4.62L.0607161420450.28547@yaz-pistachio.mit.edu>
Cc: scripts@mit.edu
Hello,

Athena's ssh should support gssapi-with-mic authentication. Currently,
Athena ssh supports only the insecure gssapi authentication mechanism, which
has not been available in openssh for a long time, because it is a security bug.

This is a problem for any users running modern linux operating
systems. Users running modern versions of SSH cannot connect to their
machines from Athena using kerberos. Similarly, users with modern
versions of SSH who have tickets on their non-Athena machines cannot
connect to Athena dialups or private workstations using kerberos. Sam's
ssh-krb5 package for Debian seems to be the only ssh supporting both
gssapi and gssapi-with-mic, but it is buggy and out of date. Many linux
distributions do not distribute Sam's ssh-krb5 code, and it receives
limited maintenance.

For security reasons, scripts.mit.edu supports GSSAPI
authentication (without GSSAPI credentials delegation, i.e. ticket
forwarding), but not password authentication. Since we're running a
recent linux distribution with a recent openssh, scripts consequently
supports only gssapi-with-mic authentication. Thus, it is impossible to
login to scripts at all using the default Athena ssh client.

The scripts.mit.edu project worked around this problem by compiling its
own copy of openssh 4.3p2 for Athena. However, it would be nice if the root
problem of Athena running an ssh with a known security problem were to be
fixed.

-Tim Abbott
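
An added illustration of the mismatch this report describes (not part of the original message, and not Athena or scripts.mit.edu code): it reads the "Authentications that can continue" line that OpenSSH prints under `ssh -v` and compares the server's offer with a client's supported methods. The sample log, the host name `server.example` and both client method sets are constructed assumptions.

```python
import re

# User-authentication method names as they appear in the SSH protocol.
LEGACY_GSSAPI = "gssapi"          # the older mechanism the report calls insecure
GSSAPI_MIC = "gssapi-with-mic"    # the replacement the report asks for

_OFFER = re.compile(r"Authentications that can continue: (\S+)")


def server_methods(verbose_log):
    """Return the last method list the server advertised in `ssh -v` output."""
    offers = _OFFER.findall(verbose_log)
    return offers[-1].split(",") if offers else []


def assess(verbose_log, client_methods):
    """Compare the server's offer with what a given client build supports."""
    offered = server_methods(verbose_log)
    usable = [m for m in offered if m in client_methods]
    findings = []
    if LEGACY_GSSAPI in offered:
        findings.append("server still offers legacy gssapi")
    if "password" in offered:
        findings.append("server accepts password authentication")
    if GSSAPI_MIC not in client_methods:
        findings.append("client lacks gssapi-with-mic")
    if not usable:
        findings.append("no common method: login cannot succeed")
    return {"offered": offered, "usable": usable, "findings": findings}


# Constructed sample: a server set up as described (GSSAPI only, no passwords).
SAMPLE_LOG = """\
debug1: Connecting to server.example port 22.
debug1: Authentications that can continue: gssapi-with-mic
"""

# Assumed method sets for a client with only the old mechanism and a current one.
OLD_CLIENT = {"publickey", "password", "gssapi"}
NEW_CLIENT = {"publickey", "password", "gssapi-with-mic"}

if __name__ == "__main__":
    for name, methods in (("old", OLD_CLIENT), ("new", NEW_CLIENT)):
        print(name, assess(SAMPLE_LOG, methods))
```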