Date: Thu, 5 Mar 2015 20:14:59 -0500 (EST)
From: Benjamin Kaduk
To: Slawa Olhovchenkov
Cc: Benjamin Kaduk, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r279603 - in head: bin/rcp usr.bin/rlogin usr.bin/rsh
In-Reply-To: <20150305151732.GA48476@zxy.spb.ru>

On Thu, 5 Mar 2015, Slawa Olhovchenkov wrote:

> On Thu, Mar 05, 2015 at 10:11:43AM -0500, Benjamin Kaduk wrote:
>
> > On Thu, Mar 5, 2015 at 9:40 AM, Slawa Olhovchenkov wrote:
> >
> > Speaking as an upstream maintainer: don't use kerberized telnet.
>
> I use this to test the kerberos setup (to check that everything is set up correctly).

I use ssh to test kerberos setups (I think sshd has better error messages, for one). The problem with using telnet to test the kerberos setup is that if your kerberos setup works with telnet, you have the DES enctypes (weak cryptography) enabled. This means that the whole setup, even things other than telnet, is suffering from the vulnerabilities of weak crypto. Kerberos distributions have disabled DES by default for many years now -- Apple has even completely removed the code for them from recent releases of OS X! Please see RFC 6649.

> > I use kerberized ssh all the time; please tell me more about how it is
> > broken (a new thread would be best).
>
> kerberized ssh is broken in SSO mode: you can't do an ssh login to a

I have a very different idea of what "SSO mode" means: I run kinit on my local machine and then use kerberos to authenticate to remote services. I should never type my password at something which is not a trusted local binary.

> kerberized host (from the outside world), input kerberos password and use
> kerberos ticket.

"input kerberos password and use kerberos ticket" doesn't make sense -- you are not using your kerberos ticket; you are using your password. PAM is going off and getting a ticket, sure (and hopefully validating it against the host keytab to avoid the Zanarotti attack!), but it is starting with your password. That is completely at odds with how Kerberos is intended to be used.

> This is an issue between PAM and ssh thread emulation.

It does seem likely that this sort of thing would be an issue with PAM, yes. I am not particularly motivated to look into it, though. I do recall some issue where sshd in capsicum mode was not allowed to read the keytab in order to verify the supplied Kerberos credentials, which required using UsePrivilegeSeparation=yes instead of the default value (sandbox). Perhaps that would affect the password mode of operation as well.

-Ben
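The practical point in Ben's reply is that a realm where kerberized telnet works is a realm with single-DES enctypes enabled, and that exposure is realm-wide rather than confined to telnet. The shell script below is an added example, not code from either mail or from FreeBSD: it checks a client for that condition in two places, the ticket cache (any `klist` listing that shows enctypes, searched for `des-cbc-*` names wherever they appear in the line) and the `[libdefaults]` section of `krb5.conf`. All sample data is constructed: the `klist` text follows the layout of MIT `klist -e`, the realm `EXAMPLE.ORG` and host names are made up, and the config fragments use `allow_weak_crypto` (spelled the same in MIT and Heimdal) and MIT's `permitted_enctypes`; Heimdal, which the FreeBSD base system ships, names its enctype list `default_etypes`, and the DES check covers either spelling because it matches the enctype names rather than the key.

```shell
#!/bin/sh
# Added example (not part of the thread): audit a Kerberos client for the
# single-DES enctypes that RFC 6649 deprecates. Two stdin filters:
#   weak_enctypes_in_klist  scans `klist -e`-style output for DES enctypes
#   weak_crypto_in_conf     scans a krb5.conf for allow_weak_crypto and DES
# Feed them live data (klist -e | weak_enctypes_in_klist) or the constructed
# samples below. Both return 0 when clean and 1 when DES is found.

DES_PATTERN='des-cbc-(crc|md4|md5)'

# Print each distinct single-DES enctype seen in a ticket cache listing.
weak_enctypes_in_klist() {
    found=$(grep -oE "$DES_PATTERN" | sort -u) || true
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Flag the two ways a krb5.conf [libdefaults] keeps DES alive:
#   allow_weak_crypto = true (same key in MIT and Heimdal)
#   a des-cbc-* name in an enctype list (permitted_enctypes,
#   default_tgs_enctypes, default_tkt_enctypes in MIT; default_etypes in Heimdal)
weak_crypto_in_conf() {
    conf=$(sed -e 's/[#;].*//')      # drop comments before matching
    rc=0
    if printf '%s\n' "$conf" | grep -qiE '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)'; then
        echo "allow_weak_crypto is enabled"
        rc=1
    fi
    if printf '%s\n' "$conf" | grep -qiE "$DES_PATTERN"; then
        echo "a single-DES enctype is listed in an enctype setting"
        rc=1
    fi
    return $rc
}

# Constructed sample shaped like MIT `klist -e` output (not captured output).
# The krbtgt session key is DES and the telnet host ticket is DES throughout.
WEAK_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/05/15 20:00:00  03/06/15 06:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
03/05/15 20:00:10  03/06/15 06:00:00  host/telnet.example.org@EXAMPLE.ORG
        Etype (skey, tkt): des-cbc-md5, des-cbc-md5'

# The same cache after DES is disabled: only AES enctypes remain (constructed).
CLEAN_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/05/15 20:00:00  03/06/15 06:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Constructed krb5.conf fragments: the weak setting beside the corrected one.
WEAK_CONF='[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true    # turned on so kerberized telnet keeps working
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5'

FIXED_CONF='[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'

# Demonstration on the constructed samples.
echo "== weak ticket cache =="
if printf '%s\n' "$WEAK_KLIST" | weak_enctypes_in_klist; then
    echo "no single-DES enctypes"
else
    echo "DES enctypes are in use: every service in the realm, not just telnet, is exposed"
fi
echo "== weak krb5.conf =="
printf '%s\n' "$WEAK_CONF" | weak_crypto_in_conf || echo "fix: set allow_weak_crypto = false and drop des-cbc-* from the enctype lists"
echo "== corrected krb5.conf =="
printf '%s\n' "$FIXED_CONF" | weak_crypto_in_conf && echo "clean"
```

Run it as-is to see the constructed cases, or pipe real data into the two functions after sourcing the file. A DES enctype on the krbtgt ticket is the finding that matters most: it means the KDC still holds a DES key for the principal, so every service ticket in the realm is only as strong as that key regardless of which enctypes the individual services advertise.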