Good afternoon, I hope the week is going well for everyone. Since Randy Quaid has recently been in the news I thought I would start this note with his inspirational line from 'Independence Day':
Iiiiiimmmmmmmm bbbbaaaaccccckkkkkk........ :-)

I always strive for greatness in my life, so as we were going into this holiday season I decided there was probably no greater greatness to aspire to than to be like Simon Wilkinson: to conjure up patches of great usefulness to the Kerberos community which wouldn't have a prayer of being accepted by the SSH community.

We got hit with a rather aggressive round of early snow up here in North Dakota, so I've been able to spend a fair amount of time cross-country skiing with my golden retriever Izzy. That has given me some time to think about a project which I have been meaning to do for some time. So I've spent the holiday season skiing, snowshoeing, thinking and tinkering to come up with a set of patches which implement support for doing sudo authentication 'right' with respect to the Kerberos authentication model.

So as a holiday gift to the Kerberos community at large the following is available:

ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz

These patches implement an AP-REQ authentication module for sudo and a set of companion patches to the public version of OpenSSH to facilitate the use of this module. There is a README in the tar file which documents the problem these patches attempt to address, along with a general architectural overview of how things work.

A quick summary:

The patches implement a ~s escape sequence in the ssh client which prompts the user for a password to authenticate the creation of an AP-REQ packet for the remote client. Upon successful authentication the packet is conveyed to the server via an SSH local packet type. The patches implement a requirement for a very short 10 second lifetime on the authentication packet. This is to maintain the concept of immediacy of the user on the client side.

On login the server creates a temporary file and stores the name of this file in an environment variable named SUDO_CREDENTIAL which is exported into the user's login session. Upon receipt of the AP-REQ packet the server writes the packet into the file so it is available on the remote machine. The user is then prompted for a standard sudo command which uses the AP-REQ packet to authenticate the privilege escalation request.

Hopefully all of this will be useful for system administrators at Kerberos sites which enjoy the flexibility of sudo but get vaguely queasy as they type their passwords into remote machines.

As the version number indicates these patches are very young, so I appreciate all the eyeballs we can get on them due to the nature of the tools involved. The SSH server/client patches run in the unprivileged side of the privilege separation process pair, and the kerb5apreq support in sudo uses the barest minimum of root privileges, so the security footprint on these should be reasonably small.

There is no Heimdal support, so if anyone is interested I would gladly accept incrementals to graft on support for those sites as well.

Just in the general spirit, I will probably bolt on some type of Kerberos mediated authorization in the future to keep the conversation lively... :-)

Best wishes for a pleasant holiday weekend.

As always,
Greg Wettstein and Dal-Rhe's Golden Boy Saint Isadore 'Izzy'

------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management

`We're sysadmins. We deal with the inconceivable so often I can clearly
see the need to define levels of inconceivability.'
-- Rik Steenwinkel

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
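An added walk-through of the credential hand-off the message describes (client builds a short-lived authentication packet, the server drops it into the file named by SUDO_CREDENTIAL, sudo verifies it). This is illustrative code written for this page, not code from the Hurdo tarball or the OpenSSH/sudo patches, and it assumes nothing about those patches beyond what the message states. To run offline without a KDC, the Kerberos AP-REQ is replaced by a keyed-HMAC stand-in over the principal and a creation timestamp; all function names and the session key are hypothetical. The replay check is not mentioned in the message; it is included because a real AP-REQ verifier relies on the Kerberos replay cache for the same purpose, and a single-use packet is what makes a 10 second lifetime meaningful.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Lifetime the message specifies for the authentication packet, in seconds.
LIFETIME_SECONDS = 10

# Constructed demo key shared by the client-side builder and the sudo-side
# verifier. In the real design the host's Kerberos service key plays this
# role when it decrypts the AP-REQ; the HMAC here is only a stand-in.
SESSION_KEY = b"constructed-demo-key-not-a-real-kerberos-key"


def build_ap_req(principal: str, ctime: int, key: bytes = SESSION_KEY) -> dict:
    """Client side (ssh ~s): build the authentication packet for `principal`.

    `ctime` is the client's clock at creation time; binding it under the
    authenticator is what lets the verifier enforce the short lifetime.
    """
    body = {"principal": principal, "ctime": ctime}
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def create_credential_file() -> str:
    """Server side, at login: create the file that SUDO_CREDENTIAL will name.

    mkstemp gives an unpredictable name created with O_EXCL; the explicit
    chmod keeps other users on the host from reading the packet.
    """
    fd, path = tempfile.mkstemp(prefix="sudo-cred-")
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def store_ap_req(path: str, packet: dict) -> None:
    """Server side, on receipt of the SSH packet: write it into the file."""
    with open(path, "w", encoding="ascii") as f:
        json.dump(packet, f)


def verify_ap_req(path: str, now: int, seen: set, key: bytes = SESSION_KEY):
    """sudo side: read the file, check authenticator, lifetime and replay.

    Returns (ok, detail). `seen` stands in for the Kerberos replay cache.
    """
    with open(path, encoding="ascii") as f:
        packet = json.load(f)
    raw = json.dumps(packet["body"], sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["mac"]):
        return False, "authenticator does not verify"
    ctime = packet["body"]["ctime"]
    # Reject packets older than the lifetime, and packets dated in the
    # future, which would otherwise stretch the window by clock skew.
    if ctime > now or now - ctime > LIFETIME_SECONDS:
        return False, "packet outside %d second lifetime" % LIFETIME_SECONDS
    tag = (packet["body"]["principal"], ctime, packet["mac"])
    if tag in seen:
        return False, "packet already used"
    seen.add(tag)
    return True, packet["body"]["principal"]


def walk_through() -> dict:
    """Run the hand-off end to end; return the file mode and the verdicts."""
    path = create_credential_file()
    os.environ["SUDO_CREDENTIAL"] = path  # as the server would export it
    seen, verdicts = set(), []
    t0 = 1_700_000_000  # constructed clock value
    try:
        mode = os.stat(path).st_mode & 0o777
        # 1. fresh packet, verified 3 s later: accepted
        store_ap_req(path, build_ap_req("greg@EXAMPLE.ORG", t0))
        verdicts.append(verify_ap_req(path, t0 + 3, seen))
        # 2. same packet presented again: replay
        verdicts.append(verify_ap_req(path, t0 + 5, seen))
        # 3. new packet, but sudo runs 20 s after it was built: expired
        store_ap_req(path, build_ap_req("greg@EXAMPLE.ORG", t0 + 20))
        verdicts.append(verify_ap_req(path, t0 + 40, seen))
        # 4. packet built under a different key: authenticator fails
        store_ap_req(path, build_ap_req("greg@EXAMPLE.ORG", t0 + 50, key=b"guess"))
        verdicts.append(verify_ap_req(path, t0 + 51, seen))
    finally:
        os.unlink(path)
    return {"mode": mode, "verdicts": verdicts}


if __name__ == "__main__":
    for verdict in walk_through()["verdicts"]:
        print(verdict)
```

The order of the checks matters: the authenticator is verified before anything in the packet is trusted, the lifetime is checked before the replay cache is consulted so that stale entries never accumulate there, and the cache is only updated on success.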
