I discovered this about two months ago. I've opted to remove the SUID bit
and not use the .shosts file. If you add the ~/.ssh/identity.pub to
~/.ssh/authorized_keys on the other machine and vice versa you just need
to do a kinit first and you can log in password free for the timeout period
set by Kerberos. I do this on about ten machines here and it works great
with X displays and all.
Carl
On 18-Feb-00 Brian Parent wrote:
> Apologies to those of you who see this twice, I posted
> it first to comp.security.ssh, which I thought would
> also send it to this [EMAIL PROTECTED] list, but it doesn't
> appear to have happened automatically.
>
>
> It looks like in ssh1 1.2.27 code has been added that
> prevents the usage of kerberos authentication if the
> ssh client is installed suid root. Presumably, this
> is to guard against some insecurity. However, if you
> install the ssh client without suid root, you can't
> take advantage of .shosts. So, it seems you're
> left with one or the other, but not both. Or,
> you could use 1.2.26 (or simply comment out the
> appropriate section from 1.2.27 code). However,
> it's not clear whether this opens up a security hole.
> I've searched the mailing list archive, the FAQ, and
> the newsgroup comp.security.ssh archive... no luck.
>
> Perhaps if ssh is suid root and you set an environment
> variable for a kerberos thingy (credential cache file?),
> you can use someone elses credentials to get authenticated?
>
> It seems that judicious use of setuid might allow a secure
> way to enable either .shosts or kerberos authentication,
> using the same suid root binary.
>
> As a kludge, two separate binaries could be installed, where
> the only difference was the suid bit on one, but a more elegant
> solution would be preferable.
------------------------------------------------------------------------
E-Mail: Carl J. Nobile <[EMAIL PROTECTED]>
Date: 18-Feb-00 Phone: 315-453-2912 Ex. 5336
Time: 16:33:32 Fax: 315-453-3052
Software Engineering Group -- AppliedTheory Corp.
224 Harrison Street, 6th Floor, Syracuse, NY 13202
------------------------------------------------------------------------
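As an added example (not code from this thread), a small audit script for the trade-off discussed above: it reports whether the ssh1 client binary carries the setuid bit (which 1.2.27 uses to disable Kerberos authentication), whether a ~/.shosts file is left unusable as a result, and whether ~/.ssh/authorized_keys is writable by others. The client path and home directory are passed as arguments (an assumption) so it can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an ssh1 client install
# against the SUID / Kerberos / .shosts trade-off. Paths are arguments
# (an assumption) so the check can run against a scratch directory.

# 0 if the file carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# 0 if the file is group- or world-writable, 1 otherwise (POSIX find, octal masks).
is_loosely_writable() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one line per finding for client binary $1 and home directory $2.
# Returns 0 when nothing needs attention, 1 otherwise.
audit_ssh_client() {
    client="$1"; home="$2"; rc=0
    if is_setuid "$client"; then
        echo "SUID: $client is setuid; ssh1 1.2.27 disables Kerberos auth for a setuid client"
        rc=1
    else
        echo "OK: $client is not setuid; Kerberos auth usable, .shosts is not"
        if [ -f "$home/.shosts" ]; then
            echo "WARN: $home/.shosts present but unusable without a setuid client"
            rc=1
        fi
    fi
    ak="$home/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        if is_loosely_writable "$ak"; then
            echo "WARN: $ak is group/world writable; anyone who can edit it can add a key"
            rc=1
        else
            echo "OK: $ak exists with restrictive permissions (kinit first, then key auth)"
        fi
    else
        echo "INFO: no $ak; key-based login as described above is not configured"
    fi
    return $rc
}
```

Run it as `audit_ssh_client /usr/local/bin/ssh "$HOME"`; a non-zero exit means at least one finding needs attention.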