I have no problem making it work with kerberos authentication, I just
remove the suid bit. Unfortunately, we have the need to provide both
kerberos-type authentication via ssh and .shosts (passwordless, non-kerberos)
authentication.
Re:
> Date: Fri, 18 Feb 2000 16:40:21 -0500 (EST)
> From: "Carl J. Nobile" <[EMAIL PROTECTED]>
> To: Brian Parent <[EMAIL PROTECTED]>
> Subject: RE: ssh1 with kerberos and .shosts possible?
> Cc: [EMAIL PROTECTED]
>
> I discovered this about two months ago. I've opted to remove the SUID bit
> and not use the .shosts file. If you add the ~/.ssh/identity.pub to
> ~/.ssh/authorized_keys on the other machine and vice versa, you just need
> to do a kinit first and you can log in password-free for the timeout period
> set by kerberos. I do this on about ten machines here and it works great
> with X displays and all.
>
> Carl
>
> On 18-Feb-00 Brian Parent wrote:
> > Apologies to those of you who see this twice, I posted
> > it first to comp.security.ssh, which I thought would
> > also send it to this [EMAIL PROTECTED] list, but it doesn't
> > appear to have happened automatically.
> >
> >
> > It looks like in ssh1 1.2.27 code has been added that
> > prevents the usage of kerberos authentication if the
> > ssh client is installed suid root. Presumably, this
> > is to guard against some insecurity. However, if you
> > install the ssh client without suid root, you can't
> > take advantage of .shosts. So, it seems you're
> > left with one or the other, but not both. Or,
> > you could use 1.2.26 (or simply comment out the
> > appropriate section from 1.2.27 code). However,
> > it's not clear whether this opens up a security hole.
> > I've searched the mailing list archive, the FAQ, and
> > the newsgroup comp.security.ssh archive... no luck.
> >
> > Perhaps if ssh is suid root and you set an environment
> > variable for a kerberos thingy (credential cache file?),
> > you can use someone else's credentials to get authenticated?
> >
> > It seems that judicious use of setuid might allow a secure
> > way to enable either .shosts or kerberos authentication,
> > using the same suid root binary.
> >
> > As a kludge, two separate binaries could be installed, where
> > the only difference was the suid bit on one, but a more elegant
> > solution would be preferable.
>
> ------------------------------------------------------------------------
> E-Mail: Carl J. Nobile <[EMAIL PROTECTED]>
> Date: 18-Feb-00 Phone: 315-453-2912 Ex. 5336
> Time: 16:33:32 Fax: 315-453-3052
>
> Software Engineering Group -- AppliedTheory Corp.
> 224 Harrison Street, 6th Floor, Syracuse, NY 13202
> ------------------------------------------------------------------------
>
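The environment-variable concern raised in the thread (a suid-root client opening a credential cache named by the caller, with root's privileges) is illustrated below as an added example. It is not code from ssh1 1.2.27 or from either poster, and it makes no claim about what that release actually does; it only shows the two checks a practitioner would want in any setuid program that opens a user-supplied file. Assumptions, labelled in the code: the MIT Kerberos convention that KRB5CCNAME names the cache (optionally with a FILE: prefix) and that the per-user default is /tmp/krb5cc_<uid>; the function names are my own.

```c
/* Added example (not ssh1 code): safely opening a credential cache from a
 * setuid-root program.
 *
 * The risk: if the program opens the file named by KRB5CCNAME while its
 * effective uid is still 0, the kernel permission check is bypassed and a
 * cache belonging to any other user can be read. Two independent defences:
 *   1. drop the effective uid to the real uid around the open(), so the
 *      invoking user's permissions apply;
 *   2. after opening, verify the file is a regular file owned by the real
 *      uid and not group/world writable.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only with the *real* user's privileges. If we are
 * setuid (euid != ruid) the effective uid is lowered for the open() and
 * restored afterwards so the caller can still do privileged work, such as
 * binding a low port for .shosts-style authentication. Returns the fd or
 * -1 (errno set as by open()). */
int open_as_real_user(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    if (euid != ruid && seteuid(ruid) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* refuse symlink tricks */
    int saved = errno;
    if (euid != ruid && seteuid(euid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

/* Second line of defence on an already-open fd: regular file, owned by
 * the real uid, not writable by group or others. Returns 1 if the file is
 * acceptable, 0 otherwise. Checking the fd (fstat) rather than the path
 * (stat) avoids a rename race between check and use. */
int fd_owned_by_real_user(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Resolve the cache path the way the concern in the thread describes:
 * the caller-controlled environment variable wins, otherwise a per-uid
 * default. ASSUMPTION: MIT Kerberos conventions (KRB5CCNAME, optional
 * "FILE:" prefix, default /tmp/krb5cc_<uid>). Writes into buf, returns buf. */
const char *ccache_path(char *buf, size_t len)
{
    const char *env = getenv("KRB5CCNAME");
    if (env && strncmp(env, "FILE:", 5) == 0) env += 5;
    if (env && *env) snprintf(buf, len, "%s", env);
    else snprintf(buf, len, "/tmp/krb5cc_%ld", (long)getuid());
    return buf;
}

int main(void)
{
    char path[4096];
    ccache_path(path, sizeof path);
    int fd = open_as_real_user(path);
    if (fd < 0) { perror(path); return 1; }
    if (!fd_owned_by_real_user(fd)) {
        fprintf(stderr, "%s: refusing credential cache not owned by uid %ld\n",
                path, (long)getuid());
        close(fd);
        return 1;
    }
    printf("%s: credential cache accepted\n", path);
    close(fd);
    return 0;
}
```

Run as an ordinary user the privilege-dropping branch is a no-op, so the behaviour the example guards against only shows up once the binary is installed setuid root; the ownership check still catches caches the invoking user can read but does not own (for example a world-readable cache left in /tmp). Both checks are cheap, and keeping them independent means a mistake in one (a forgotten seteuid on some code path) does not by itself hand over another user's tickets.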