On Tue, 28 Mar 2000, Tatu Ylonen wrote:
> Please note that there have been serious security problems in SSH1
> (and OpenSSH) kerberos support. I'm not fully up to date on whether
> they have been fixed.
you mean, Kerberos v5 support, which only exists in SSH1 (NOT OpenSSH).
the exploit for ssh1 was trivial - point the KRB5CCNAME environment
variable to someone else's ticket file, and the setuid root ssh1 would
happily use those credentials for authentication.
OpenSSH does not suffer this problem, as it uses the KTH Kerberos v4
implementation, which has simple checks for setuid root programs opening
arbitrary ticket files. to my knowledge, MIT's Kerberos v5 implementation
still does not, which is why ssh1 Kerberos v5 support is still broken.
-d.
---
http://www.monkey.org/~dugsong/
