Linux - Security (LinuxQuestions.org)
I'm reading up on how Kerberos functions, and I wonder: isn't using Kerberos for SSH *less* secure than the default? With Kerberos, when a client tries to authenticate for SSH, it has to decrypt a ticket from the KDC with the client password *locally*-- therefore, an attacker can launch offline brute force attacks against user passwords. Compare this to the default SSH password authentication, where only online attacks work (right?) and therefore it's painfully obvious when someone's trying to crack into a server. And with SSH keypairs, neither online nor offline attacks are possible.
Is this correct? If so, why would anyone use Kerberos for SSH authentication?
What you're not thinking about is how Kerberos works. The 'ticket' that a Kerberos Key Distribution Centre (KDC) gives to the user logging in has nothing to do with the user password.
Say I log in using my username and password. The client machine I'm using has a ticket that it already received from the KDC as a member of the Kerberos realm. My user credentials are encrypted by the client, using a shared key, and passed to the KDC, which decrypts the credentials, and either grants or does not grant a ticket to the user.
I'm being simplistic, but that is the nuts and bolts of it. At no point does the 'attacker' have the user name and password to 'break' if you get me.
Last edited by irishbitte; 11-24-2009 at 10:11 PM.
Quote:
Say I log in using my username and password. The client machine I'm using has a ticket that it already received from the KDC as a member of the Kerberos realm. My user credentials are encrypted by the client, using a shared key, and passed to the KDC, which decrypts the credentials, and either grants or does not grant a ticket to the user.
Now I'm more confused-- I was thinking in terms of remote login where the client computer is unknown, but now I recall that in Windows AD, client machines are 'joined' into a domain before the user can log in. (Sorry for citing Windows in a Linux forum, but AD is my only exposure to Kerberos.)
On Windows, when you 'join' a computer to a domain, you're prompted for the domain admin username/password. What does that correspond to in the diagram in the following page? (I'm guessing AS_REQ/AS_REP?) And from your example above, I'm guessing the act of the client sending user credentials to the KDC is the TGS_REQ/TGS_REP?
Well, AD is not a great example in one sense, since it is unlikely that anyone would be accessing a machine in an AD domain using SSH in the first place. SSH is definitely a Linux-based tech!
However, AD is without doubt the most permeating example of a Kerberos type system. It is, however, MS's Kerberos system.
Quote:
On windows, when you 'join' a computer to a domain, you're prompted for the domain admin username/password.
In my mind, this would correspond to more than a single request. Firstly, there would be an Auth req, and once that had completed, there would be a TGS_req, since the machine being joined would require a ticket in its own right!
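A minimal model of the AS exchange (AS_REQ/AS_REP) the posts refer to, added here as an illustration; it is not code from this thread or from any real Kerberos implementation. It shows why the reply above holds: the TGT in the AS_REP is sealed under the KDC's own key, only the small enc_part is sealed under the user's key, and with pre-authentication the KDC issues nothing until the client has proved it knows the password. The string-to-key derivation, the toy seal/open cipher, the principal names and the 300-second clock skew window are all constructed assumptions, not Kerberos encryption types or defaults.

```python
import hashlib, hmac, json, os, time

def string_to_key(password, salt):
    # Derive the principal's long-term key from its password (stand-in for Kerberos string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def _stream(key, nonce, n):
    # Toy keystream for the constructed cipher below; not a real Kerberos encryption type.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key, blob):
    # Returns the object, or None if the key is wrong or the blob was tampered with.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)  # the KDC's own long-term key; it never leaves the KDC
        self.principals = {}           # principal name -> long-term key

    def add_principal(self, name, password):
        self.principals[name] = string_to_key(password, name)

    def as_exchange(self, as_req):
        # AS_REQ -> AS_REP. With pre-authentication the client must first prove it knows the
        # password (encrypted timestamp); nothing sealed under the user key is issued otherwise.
        key = self.principals.get(as_req["cname"])
        pa = open_(key, as_req["pa_enc_timestamp"]) if key else None
        if pa is None or abs(time.time() - pa["ts"]) > 300:  # 300 s skew window: assumption
            return None
        session_key = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"cname": as_req["cname"], "key": session_key})  # KDC key, not user key
        return {"tgt": tgt, "enc_part": seal(key, {"key": session_key})}

def client_login(kdc, name, password):
    # The client derives its key from the typed password and decrypts only the enc_part locally.
    key = string_to_key(password, name)
    as_rep = kdc.as_exchange({"cname": name, "pa_enc_timestamp": seal(key, {"ts": time.time()})})
    if as_rep is None:
        return None
    return {"session_key": open_(key, as_rep["enc_part"])["key"], "tgt": as_rep["tgt"]}
```

A wrong password fails at the KDC before any AS_REP is produced, and the returned TGT cannot be opened with the user's key at all, which is the distinction the thread is getting at.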