LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-24-2009, 09:07 PM   #1
genmaicha
Member
 
Registered: Apr 2009
Posts: 38

Rep: Reputation: 15
ssh + kerberos... less secure?


I'm reading up on how kerberos functions, and I wonder: isn't using kerberos for SSH *less* secure than the default? With kerberos, when a client tries to authenticate for SSH, it has to decrypt a ticket from the KDC with the client password *locally*-- therefore, an attacker can launch offline brute force attacks against user passwords. Compare this to the default SSH password authentication, where only online-attacks work (right?) and therefore its painfully obvious when someone's trying to crack into a server. and with SSH-keypairs, neither online for offline are possible.

Is this correct? If so, why would anyone use kerberos for ssh authentication?
 
Old 11-24-2009, 10:09 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
What you're not thinking about is how Kerberos works. The 'ticket' that a Kerberos Key Distribution Centre (KDC) gives to the user logging in has nothing to do with the user password.

Say I log in using my username and password. The client machine I'm using, has a ticket that it already received from the KDC as a member of the Kerberos realm. My user credentials are encrypted by the client, using a shared key, and passed to the KDC, which decrypts the credentials, and either grants or does not grant a ticket to the user.

I'm being simplistic, but that is the nuts and bolts of it. At no point does the 'attacker' have the user name and password to 'break' if you get me.

Last edited by irishbitte; 11-24-2009 at 10:11 PM.
 
Old 11-24-2009, 11:22 PM   #3
genmaicha
Member
 
Registered: Apr 2009
Posts: 38

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by irishbitte View Post
Say I log in using my username and password. The client machine I'm using, has a ticket that it already received from the KDC as a member of the Kerberos realm. My user credentials are encrypted by the client, using a shared key, and passed to the KDC, which decrypts the credentials, and either grants or does not grant a ticket to the user.
Now I'm more confused-- I was thinking in terms of remote login where the client computer is unknown, but now I recall that in windows AD, client machines are 'joined' into a domain before the user can log in. (sorry for citing windows in a linux forum but AD is my only exposure to kerberos).

On windows, when you 'join' a computer to a domain, you're prompted for the domain admin username/password. What does that correspond to in the diagram in the following page? (I'm guessing AS_REQ/AS_REP?) And from your example above, I'm guessing the act of client sending user credentials to the KDC is the TGS_REQ/TGS_REP?

http://www.zeroshell.net/eng/kerbero...ros-operation/
 
Old 11-25-2009, 12:16 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Well, AD is not a great example in one sense, since it is unlikely that anyone would be accessing a machine in an AD domain using SSH in the first place. SSH is definitely a linux based tech!

However, AD is without doubt the most permeating example of a Kerberos type system. It is, however, MS's Kerberos system.

Quote:
On windows, when you 'join' a computer to a domain, you're prompted for the domain admin username/password.
In my mind, this would correspond to more than a single request. Firstly, there would be an Auth req, and once that had completed, there would be a TGS_req, since the machine being joined would require a ticket in it's own right!

Read, read, read!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Kerberos and SSH ceph Linux - Server 0 08-03-2009 11:28 AM
SSH + PAM + Kerberos questions Akegata Linux - Security 9 06-13-2009 10:50 AM
Kerberos and SSH l0rddarkf0rce Linux - Server 0 10-26-2008 04:50 PM
SSH and Kerberos l0rddarkf0rce Ubuntu 0 10-26-2008 02:30 AM
LXer: University of Michigan Selects SSH Tectia for Secure System Administration and Secure File Transfers LXer Syndicated Linux News 0 04-25-2006 12:54 AM


All times are GMT -5. The time now is 01:44 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration