Thanks for the reply...

Dennis Davis <[EMAIL PROTECTED]> writes:

>>From: Josh Huber <[EMAIL PROTECTED]>
>>Newsgroups: gmane.comp.encryption.kerberos.general
>>Subject: host/*@REALM tickets with ssh, DNS
>>Reply-To: Josh Huber <[EMAIL PROTECTED]>
>>Date: Fri, 09 Aug 2002 11:38:30 -0400
>
> ...

Hmm, I would have thought gmane would re-write those headers?
(i.e. remove the Newsgroups header...)

This is the first time I've actually posted through gmane, was there
something wrong with it?  (please reply privately about this...)

If this is causing trouble, I'll just subscribe to the list.

> Probably nothing wrong.  I've often seen this with KerberosIV and
> some KerberosV code contains comments that indicate that this will
> happen.  To quote:
>
>  * Verify the Kerberos ticket-granting ticket just retrieved for the
>  * user.  If the Kerberos server doesn't respond, assume the user is
>  * trying to fake us out (since we DID just get a TGT from what is
>  * supposedly our KDC). If the host/<host> service is unknown (i.e.,
>  * the local keytab doesn't have it), return success but log the error.
>
> ... and I'm sure others will provide a better explanation.

Hmm, for some reason this doesn't really help me at all.  Perhaps I'm
being dense.  The main concern I had was based on the understanding
that things work this way:

1) I prove my identity to the KDC and am issued a ticket.

2) The ssh daemon proves its identity to the KDC using the stored
   keytab file (which I do NOT have permissions to), and is issued a
   ticket.

3) Each entity (myself and the sshd) can communicate with each other
   securely, knowing that the KDC authenticated each member in the
   communication.

Now, if I have a ticket for host/hostname@REALM, doesn't this mean
that I could prove (wrongly) that I am that principal, or am I off
base here?  It just seems like I shouldn't be able to authenticate as
that principal unless I know the key. (or have permissions to read the
keytab file).

Thanks again,
-- 
Josh Huber


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
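The three-step model in the post above, worked through as an added example that is not part of the original message or of any Kerberos implementation. It simulates a KDC, a client doing kinit, and an sshd holding a keytab, so that the question "does holding a host/hostname@REALM ticket let me act as that principal?" can be answered by running it: the service ticket is sealed under the host's long-term key, so the client can carry it but cannot read or forge it, and sshd learns the client's name from inside it. It also models the "verify the TGT just retrieved" check from the quoted source comment: the login program asks for a host/<host> ticket and tries to decrypt it with the local keytab, which a rogue KDC that only knows the password the attacker typed cannot satisfy; if the keytab has no key for the host, the check returns success but logs it, as the comment says. The realm EXAMPLE.COM, the user josh, the host server.example.com and the SHA-256/HMAC toy cipher are all assumptions made here for illustration, not real Kerberos enctypes or messages.

```python
import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.COM"  # hypothetical realm for this example

# Toy authenticated encryption (SHA-256 keystream + HMAC tag). It stands in for
# the Kerberos enctype and is NOT real cryptography; it is only here to make
# "who can open which ticket" visible.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(principal: str, password: str) -> bytes:
    # string-to-key; stands in for the salted Kerberos string2key
    return hashlib.sha256(f"{principal}@{REALM}:{password}".encode()).digest()

class KDC:
    """Holds every principal's long-term key (users and services)."""
    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.tgs_key = secrets.token_bytes(32)  # key of krbtgt/REALM@REALM

    def as_exchange(self, client: str) -> tuple:
        """AS-REQ/AS-REP: issue a TGT. The enc-part is under the client's key,
        so only someone who knows the password recovers the session key."""
        sk = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "session_key": sk.hex()})
        return tgt, seal(self.keys[client], {"session_key": sk.hex()})

    def tgs_exchange(self, tgt: bytes, service: str) -> tuple:
        """TGS-REQ/TGS-REP: the ticket for `service` is sealed under the
        SERVICE's key; the client only ever gets the session key, never that key."""
        body = open_sealed(self.tgs_key, tgt)
        svc_sk = secrets.token_bytes(32)
        ticket = seal(self.keys[service],
                      {"client": body["client"], "service": service, "session_key": svc_sk.hex()})
        return ticket, seal(bytes.fromhex(body["session_key"]), {"session_key": svc_sk.hex()})

def kinit(kdc: KDC, user: str, password: str) -> dict:
    tgt, enc = kdc.as_exchange(user)
    body = open_sealed(derive_key(user, password), enc)  # raises on wrong password
    return {"user": user, "tgt": tgt, "tgs_session_key": bytes.fromhex(body["session_key"])}

def get_service_ticket(kdc: KDC, creds: dict, service: str) -> tuple:
    ticket, enc = kdc.tgs_exchange(creds["tgt"], service)
    return ticket, bytes.fromhex(open_sealed(creds["tgs_session_key"], enc)["session_key"])

def sshd_accept(keytab_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """sshd side of AP-REQ: open the ticket with the keytab key, then check the
    authenticator under the session key found inside. Returns the client name."""
    body = open_sealed(keytab_key, ticket)
    if open_sealed(bytes.fromhex(body["session_key"]), authenticator)["client"] != body["client"]:
        raise ValueError("authenticator does not match ticket")
    return body["client"]

def verify_tgt(kdc: KDC, creds: dict, host_principal: str, keytab: dict) -> bool:
    """The check from the quoted source comment: fetch a host/<host> ticket and
    decrypt it with the local keytab. No key for the host -> succeed but log."""
    if host_principal not in keytab:
        print(f"verify_tgt: no key for {host_principal} in keytab; accepting but logging")
        return True
    try:
        ticket, _ = get_service_ticket(kdc, creds, host_principal)
        body = open_sealed(keytab[host_principal], ticket)
        return body["client"] == creds["user"] and body["service"] == host_principal
    except (ValueError, KeyError):
        return False

def demo() -> dict:
    user, host, pw = "josh", "host/server.example.com", "correct horse"  # constructed names
    user_key, host_key = derive_key(user, pw), secrets.token_bytes(32)     # host_key: KDC + keytab only
    kdc = KDC({user: user_key, host: host_key})
    creds = kinit(kdc, user, pw)
    ticket, sk = get_service_ticket(kdc, creds, host)
    r = {}
    try:                       # 1. josh holds a host/... ticket but cannot even read it
        open_sealed(user_key, ticket); r["client_can_read_ticket"] = True
    except ValueError:
        r["client_can_read_ticket"] = False
    # 2. sshd opens it with the keytab and sees the client is josh, not host/...
    r["sshd_sees"] = sshd_accept(host_key, ticket, seal(sk, {"client": user}))
    # 3. a ticket forged without the host key is rejected by sshd
    forged = seal(secrets.token_bytes(32), {"client": host, "service": host, "session_key": sk.hex()})
    try:
        sshd_accept(host_key, forged, seal(sk, {"client": host})); r["forgery_accepted"] = True
    except ValueError:
        r["forgery_accepted"] = False
    # 4. verify_tgt: real KDC passes; a rogue KDC knowing only the typed password fails
    r["verify_real_kdc"] = verify_tgt(kdc, creds, host, {host: host_key})
    rogue = KDC({user: derive_key(user, "attacker-chosen"), host: secrets.token_bytes(32)})
    rogue_creds = kinit(rogue, user, "attacker-chosen")
    r["verify_rogue_kdc"] = verify_tgt(rogue, rogue_creds, host, {host: host_key})
    r["verify_no_keytab"] = verify_tgt(rogue, rogue_creds, host, {})  # 5. logged, not refused
    return r

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point that matters for the post: the client never gets the host's key, so a host/hostname@REALM ticket in a user's credential cache is something to present to sshd, not a credential for acting as that principal; only the keytab holder can open it. The verify_tgt case also shows why the quoted code treats a missing keytab entry as "success but log": without the host key there is nothing to check the KDC against.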
