t.rules/FORGED_MUA_OUTLOOK/fp-bug5919-1 - spamassassin - Git at Google

 Return-Path: <kerberos-bounces@mit.edu>
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on fnord.ir.bbn.com
 X-Spam-Level: *
 X-Spam-Status: Yes, score=1.5 required=1.0 tests=AWL,BAYES_00,
 	FORGED_MUA_OUTLOOK autolearn=no version=3.1.7
 X-Spam-Report:
 	* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
 	*      [score: 0.0000]
 	*  4.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
 	*  0.0 AWL AWL: From: address is in the auto white-list
 X-Original-To: gdt@ir.bbn.com
 Delivered-To: gdt@ir.bbn.com
 Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
 	by fnord.ir.bbn.com (Postfix) with ESMTP id 7BF955289
 	for <gdt@ir.bbn.com>; Thu, 31 May 2007 22:58:24 -0400 (EDT)
 Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
 	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l512p83e016021;
 	Thu, 31 May 2007 22:51:13 -0400
 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
 	[18.7.7.76])
 	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l512p6wJ016018
 	for <kerberos@PCH.mit.edu>; Thu, 31 May 2007 22:51:06 -0400
 Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114])
 	by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
 	l512p3up028645
 	for <kerberos@mit.edu>; Thu, 31 May 2007 22:51:04 -0400 (EDT)
 Received: from smtp106.sbc.mail.re2.yahoo.com (smtp106.sbc.mail.re2.yahoo.com
 	[68.142.229.99]) by mit.edu (Spam Firewall) with SMTP id 9CCD95F4294
 	for <kerberos@mit.edu>; Thu, 31 May 2007 22:51:03 -0400 (EDT)
 Received: (qmail 70635 invoked from network); 1 Jun 2007 02:51:03 -0000
 Received: from unknown (HELO CDCHOME) (chrisclausen@sbcglobal.net@76.199.3.163
 	with login)
 	by smtp106.sbc.mail.re2.yahoo.com with SMTP; 1 Jun 2007 02:51:03 -0000
 X-YMail-OSG: eYUkWSMVM1nnl.I9AnuqtOSMg4YD5A.qrPW4QhV0fgw221IdC8nQ5qvp7wst92meohNFSYt_oC8fZ522R6UeMjky3pcFmrSs1.dybQ0ChRPNDnihx5jCjS2vG1ZxACSXxIyqsjOHO61r3Ss-
 Message-Id: <746308829575E17C3331BBCB00C0898B@UserName>
 From: "Christopher D. Clausen" <cclausen@acm.org>
 To: <kerberos@mit.edu>
 References: <x3vee8zahx.fsf@nowhere.com>
 Subject: Re: Use ssh key to acquire TGT?
 Date: Thu, 31 May 2007 21:51:02 -0500
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2900.5512
 X-RFC2646: Format=Flowed; Original
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959
 X-Scanned-By: MIMEDefang 2.42
 X-BeenThere: kerberos@mit.edu
 X-Mailman-Version: 2.1.6
 Precedence: list
 List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
 	<mailto:kerberos-request@mit.edu?subject=unsubscribe>
 List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
 List-Post: <mailto:kerberos@mit.edu>
 List-Help: <mailto:kerberos-request@mit.edu?subject=help>
 List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
 	<mailto:kerberos-request@mit.edu?subject=subscribe>
 MIME-Version: 1.0
 Content-Type: text/plain; charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 Sender: kerberos-bounces@mit.edu
 Errors-To: kerberos-bounces@mit.edu
 X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-3.0 (fnord.ir.bbn.com [0.0.0.0]); Thu, 31 May 2007 22:58:24 -0400 (EDT)

 Adam Megacz <megacz@hcoop.net> wrote:
 > Our (hcoop.net) users love their new AFS homedirs, but are complaining
 > a lot about ssh public keys not working the way they're accustomed to.
 > Telling them to "kinit" after logging in doesn't quite cut it either.
 >
 > We're aware that this goes against the grain of kerberos security, but
 > without something like this users will just start hardcoding their
 > plaintext password into scripts, which is even worse.  At least with
 > ssh keys we can urge them to password-encrypt their on-disk private
 > keys.

 How exactly is having a private key password different from simply
 telling the user to kinit ONCE on their local machine before attempting
 to SSH to your Kerberized machines?

 Also, you could rig up a login script (or PAM) that used a local keytab
 file to obtain AFS tickets automatically at sucessful login.  Not sure
 if you'd have to assume that someone logging as the local UNIX user
 automatically means that user would have to the matching AFS identity.
 You would also have issues of users keeping their passwords and the
 keytabs up to date or otherwise differentiating between the keytab login
 and their real Kerberos identity.

 This might be question to ask on the AFS mailing lists instead of the
 Kerberos ones.

 <<CDC


 ________________________________________________
 Kerberos mailing list           Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos
	Return-Path: <kerberos-bounces@mit.edu>
	X-Spam-Flag: YES
	X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on fnord.ir.bbn.com
	X-Spam-Level: *
	X-Spam-Status: Yes, score=1.5 required=1.0 tests=AWL,BAYES_00,
	FORGED_MUA_OUTLOOK autolearn=no version=3.1.7
	X-Spam-Report:
	* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
	* [score: 0.0000]
	* 4.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
	* 0.0 AWL AWL: From: address is in the auto white-list
	X-Original-To: gdt@ir.bbn.com
	Delivered-To: gdt@ir.bbn.com
	Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by fnord.ir.bbn.com (Postfix) with ESMTP id 7BF955289
	for <gdt@ir.bbn.com>; Thu, 31 May 2007 22:58:24 -0400 (EDT)
	Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l512p83e016021;
	Thu, 31 May 2007 22:51:13 -0400
	Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
	[18.7.7.76])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l512p6wJ016018
	for <kerberos@PCH.mit.edu>; Thu, 31 May 2007 22:51:06 -0400
	Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114])
	by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
	l512p3up028645
	for <kerberos@mit.edu>; Thu, 31 May 2007 22:51:04 -0400 (EDT)
	Received: from smtp106.sbc.mail.re2.yahoo.com (smtp106.sbc.mail.re2.yahoo.com
	[68.142.229.99]) by mit.edu (Spam Firewall) with SMTP id 9CCD95F4294
	for <kerberos@mit.edu>; Thu, 31 May 2007 22:51:03 -0400 (EDT)
	Received: (qmail 70635 invoked from network); 1 Jun 2007 02:51:03 -0000
	Received: from unknown (HELO CDCHOME) (chrisclausen@sbcglobal.net@76.199.3.163
	with login)
	by smtp106.sbc.mail.re2.yahoo.com with SMTP; 1 Jun 2007 02:51:03 -0000
	X-YMail-OSG: eYUkWSMVM1nnl.I9AnuqtOSMg4YD5A.qrPW4QhV0fgw221IdC8nQ5qvp7wst92meohNFSYt_oC8fZ522R6UeMjky3pcFmrSs1.dybQ0ChRPNDnihx5jCjS2vG1ZxACSXxIyqsjOHO61r3Ss-
	Message-Id: <746308829575E17C3331BBCB00C0898B@UserName>
	From: "Christopher D. Clausen" <cclausen@acm.org>
	To: <kerberos@mit.edu>
	References: <x3vee8zahx.fsf@nowhere.com>
	Subject: Re: Use ssh key to acquire TGT?
	Date: Thu, 31 May 2007 21:51:02 -0500
	X-Priority: 3
	X-MSMail-Priority: Normal
	X-Mailer: Microsoft Outlook Express 6.00.2900.5512
	X-RFC2646: Format=Flowed; Original
	X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3959
	X-Scanned-By: MIMEDefang 2.42
	X-BeenThere: kerberos@mit.edu
	X-Mailman-Version: 2.1.6
	Precedence: list
	List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
	List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request@mit.edu?subject=unsubscribe>
	List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
	List-Post: <mailto:kerberos@mit.edu>
	List-Help: <mailto:kerberos-request@mit.edu?subject=help>
	List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request@mit.edu?subject=subscribe>
	MIME-Version: 1.0
	Content-Type: text/plain; charset="us-ascii"
	Content-Transfer-Encoding: 7bit
	Sender: kerberos-bounces@mit.edu
	Errors-To: kerberos-bounces@mit.edu
	X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-3.0 (fnord.ir.bbn.com [0.0.0.0]); Thu, 31 May 2007 22:58:24 -0400 (EDT)

	Adam Megacz <megacz@hcoop.net> wrote:
	> Our (hcoop.net) users love their new AFS homedirs, but are complaining
	> a lot about ssh public keys not working the way they're accustomed to.
	> Telling them to "kinit" after logging in doesn't quite cut it either.
	>
	> We're aware that this goes against the grain of kerberos security, but
	> without something like this users will just start hardcoding their
	> plaintext password into scripts, which is even worse. At least with
	> ssh keys we can urge them to password-encrypt their on-disk private
	> keys.

	How exactly is having a private key password different from simply
	telling the user to kinit ONCE on their local machine before attempting
	to SSH to your Kerberized machines?

	Also, you could rig up a login script (or PAM) that used a local keytab
	file to obtain AFS tickets automatically at sucessful login. Not sure
	if you'd have to assume that someone logging as the local UNIX user
	automatically means that user would have to the matching AFS identity.
	You would also have issues of users keeping their passwords and the
	keytabs up to date or otherwise differentiating between the keytab login
	and their real Kerberos identity.

	This might be question to ask on the AFS mailing lists instead of the
	Kerberos ones.

	<<CDC


	________________________________________________
	Kerberos mailing list Kerberos@mit.edu
	https://mailman.mit.edu/mailman/listinfo/kerberos