paramiko

paramiko doesn't understand kerberos tickets

Bug #507391 reported by Alexander Kjäll
362
This bug affects 23 people
Affects Status Importance Assigned to Milestone
Fabric
New
Undecided
Unassigned
paramiko
New
Undecided
Unassigned

Bug Description

If i get a kerberos ticket from my KDC and try to log in to an openssh server that have the GSSAPIAuthentication option set to "yes, paramiko still asks for my password and sends it to the server.

This have somewhat bad security consequenses. If the machine that i try to log into is compromized, my password will risk being stolen.

As far as i can see from my strace output it doesn't even try to access my kerberos keycache.

Tags: kerberos
Alexander Kjäll (capitol)
visibility: private → public
Revision history for this message
Pedro Ferreira (pferreir) wrote :

I'd vote for GSSAPI support in paramiko, as there are already kerberos libraries available for Python.

Is there any chance we will see this implemented in the near future?

Revision history for this message
Erwin Richard (info-richardconsulting) wrote :

I'm looking to use fabric as a foundation of a deployment system. Kerberos support is a key feature, as we'd like to track information on all systems with personalized kerberized accounts.

Revision history for this message
Michael van der Kolff (mvanderkolff) wrote :

FWIW, Paramiko does support SSH key-based authentication. Are you sure you can't use SSH keys to accomplish your goal, capitol? That wouldn't expose any password, as only the public key is on the server... As it stands, unless you have insanely long TGT expiry times, I can't see how Kerberos could be used in anything but an interactive setting, unless you kept a local password stash - I don't know if that's any better. Of course, the private key is the same thing, but you can restrict what services it opens, and a password stash might contain a password you use elsewhere.

Revision history for this message
Alexander Kjäll (capitol) wrote :

I could of course setup ssh keys, but that's more of a workaround than a solution.

Kerberos can use a keytab in order to use it outside of a interactive setting, you can read more about it here: http://kb.iu.edu/data/aumh.html but that's somewhat outside the scope of this feature request.

Revision history for this message
Francois Chenais (francois-chenais) wrote :

+1

I would like to use fabric but I can't without gssapi/kerberos support :|
Hope it will be implemented soon !

great job !

Revision history for this message
Giulio Eulisse (eulisse) wrote :

+1

Revision history for this message
Jathan McCollum (jathan-gmail) wrote :

+1: Having GSSAPI support would be invaluable for me. I have an entirely integrated Kerberos environment with which I would like to replace a cluster of legacy bash scripts with Paramiko. Please consider implementing this!

Revision history for this message
Bryan Hughes (khan-l) wrote :

+1: Using fabric in a clunky and reduced manner due to lack of GSSAPI support in paramiko, please implement.

Revision history for this message
Nick Nikovich (nicknnn) wrote :

+1 please implement

Revision history for this message
Alex Wood (awood-j) wrote :

+1

Revision history for this message
Mikael Norgren (that1swede) wrote :

Adding my name to the hat. I would love to see GSSAPI support.

Revision history for this message
ChrisW (chris-simplistix) wrote :

Another +1 from me.

Revision history for this message
vincent garonne (vgaronne) wrote :

+1

Revision history for this message
Domingo Manubens (dmanubens) wrote :

+1

Revision history for this message
Simon (psillithid) wrote :

+1; I'd also love to see GSSAPI support.

Revision history for this message
Michael Komitee (mkomitee) wrote :

+1

Revision history for this message
efayol (eric.fayol) wrote :

+1

Revision history for this message
Leon Haverkotte (l-m-c-haverkotte) wrote :

+1

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Please use the "Affects me too" link on the bug report rather than posting +1's; that way not everybody subscribed to this bug gets spammed. Thanks.

Revision history for this message
Riskable (riskable) wrote :

I suspect that the use of the regular ol' 'kerberos' module is all that is necessary for this to work. It can implement standard GSSAPI authentication. Someone needs to try it out (if I had time...).

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.