Bugtraq mailing list archives
Re: S/Key & OPIE Database Vulnerability
From: merlin () SCL CWRU EDU (Brandon Palmer)
Date: Thu, 27 Jan 2000 09:40:35 -0500
Initially I thought this meant removing the seed entirely from S/Key. Mudge clarified this to me by explaining that what he meant was removing the routine presentation of the seed in the login challenge, but continuing to use it internally. It would still be necessary to present a new seed in the process of renewing one's S/Key sequence, so while the seed is still exposed, the amount of repeat exposure would be significantly reduced. This is at least quite a bit better than what I thought he meant before.
There are some pros and cons to removing the seed. Consider if we were to remove it. In this case, we would need to be there when we renew the keys. The renewing process would then tell us what our seed is and we could record this. (in a palm pilot, for example). The danger in this is if we lose the key. I presume you could have a function that would tell you, but if you are not on the machine, that won't work. I am in favor of the more secure option, but it may not fit the needs of all.
Ultimately I wonder how much of a future S/Key has now that SSH and similar utilities are widely deployed and provide much more sophisticated protections, especially session encryption.
I think there is definatly still a need. There are many cases in which I am not on a machine what has ssh (ie some public telnet shell). Though the session is not encrypted, my password is still safe. Until ssh-java shells are common, s/key still has it's place. - merlin SCL Manager, CWRU b () scl cwru edu 216.368.5066 pgp key: clabs.cwru.edu/b.pgp
Current thread:
- Re: S/Key & OPIE Database Vulnerability, (continued)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Stream.c needs more clarification Vanja Hrustic (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
- Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 28)
- "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Jan 29)
- Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
- Multicast from hell John Watkins (Jan 27)
- Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
- Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
- Tempfile vulnerabilities foo (Jan 30)
- [FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs] Patrick Oonk (Jan 28)
- Re: Multicast from hell Omachonu Ogali (Jan 28)
- FTPPro has weird features - Fwd: Important matter for your abuse department Cedric Amand (Jan 28)
- New SCO patches... Aaron Sigel (Jan 27)
- Qpopper security bug Zhodiac (Jan 26)