Bugtraq mailing list archives

OpenSSH & S/Key information leakage


From: Joel Maslak <jmaslak () antelope net>
Date: Sun, 11 Nov 2001 18:29:38 -0700 (MST)

FIRST: Neither of these information leakage issues is a security bug in
itself.  Both S/Key and OpenSSH are secure even with this issue.  However,
this information leakage may assist a hostile attacker.

General S/Key Information Leakage:

As is commonly known, the S/Key (and OPIE) one-time password system will
send the user a challenge string.  This string is provided after the
username is entered.  The string looks like:
        otp-md5 98 indi26401

This string will tell you several things:

1)  What hash algorithm is being used (in this case, md5).  Because some
hash algorithms are weaker than others, this will help an attacker
determine which accounts to attempt to attack.

2)  The "indi26401" is a "seed" value.  If this seed changes, then it is
clear that the user has changed the passphrase that S/Key uses to generate 
one time passwords.

3)  The "98" indicates that S/Key is expecting password #98.  By watching
this number, it is possible to determine a user's login frequency.  By
watching it at different times in the day, the user's habits can be
determined.  Note that in an S/Key enabled system, "su" also uses S/Key
passwords for root, which helps an attacker know when the system
administrators are maintaining the system (and when they are on
vacation...).

OpenSSH & S/Key Implementation Problems

There are some bad implementations of S/Key in client programs.  OpenSSH
(at least on OpenBSD 2.9) is one such bad implementation.  OpenSSH only
provides this challenge string if (1) the user exists and (2) the user is
using one-time-passwords.  Otherwise, it simply asks for a password (or
"hangs up" on the remote client if reusable passwords are not allowed).
Obviously, in an environment where one-time-passwords are required, this
provides an easy way of finding out usernames.

FIXES:

- If S/Key passwords are used at all, "fake" challenge strings should be
printed whenever a real challenge string is not available.  OPIE does this
right.

- Unfortunately, much of the information leakage can not be helped.  It
would be trivial to prevent display of the hash algorithm used, but that
would provide very little security - the real threat is the sequence
number, as it lets an attacker profile a system.  The sequence number is
required as it is used when precomputed password lists are used.

- OpenSSH and other programs often monitor failed logins.  Reviewing your
logs will alert you to this type of activity.  However, once alerted, your
options are very limited - either disconnect your system from the network
or allow yourself to continue to be probed!  (you might block offenders'
IP addresses, but that will be difficult as offenders usually have a large
number of IPs to come from)

-- 
Joel Maslak
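
The first fix in the message above (print a "fake" challenge whenever no real one is available) can be sketched as follows. This is an added example, not code from OpenSSH, OPIE or the original post; `OTP_DB`, `SERVER_SECRET`, `fake_challenge` and `challenge_for` are hypothetical names, and the seed shape simply copies the sample challenge quoted in the message.

```python
import hashlib
import hmac
import string

# Constructed sample data: username -> (algorithm, sequence, seed).
OTP_DB = {"alice": ("otp-md5", 98, "indi26401")}

# Assumption: a per-host secret generated at install time and kept private.
# Without it, anyone could recompute the fake challenges and spot them.
SERVER_SECRET = b"constructed-example-secret"


def fake_challenge(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a stable, plausible challenge for a name with no S/Key entry.

    Keying on the username means repeated probes of the same name always
    get the same answer, as they would for a real account between logins.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    # Sequence number in the range 1..499.
    seq = 1 + int.from_bytes(digest[0:2], "big") % 499
    # Seed shaped like the sample on the page: 4 lowercase letters + 5 digits.
    letters = "".join(string.ascii_lowercase[b % 26] for b in digest[2:6])
    digits = f"{int.from_bytes(digest[6:10], 'big') % 100000:05d}"
    return f"otp-md5 {seq} {letters}{digits}"


def challenge_for(username: str, otp_db=OTP_DB, secret: bytes = SERVER_SECRET) -> str:
    """Return a challenge for every username, whether or not it exists."""
    # Always compute the fake so both paths do the same amount of work.
    decoy = fake_challenge(username, secret)
    entry = otp_db.get(username)
    if entry is None:
        return decoy
    algorithm, seq, seed = entry
    return f"{algorithm} {seq} {seed}"


if __name__ == "__main__":
    for name in ("alice", "nosuchuser", "nosuchuser"):
        print(f"{name}: {challenge_for(name)}")
```

This removes only the immediate "challenge vs. plain password prompt" signal; a fake sequence number that never counts down can still be told apart from an active account by someone who watches it over time.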

