Bugtraq mailing list archives

Future of s/key (Re: S/Key & OPIE Database Vulnerability)

From: dfrasnel () ALPHALINUX ORG (Frasnelli, Dan)
Date: Wed, 26 Jan 2000 21:59:35 -0800

Ultimately I wonder how much of a future S/Key has now that SSH and
similar utilities are widely deployed and provide much more
sophisticated protections, especially session encryption.


Discussing how one could displace the other is not logical -
ssh and s/key address two distinct security challenges.
ssh by itself provides advanced confidentiality and basic
authentication; s/key by itself provides advanced authentication
and no confidentiality.  Suggesting ssh may replace s/key is
like saying "telnet might replace /bin/login".

The future of s/key is probably what it always has been: an otp
supplement to the basic Un*x password authentication, regardless
of what the access method (ssh, rsh, serial terminal) is.
Some sites I have worked with implement both:
- enforced rsa authentication for remote access via ssh
- s/key authentication for privileged account access.

No security technology or procedure is ultimately secure; it's just
a matter of time before l0pht cracks it.

Regards,

--
Dan Frasnelli
Security analyst

Current thread:

Re: S/Key & OPIE Database Vulnerability, (continued)
- - - Re: S/Key & OPIE Database Vulnerability David Maxwell (Jan 23)
    - S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 23)
    - Re: S/Key & OPIE Database Vulnerability Evil Pete (Jan 24)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Stream.c needs more clarification Vanja Hrustic (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
    - Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)
    - Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 28)
    - "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Jan 29)
    - Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
    - Multicast from hell John Watkins (Jan 27)
    - Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
    - Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
    - Tempfile vulnerabilities foo (Jan 30)

(Thread continues...)