Bugtraq mailing list archives

Re: S/Key & OPIE Database Vulnerability

From: eivind () YES NO (Eivind Eklund)
Date: Fri, 28 Jan 2000 12:23:10 +0100


On Thu, Jan 27, 2000 at 09:40:35AM -0500, Brandon Palmer wrote:

Ultimately I wonder how much of a future S/Key has now that SSH and
similar utilities are widely deployed and provide much more
sophisticated protections, especially session encryption.


I think there is definatly still a need.  There are many cases in which I
am not on a machine what has ssh (ie some public telnet shell).  Though
the session is not encrypted,  my password is still safe.  Until ssh-java
shells are common,  s/key still has it's place.


This indicates a rather common misconception.  SSH-Java shells should
NOT make a public terminal trusted for your password; the TERMINAL is
insecure, and is rather likely to be running a keystroke logger.  SSH
only makes the connection from the box it runs on to the box in the
other end secure.

Eivind.

Current thread:

Stream.c needs more clarification, (continued)
- - - Stream.c needs more clarification Vanja Hrustic (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
    - Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
    - Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)
    - Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 28)
    - "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Jan 29)
    - Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
    - Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
    - Multicast from hell John Watkins (Jan 27)
    - Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
    - Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
    - Tempfile vulnerabilities foo (Jan 30)
    - [FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs] Patrick Oonk (Jan 28)
    - Re: Multicast from hell Omachonu Ogali (Jan 28)
    - FTPPro has weird features - Fwd: Important matter for your abuse department Cedric Amand (Jan 28)
    - New SCO patches... Aaron Sigel (Jan 27)
    - Qpopper security bug Zhodiac (Jan 26)
    - Re: S/Key & OPIE Database Vulnerability Dug Song (Jan 26)

(Thread continues...)