Bugtraq mailing list archives
Re: OpenSSH & S/Key information leakage
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sun, 18 Nov 2001 21:40:45 +0100 (MET)
On Thu, 15 Nov 2001, Alan J Rosenthal wrote:
A login prompt for a non-account looks like this: login: flomp otp-md5 175 at2078 ext Response: So far, so good. But press return once or twice to get "Login incorrect" (or make a new conection), and then do login: flomp otp-md5 220 at0624 ext Response: Either the user just set a new passphrase in this one-second interval, or "flomp" does not exist.
Seed the PRNG generating this fake challenge with the given username and nothing but the username (and perhaps some *static* secret data). --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
Current thread:
- OpenSSH & S/Key information leakage Joel Maslak (Nov 12)
- Re: OpenSSH & S/Key information leakage Markus Friedl (Nov 13)
- <Possible follow-ups>
- Re: OpenSSH & S/Key information leakage Alan J Rosenthal (Nov 15)
- Re: OpenSSH & S/Key information leakage Robert Bihlmeyer (Nov 19)
- Re: OpenSSH & S/Key information leakage Pavel Kankovsky (Nov 19)