From owner-freebsd-security Thu Oct 31 17:00:03 2002
From: Chris Shenton <chris@Shenton.Org>
To: security@freebsd.org
Subject: Telnet not offering SKey prompt despite keyinit, skeykeys, skey.access
Date: 31 Oct 2002 19:59:50 -0500
Message-ID: <87lm4ef6k9.fsf@thanatos.shenton.org>

I want to skey my telnet daemon (as I've done on other FreeBSD systems in the past) but I can't get it to work on this system. I'm running:

    chris@beatnik_44% uname -a
    FreeBSD beatnik.shenton.org 4.7-RC2 FreeBSD 4.7-RC2 #0: Thu Sep 26 04:07:11 GMT 2002     root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC  i386

I generate keys for myself:

    chris@beatnik_43% keyinit
    Adding chris:
    Reminder - Only use this method if you are directly connected.
           If you are using telnet or rlogin exit with no password and use keyinit -s.
    Enter secret password:
    Again secret password:

    ID chris s/key is 99 be97113
    YALE NEIL EVEN OTT PRY FAIR

I check that the skeykeys file is created and make sure skey is allowed (in fact, required from everywhere) in /etc/skey.access:

    beatnik# ls -l /etc/skey*
    -rw-r--r--  1 root  wheel  98 Oct 31 20:48 /etc/skey.access
    -rw-------  1 root  wheel  67 Oct 31 20:45 /etc/skeykeys

    beatnik# cat /etc/skey.access
    # why can't I get skey or opie to run on telnet?
    deny internet 192.168.255.0 255.255.255.0
    deny
    #

    beatnik# cat /etc/skeykeys
    chris 0099 be97113 fe9861f0982352fa Oct 31,2002 20:45:27

Looks OK, but when I try to telnet, it doesn't offer the skey prompt, just the normal reusable UNIX password:

    chris@thanatos(260> telnet beatnik
    Trying 192.168.255.183...
    Connected to beatnik.shenton.org.
    Escape character is '^]'.
    Trying SRA secure login:
    User (chris): chris
    Password:
    [ SRA accepts you ]

When I ssh to it, it does offer me the skey prompt, but (unless I'm really fat-fingered) doesn't seem to recognize the phrase I generate on the local box, then reverts to normal password auth:

    chris@thanatos(264> ssh beatnik
    s/key 98 be97113
    Password:
    Permission denied, please try again.
    s/key 98 be97113
    Password:
    Permission denied, please try again.
    s/key 97 be97113
    Password:
    chris@beatnik.shenton.org's password:

Any ideas what I'm missing? Thanks.
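The post shows the three artifacts of an S/Key setup without showing how they relate: keyinit prints "99 be97113", /etc/skeykeys stores sequence 0099 plus a 64-bit value, and the login challenge is "s/key 98 be97113". The following is an added example, not code from the post or from FreeBSD's libskey, that models that hash chain and the server-side check: keyinit stores hash^99 of (seed + passphrase); a login at sequence 98 is accepted when one more hash of the response equals the stored value, after which the stored value and sequence are replaced, so the next challenge is 97 and a captured response cannot be replayed. It assumes the RFC 2289 "md5" construction (MD5 folded to 64 bits by XORing the halves); FreeBSD 4.x libskey used the same chain with MD4, which is not always available in hashlib. The passphrase, the class and function names and the demo values are constructed for the example; only the seed is taken from the post.

```python
"""S/Key-style one-time-password chain and verifier (added example, not FreeBSD's code).

Assumption: RFC 2289 "md5" algorithm (MD5 digest folded to 8 bytes by XOR of halves).
FreeBSD 4.x's libskey used MD4 with the same chain structure.
"""
import hashlib

SEED = "be97113"  # seed from the post's "s/key 99 be97113"; passphrase below is made up


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing the two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def _step(data: bytes) -> bytes:
    """One link of the chain: hash then fold."""
    return _fold(hashlib.md5(data).digest())


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Client side: the 64-bit one-time password for sequence number `seq`.

    The chain starts from hash(seed + passphrase) (seed lower-cased as in RFC 2289)
    and is hashed `seq` further times, so otp(seq+1) == _step(otp(seq)).
    """
    state = _step((seed.lower() + passphrase).encode())
    for _ in range(seq):
        state = _step(state)
    return state


def to_hex(otp8: bytes) -> str:
    """Hex form of a one-time password, like the 16 hex digits stored in skeykeys."""
    return otp8.hex().upper()


class SKeyStore:
    """Server side: one record like a line of /etc/skeykeys (seq, seed, last OTP)."""

    def __init__(self, seq: int, seed: str, last: bytes) -> None:
        self.seq, self.seed, self.last = seq, seed, last

    @classmethod
    def keyinit(cls, passphrase: str, seed: str, seq: int = 99) -> "SKeyStore":
        # keyinit stores hash^seq; the first login is therefore challenged with seq-1
        return cls(seq, seed, otp(passphrase, seed, seq))

    def challenge(self) -> str:
        """The prompt the client sees, e.g. 's/key 98 be97113'."""
        return f"s/key {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if hashing it once more reproduces the stored value.

        On success the record advances: the accepted response becomes the stored
        value and the sequence decrements, which is what makes a replay fail.
        """
        if self.seq <= 0 or _step(response) != self.last:
            return False
        self.seq -= 1
        self.last = response
        return True


def demo() -> tuple:
    """Walk one keyinit plus three logins; returns (ok, replay, wrong_pass, next_ok)."""
    passphrase = "constructed demo passphrase"      # not a real secret
    store = SKeyStore.keyinit(passphrase, SEED)      # like the post's keyinit run
    assert store.challenge() == "s/key 98 be97113"
    ok = store.verify(otp(passphrase, SEED, 98))       # correct response for seq 98
    replay = store.verify(otp(passphrase, SEED, 98))   # same response again: rejected
    wrong = store.verify(otp("other passphrase", SEED, 97))  # wrong secret: rejected
    next_ok = store.verify(otp(passphrase, SEED, 97))  # next sequence: accepted
    return ok, replay, wrong, next_ok


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the passphrase: it holds only the 64-bit value one hash further down the chain, which is why /etc/skeykeys can be readable to root alone yet still not reveal the secret, and why the challenge counts down from the number keyinit printed.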