Date: Fri, 10 May 1996 16:27:58 GMT
From: wietse@wzv.win.tue.nl (Wietse Venema)
To: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org
Cc: wietse@wzv.win.tue.nl
Subject: Re: cvs commit: src/lib/libskey skeylogin.c
Message-ID: <199605101627.QAA07329@wzv.win.tue.nl>
This change seems to miss an important point: the file /etc/skeykeys
contains the last S/Key password used. The primary reason for using
S/Key is that passwords may be sniffed from the wire. When intruders can
sniff the S/Key password from the wire, there is little point in keeping
it in a secret file.

If you're worried about dictionary attacks on one-time passwords, it is
better to adopt a scheme that is based on pseudorandom numbers, such as
SecureNet keys or other.

	Wietse

> Modified: lib/libskey skeylogin.c
> Log:
> /etc/skeykeys was basically suffering from the same vulnerability
> as any non-shadowed /etc/passwd. Ironically, all programs using S/Key
> have already been setuid root except keyinfo(1).
>
> This modification creates /etc/skeykeys with mode 0600 to prevent it
> from being examined by ordinary users.
>
> Revision  Changes  Path
> 1.7       +3 -1    src/lib/libskey/skeylogin.c
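The mechanism behind Wietse's objection, as an added illustration that is not part of the original message or of FreeBSD's libskey: a minimal S/Key-style hash chain in which the server record (mirroring the fields of /etc/skeykeys as plain Python values) stores the last accepted one-time password, so that after every login the "secret" file holds exactly the value that just crossed the wire. SHA-256 truncated to 8 bytes stands in for S/Key's MD4 folding; the user name, seed and passphrase are constructed sample values.

```python
"""Simplified S/Key-style OTP chain (added example, not FreeBSD's libskey).

Assumption: h() is SHA-256 truncated to 64 bits instead of S/Key's MD4 folding;
the chain logic (h applied n times to seed+passphrase) is otherwise the same.
"""
import hashlib
from dataclasses import dataclass


def h(x: bytes) -> bytes:
    """One step of the chain (stand-in for S/Key's 64-bit MD4 fold)."""
    return hashlib.sha256(x).digest()[:8]


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: the OTP for sequence number n is h^n(seed || passphrase)."""
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = h(x)
    return x


@dataclass
class SkeyRecord:
    """One /etc/skeykeys entry: the server never stores the passphrase."""
    user: str
    seq: int     # sequence number of the stored (last accepted) OTP
    seed: str
    last: bytes  # last OTP accepted, i.e. h(next OTP the client will send)


def init_record(user: str, passphrase: str, seed: str, n: int = 99) -> SkeyRecord:
    """keyinit-style setup: store h^n so the first login must present h^(n-1)."""
    return SkeyRecord(user, n, seed, otp(passphrase, seed, n))


def verify_login(rec: SkeyRecord, presented: bytes) -> bool:
    """Server side: accept iff hashing the presented OTP once gives the stored value.

    On success the presented value replaces the stored one, so the record now
    contains precisely the OTP that was just transmitted; a replay of that same
    value hashes to the previous entry and is rejected.
    """
    if rec.seq <= 0 or h(presented) != rec.last:
        return False
    rec.last = presented
    rec.seq -= 1
    return True


if __name__ == "__main__":
    rec = init_record("alice", "correct horse battery", "fb12345")  # constructed
    sent = otp("correct horse battery", "fb12345", 98)
    print("login ok:", verify_login(rec, sent), "file == wire:", rec.last == sent)
```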