Date: Wed, 11 Jan 1995 19:12:28 +0200
From: Mark Murray <mark@grondar.za>
To: hackers@FreeBSD.org
Subject: S/Key - What gives?
Message-ID: <199501111712.TAA27382@grunt.grondar.za>

Hi

1) I thought I saw a bug fix for this a week or four ago...

    Connected to localhost.
    Escape character is '^]'.

    FreeBSD (grunt.grondar.za) (ttyp2)

    login: mark
    s/key 98 243498f554858c28    <--- This is supposed to be like 'gr3465'???

2) If we are trying (and succeeding) to avoid giving away usernames
(like not allowing fingerd the freedom it traditionally has), then
maybe we should look at this:

a) logging in as a legitimate user with s/key enabled gives the usual

    login: <existing name>
    s/key <seq #> <key #>
    password: <password>

User is in.

b) Joe Cracker comes along and wants to see if account "bloggs" exists:

    login: bloggs
    password: secret
    login incorrect.

But the absence of the s/key bit already told him he's barking up the
wrong tree.

Maybe a random number should be thrown in as a confuser?

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
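
The "confuser" idea from point 2, as an added example that is not part of the original message or of FreeBSD's login code: every login name gets a challenge line, and names without an S/Key entry get a decoy derived from a keyed hash of the name, so the same probe always sees the same answer (a freshly random value per attempt would itself reveal the decoy). The names `SKEY_DB`, `SERVER_SECRET`, `decoy_challenge` and `login_prompt` are hypothetical, and the sample account data is constructed.

```python
import hashlib
import hmac

# Constructed sample data: accounts with S/Key enabled -> (sequence, seed).
SKEY_DB = {"mark": (98, "gr3465")}

# Assumption: a per-host secret created at install time, readable only by login.
SERVER_SECRET = b"constructed-demo-secret"


def decoy_challenge(username, secret=SERVER_SECRET):
    """Derive a stable fake (sequence, seed) for a name with no S/Key entry.

    HMAC keeps the mapping unpredictable without the host secret, while
    repeated probes of the same name still return the same challenge.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[0:2], "big") % 99            # 1..99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[2:4])
    number = int.from_bytes(digest[4:8], "big") % 10000
    return seq, "%s%04d" % (letters, number)                     # shaped like 'gr3465'


def login_prompt(username, db=SKEY_DB, secret=SERVER_SECRET):
    """Return the lines shown after 'login: <name>', identical in shape
    whether or not the account exists or has S/Key enabled."""
    seq, seed = db.get(username) or decoy_challenge(username, secret)
    return ["s/key %d %s" % (seq, seed), "password:"]


if __name__ == "__main__":
    for name in ("mark", "bloggs", "bloggs"):
        print("login:", name)
        print("\n".join(login_prompt(name)))
        print()
```

A real sequence number counts down after each successful login while this decoy stays fixed, so a long-running observer could still tell them apart; response timing would also need to match between the two paths.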