From owner-freebsd-hackers Wed Jan 11 09:13:06 1995
Return-Path: hackers-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id JAA05205 for hackers-outgoing; Wed, 11 Jan 1995 09:13:06 -0800
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id JAA04947 for ; Wed, 11 Jan 1995 09:12:46 -0800
Received: from localhost (localhost [127.0.0.1]) by grunt.grondar.za (8.6.9/8.6.9) with SMTP id TAA27382 for ; Wed, 11 Jan 1995 19:12:29 +0200
Message-Id: <199501111712.TAA27382@grunt.grondar.za>
X-Authentication-Warning: grunt.grondar.za: Host localhost didn't use HELO protocol
To: hackers@FreeBSD.org
Subject: S/Key - What gives?
Date: Wed, 11 Jan 1995 19:12:28 +0200
From: Mark Murray
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

Hi

1) I thought I saw a bug fix for this a week or four ago...

    Connected to localhost.
    Escape character is '^]'.

    FreeBSD (grunt.grondar.za) (ttyp2)

    login: mark
    s/key 98 243498f554858c28   <--- This is supposed to be like 'gr3465'???

2) If we are trying (and succeeding) to avoid giving away usernames
   (like not allowing fingerd the freedom it traditionally has), then
   maybe we should look at this:

   a) logging in as a legitimate user with s/key enabled gives the usual

        login:
        s/key
        password:

      User is in.

   b) Joe Cracker comes along and wants to see if account "bloggs" exists:

        login: bloggs
        password: secret
        login incorrect.

      But the absence of the s/key bit already told him he's barking up
      the wrong tree.

Maybe a random number should be thrown in as a confuser?

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
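
Added example (not part of the original message, and not FreeBSD's login code): a sketch of the "confuser" idea from point 2, in which unknown accounts also get an s/key line. It derives the decoy from a keyed hash of the user name instead of a fresh random number, so the decoy stays the same across repeated attempts, as a real challenge does between failed logins. The names SKEY_DB, HOST_SECRET and decoy_challenge are hypothetical, and the seed format (two host letters plus four digits) is an assumption modelled on the 'gr3465' quoted above.

```python
import hashlib
import hmac

# Constructed sample data: user -> (sequence number, seed).
SKEY_DB = {"mark": (98, "gr3465")}
# Assumption: a per-host secret that only the login program can read.
HOST_SECRET = b"constructed-demo-secret"
HOSTNAME = "grunt"


def decoy_challenge(user, secret=HOST_SECRET, host=HOSTNAME):
    """Derive a stable, plausible-looking challenge for an unknown account."""
    digest = hmac.new(secret, user.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:4], "big") % 99      # 1..99
    number = int.from_bytes(digest[4:8], "big") % 10000   # 0000..9999
    return seq, f"{host[:2]}{number:04d}"


def challenge_for(user):
    """Return the challenge line shown after 'login:' for any user name."""
    seq, seed = SKEY_DB.get(user) or decoy_challenge(user)
    return f"s/key {seq} {seed}"


if __name__ == "__main__":
    # "bloggs" does not exist, yet gets the same challenge on every attempt.
    for name in ("mark", "bloggs", "bloggs"):
        print(f"login: {name}\n{challenge_for(name)}")
```

A real sequence number drops after each successful login while this decoy never changes, so the decoy only hides the difference from someone probing over a short period.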