From owner-freebsd-security Mon Jun 3 15:43:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA24209 for security-outgoing; Mon, 3 Jun 1996 15:43:04 -0700 (PDT)
Received: from glitnir.cfar.UMD.EDU (glitnir.cfar.umd.edu [128.8.132.40]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA24195 for ; Mon, 3 Jun 1996 15:43:01 -0700 (PDT)
Received: by glitnir.cfar.UMD.EDU (8.7.5/UMIACS-0.9/04-05-88) id SAA10718; Mon, 3 Jun 1996 18:42:57 -0400 (EDT)
Message-Id: <199606032242.SAA10718@glitnir.cfar.UMD.EDU>
To: "Mikael Karpberg"
cc: freebsd-security@freebsd.org
Subject: Re: MD5 Crack code
In-reply-to: Your message of "Mon, 03 Jun 1996 16:35:08 +0200." <199606031435.QAA06701@sea.campus.luth.se>
Date: Mon, 03 Jun 1996 18:42:56 -0400
From: He Who Urges Ampersands
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 03 Jun 1996 16:35:08 +0200, karpen@sea.campus.luth.se wrote:
> > Personally I'd love to insist on Skey (or something like it). Seems to
> > me that simply building clients (FTP, telnet, MUA's, etc.) that are
> > "Skey aware" would go a long way. A separate Skey calculator is a
> > level of "complexity" that many naive users seem to balk at.
>
> I'm not aware of how Skey works, I must say. Doesn't it require you to
> remember one time passwords or something? Seems like a hassle. Please
> feel free to correct me, since I'm surely a novice when it comes to that. :)

No, you just have one password. The idea behind s/Key is to avoid
having clear-text passwords transmitted over an insecure network.

When you log in, the remote machine issues an s/Key challenge, which
includes the "sequence number:" the remote machine keeps track of how
many times you've successfully logged in. You then need to feed the
s/Key challenge (including the sequence number) and your secret
password to a local s/Key calculator. It then turns the whole thing
into a one-time password, which you then give to the remote machine.

Ordinarily, you need a local s/Key calculator handy, or else you need
to print out a list of one-time passwords that you can carry around on
you. Yes, this is something of a hassle.

One hack that we use, which I'd like to include in FreeBSD's 'rlogin'
and/or 'telnet', is that, if you type '~@', and the last N characters
received from the remote end include an s/Key challenge, then the
*local* 'rlogin' will prompt you for a password and run the s/Key
calculator for you. In effect, instead of

	rlogin remotehost
	suspend
	key
	fg

you only need to

	~@

-- 
Andrew Arensburger, Systems guy		Center for Automation Research
arensb@cfar.umd.edu			University of Maryland
	If this isn't war, why is CNN massing on the border?
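
Added example, not part of the original message and not the s/Key calculator's own code: a sketch of the challenge/response exchange described above, including the '~@' idea of answering a challenge found in the last characters received. The hash step (MD5 folded to 64 bits), the challenge text format "s/key <sequence> <seed>", the countdown numbering, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import re

def fold_hash(data: bytes) -> bytes:
    """One-way step (assumed stand-in): MD5 digest folded to 64 bits by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def calculator(seq: int, seed: str, password: str) -> bytes:
    """Local calculator: hash seed+password once, then apply the step seq times."""
    value = fold_hash((seed + password).encode())
    for _ in range(seq):
        value = fold_hash(value)
    return value

class Server:
    """Remote side: keeps the seed, a sequence number and the last accepted
    one-time password. It never stores or receives the secret password."""
    def __init__(self, seed: str, seq: int, stored: bytes):
        self.seed, self.seq, self.stored = seed, seq, stored

    def challenge(self) -> str:
        # Ask for the value one step *before* the stored one in the chain.
        return f"s/key {self.seq - 1} {self.seed}"

    def verify(self, otp: bytes) -> bool:
        # Hashing the reply once must reproduce the stored value.
        if self.seq == 0 or fold_hash(otp) != self.stored:
            return False
        # Accept, then move down the chain so this reply cannot be replayed.
        self.stored, self.seq = otp, self.seq - 1
        return True

CHALLENGE_RE = re.compile(r"s/key (\d+) (\S+)")  # assumed challenge format

def answer_from_tail(tail: str, password: str):
    """'~@' idea: find the most recent challenge in the last characters
    received from the remote end and compute the reply locally."""
    found = CHALLENGE_RE.findall(tail)
    if not found:
        return None
    seq, seed = found[-1]
    return calculator(int(seq), seed, password)

if __name__ == "__main__":
    pw = "constructed-secret"                    # constructed sample values
    srv = Server("ab1234", 100, calculator(100, "ab1234", pw))
    reply = answer_from_tail("login: alice\n" + srv.challenge(), pw)
    print(srv.verify(reply), srv.verify(reply))  # first use, then replay
```

A captured reply is useless to an eavesdropper on the next login because the server has already moved one step down the chain, and going further down requires inverting the hash.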