Date: Thu, 12 Jan 1995 20:25:06 +0100 (MET)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: mark@grondar.za (Mark Murray)
Cc: hackers@FreeBSD.org, wietse@gvr.win.tue.nl (Wietse Venema)
Subject: Re: S/Key - What gives?
Message-ID: <199501121925.UAA07509@gvr.win.tue.nl>
In-Reply-To: <199501111712.TAA27382@grunt.grondar.za> from "Mark Murray" at Jan 11, 95 07:12:28 pm

Mark Murray wrote:
>
> 2) If we are trying (and succeeding) to avoid giving away usernames
> (like not allowing fingerd the freedom it traditionally has), then
> maybe we should look at this:
>
> a) logging in as a legitimate user with s/key enabled gives the usual
>
> login: <existing name>
> s/key <seq #> <key #>
> password: <password>
>
> User is in.
>
> b) Joe Cracker comes along and wants to see if account "bloggs" exists:
>
> login: bloggs
> password: secret
> login incorrect.
>
> But the absence of the s/key bit already told him he's barking up the
> wrong tree. Maybe a random number should be thrown in as a confuser?
>

Good idea. Forwarded to Wietse Venema as well.

-Guido
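
The "confuser" idea from the quoted message, as an added example (not code from this thread or from the FreeBSD login or S/Key sources): unknown names get a decoy challenge derived with a keyed hash, so repeated probes of the same name see the same prompt, which a fresh random number per attempt would not give. The account table, host secret, seed format and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: accounts with S/Key enabled -> (sequence number, seed).
SKEY_DB = {"mark": (97, "gr12345")}

# Assumption: a per-host secret generated once and readable only by login.
HOST_SECRET = b"constructed-example-secret"


def decoy_challenge(username, secret=HOST_SECRET):
    """Derive a stable, plausible (sequence, seed) pair for an unknown name.

    HMAC keeps the mapping unpredictable without the host secret, and
    deterministic, so asking twice for "bloggs" gives the same answer.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:2], "big") % 99           # 1..99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[2:4])
    digits = int.from_bytes(digest[4:8], "big") % 100000
    # Same shape as the constructed seeds above: two letters, five digits.
    return seq, "%s%05d" % (letters, digits)


def login_prompt(username):
    """Return a prompt of the same shape whether or not the account exists."""
    seq, seed = SKEY_DB.get(username) or decoy_challenge(username)
    return "s/key %d %s\npassword: " % (seq, seed)


def check_login(username, response, verify):
    """Unknown names always fail, with the same message as a wrong response."""
    if username not in SKEY_DB:
        return False
    return verify(username, response)


# Limitation: a real sequence number drops by one after each successful login,
# so a decoy that never changes can still be told apart by someone who watches
# the same name over a long period.
if __name__ == "__main__":
    for name in ("mark", "bloggs", "bloggs"):
        print("login: %s\n%s" % (name, login_prompt(name)))
```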