Date:      Fri, 7 Jun 1996 21:26:41 +0200 (MET DST)
From:      Ollivier Robert <roberto@keltia.freenix.fr>
To:        ewb@zns.net (Will Brown)
Cc:        pst@shockwave.com, freebsd-security@freebsd.org
Subject:   Re: s/key and OTP [was: MD5 Crack code]
Message-ID:  <199606071926.VAA18214@keltia.freenix.fr>
In-Reply-To: <199606071404.KAA02891@selway.i.com> from Will Brown at "Jun 7, 96 10:04:52 am"

It seems that Will Brown said:
> IF s/key is approaching "defacto standardization" then that process
> should be allowed to continue and OTP should go away. IMHO it is more
> important that a standard be established and rolled into the *many*

AFAIK S/Key -- the one from Bellcore -- is dead. 

Some guys in the US Navy have taken over it and now release OPIE (look on
ftp.nrl.navy.mil). It is the same as S/Key although there are more features
(see below).

It conforms to the OTP defined by the IETF and is compatible with S/Key in
MD4 mode.

 6 May 1996   169.3 Ko  /sources/security/passwd/opie-2.21.tar.gz

Here is an extract from the README:

OPIE Software Distribution, Release 2.21                  Important Information
========================================                  =====================

Introduction
============

	"One-time Passwords In Everything" (OPIE) is a freely distributable
software package originally developed at and for the US Naval Research
Laboratory (NRL). Recent versions are the result of a cooperative effort
between NRL, several of the original NRL authors, The Inner Net, and many
other contributors from the Internet community.

	OPIE is an implementation of the One-Time Password (OTP) System that
is being considered for the Internet standards-track. OPIE provides a one-time
password system. The system should be secure against the passive attacks
now commonplace on the Internet (see RFC 1704 for more details). The system
is vulnerable to active dictionary attacks, though these are not widespread
at present and can be detected through proper use of system audit
software. 

	OPIE is primarily written for UNIX-like operating systems, but
we are working to make applicable portions portable to other operating systems.
The OPIE software is derived in part from and is fully interoperable with the
Bell Communications Research (Bellcore) S/Key Release 1 software. Because
Bellcore claims "S/Key" as a trademark for their software, NRL was forced to
use a different name (we picked "OPIE") for this software distribution.

	OPIE includes the following additions/modifications to the
original Bellcore S/Key(tm) Version 1 software:

* Just about one-command installation for many common platforms. While we
  still recommend that you follow instructions and test things by hand, the
  more adventurous can install OPIE quickly.

* A modified BSD FTP daemon that does OPIE. The small and simple BSD ftpd(8)
  was deliberately chosen over the wuarchive ftpd(8) because we didn't have 
  the time needed to convince ourselves that the wuarchive ftpd(8) didn't have
  any security holes lurking in its many extra features.

* By default, the "su" binary always gives you an OPIE challenge, even on the
  console. This was a hole for rlogin/telnet sessions in the original S/Key 
  software.

* MD5 support. MD5 is now the default algorithm, though MD4 is still supported
  by changing a parameter in the Makefile. This change was made because MD5 is
  widely believed to be cryptographically stronger than MD4 (see RFC 1321).

* A more portable version of MD4 has been substituted for the original MD4. 
  This should solve many of the endian problems.

* Most of the system-dependencies have been moved to a new file "opie_cfg.h".

* Configuration options have been moved to the Makefile.

* Isolated system dependencies (e.g. BSDisms) with appropriate #ifdefs.

* Revised the opiekey(1) program to simultaneously support MD4 and MD5, with
  the default algorithm being tunable using the MDX symbol in the Makefile.

* More operating systems are supported by recent versions of OPIE, but older
  BSD systems that aren't close to being compliant with the POSIX standard are
  no longer supported.

* Transition mechanisms are optional to prevent potential back doors.

* On systems using the /etc/opieaccess transition mechanism, users can choose
  to require the use of OPIE to login to their accounts when it would 
  otherwise be optional.

* Bug fixes

* Cosmetic changes

* Prompts (optionally) identify specifically what kind of entry (system
  password, secret pass phrase, or OTP response) is allowed.

* Changes to mostly conform with the draft Internet OTP standard.

* Optional autoconf support


-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #7: Thu Jun  6 20:43:22 MET DST 1996
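The OTP scheme the README refers to (the IETF draft of the time, published as RFC 1938 and later RFC 2289) is small enough to show in full. The following is an added example written for this page; it is not code from this message, from Bellcore S/Key or from the OPIE distribution, and the names `fold64`, `step`, `otp_key`, `OtpVerifier`, `enroll` and `demo` are my own, not OPIE's API. It assumes the RFC 2289 rules: the seed is lower-cased and prepended to the pass phrase, each MD4/MD5 digest is folded to 64 bits by XORing its halves, the count-th key is that many further hash-and-fold steps, and the server keeps only the sequence number, seed and last accepted key. MD5 mode (OPIE's default) is used; the MD4 compatibility mode works the same way but `hashlib.new("md4")` needs OpenSSL's legacy provider on current systems. The expected hex values for the test pass phrase come from RFC 2289 Appendix C; the login/replay exchange in `demo` is constructed.

```python
# Added example, not code from this message or from the OPIE distribution.
# Implements the RFC 2289 one-time password chain in MD5 mode (OPIE's default),
# the MD4/MD5 128->64 bit fold, and the server-side check that makes a sniffed
# response useless. Class and function names are my own, not OPIE's API.
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """RFC 2289 fold for MD4/MD5: XOR the first 8 digest bytes with the last 8."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(key: bytes, algo: str = "md5") -> bytes:
    """One step of the chain: hash the 64-bit key and fold the result."""
    # MD4 (S/Key compatibility mode) needs OpenSSL's legacy provider;
    # hashlib.new("md4") raises ValueError where it is not available.
    return fold64(hashlib.new(algo, key).digest())


def otp_key(passphrase: str, seed: str, count: int, algo: str = "md5") -> bytes:
    """The count-th one-time key for (passphrase, seed).

    Initial step: hash seed||passphrase with the seed lower-cased (the seed is
    case-insensitive in RFC 2289). Computation step: apply `step` count times.
    """
    key = step((seed.lower() + passphrase).encode("ascii"), algo)
    for _ in range(count):
        key = step(key, algo)
    return key


def to_hex(key: bytes) -> str:
    """Hex form as opiekey/skey print it: four groups of two bytes, in order."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpVerifier:
    """Per-user state a server keeps (compare /etc/opiekeys): the sequence
    number, the seed, and the last accepted key. The pass phrase is never
    stored; it is only needed at enrollment to compute the first stored key."""

    def __init__(self, seed: str, count: int, last_key: bytes, algo: str = "md5"):
        self.seed, self.count, self.last_key, self.algo = seed, count, last_key, algo

    def challenge(self) -> str:
        """The challenge the client sees, e.g. 'otp-md5 98 test'."""
        return f"otp-{self.algo} {self.count - 1} {self.seed.lower()}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if it is the preimage of the stored key.

        Hashing the submitted key once must reproduce what is on file. On
        success the response becomes the new stored key and the count drops,
        so the same response can never be accepted again (replay fails).
        """
        if self.count <= 0:
            return False
        if not hmac.compare_digest(step(response, self.algo), self.last_key):
            return False
        self.last_key = response
        self.count -= 1
        return True


def enroll(passphrase: str, seed: str, count: int = 99, algo: str = "md5") -> OtpVerifier:
    """Enrollment (the opiepasswd role): compute key #count and store only it."""
    return OtpVerifier(seed, count, otp_key(passphrase, seed, count, algo), algo)


def demo() -> dict:
    """Constructed exchange: one login, one replay of the sniffed response,
    then the next legitimate login. Uses the RFC 2289 test pass phrase/seed."""
    phrase, seed = "This is a test.", "TeSt"
    server = enroll(phrase, seed, count=99)
    resp = otp_key(phrase, seed, 98)                # client's answer to challenge 98
    first = server.verify(resp)                     # accepted: step(key98) == key99
    replay = server.verify(resp)                    # rejected: stored key is now key98
    nxt = server.verify(otp_key(phrase, seed, 97))  # accepted: step(key97) == key98
    return {"first": first, "replay": replay, "next": nxt, "remaining": server.count}


if __name__ == "__main__":
    for n in (0, 1, 99):
        print(n, to_hex(otp_key("This is a test.", "TeSt", n)))
    print(demo())
```

The replay branch in `demo` is the "secure against passive attacks" property the README claims: a response captured off the wire is the preimage of a key the server has already replaced, so it is worthless to anyone who sniffed it. It says nothing about the active case the README also mentions: an attacker who intercepts the response before the legitimate login completes, or who collects responses and runs a dictionary attack against the pass phrase offline, is not stopped by the chain itself, which is why the README points at audit tooling rather than the algorithm for that case.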
