Re: S/Key & OPIE Database Vulnerability
Subject: Re: S/Key & OPIE Database Vulnerability
From: Eivind Eklund (eivind@FREEBSD.ORG)
Date: Thu Jan 27 2000 - 04:36:39 CST
- Next message: Ron Parker: "Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature"
- Previous message: Peter Berendi: "Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature"
- In reply to: Steve VanDevender: "Re: S/Key & OPIE Database Vulnerability"
- Next in thread: Jordan Ritter: "Re: S/Key & OPIE Database Vulnerability"
- Next in thread: Brandon Palmer: "Re: S/Key & OPIE Database Vulnerability"
- Next in thread: Dug Song: "Re: S/Key & OPIE Database Vulnerability"
- Reply: Eivind Eklund: "Re: S/Key & OPIE Database Vulnerability"
- Reply: Jordan Ritter: "Re: S/Key & OPIE Database Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Jan 26, 2000 at 11:53:05AM -0800, Steve VanDevender wrote:
> Ultimately I wonder how much of a future S/Key has now that SSH and
> similar utilities are widely deployed and provide much more
> sophisticated protections, especially session encryption.
S/Key is still useful, even when you do use SSH. By using S/Key, you
can avoid replay attacks if somebody compromises a workstation or
temporarily compromises the server (i.e., you are secure after reinstall
and moving skeykeys over.)

You don't get the same effect by using ssh RSA authentication, partly
because you either have

(1) Users that key in the passphrase each time they connect to the
server

OR

(2) Agent forwarding, which means that if any computer they have an
account on is compromised, so is your box. Without any logging on
their end. Without any *possibility* of proper logging on their
end, as the authentication challenges do not themselves contain
any authentication.

OR

(3) Extremely clued users, who either remember to type -a on all ssh
connections, don't have agent forwarding at all (disabled for the
machine), or have patched ssh to add the -A keyword (now default
included in Debian, and possibly in OpenSSH)
Eivind.
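The replay-resistance Eivind describes above comes from the one-way hash chain that S/Key and OPIE are built on. The following is an added illustration, not code from the mail or from the S/Key or OPIE projects: it implements the RFC 2289 MD5 variant (OPIE's default) of the chain, a minimal server-side record holding only the last accepted one-time password, and a login exchange in which the same response is presented twice. The seed, passphrase and sequence number are constructed values chosen for the demo.

```python
import hashlib

# RFC 2289, MD5 variant: a 16-byte digest is folded to 8 bytes by XORing
# the two halves. Each step of the chain is fold(MD5(previous)).
def fold(digest: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def otp_step(key: bytes) -> bytes:
    return fold(hashlib.md5(key).digest())

def initial_key(seed: str, passphrase: str) -> bytes:
    # Seed is case-insensitive (lower-cased) and concatenated with the passphrase.
    return fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())

def otp_at(seed: str, passphrase: str, n: int) -> bytes:
    """One-time password after n hash iterations (what a client sends for sequence n)."""
    k = initial_key(seed, passphrase)
    for _ in range(n):
        k = otp_step(k)
    return k

class OtpServer:
    """The server keeps only (sequence, seed, last accepted OTP), as in
    /etc/skeykeys or /etc/opiekeys. It never stores the passphrase, and a
    copy of this record does not let anyone compute a *future* response."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed = seed
        self.sequence = sequence
        self.last_otp = last_otp

    @classmethod
    def enroll(cls, seed: str, passphrase: str, count: int) -> "OtpServer":
        # Enrollment is the only time the passphrase is handled; the server
        # records the top of the chain and the number of remaining passwords.
        return cls(seed, count, otp_at(seed, passphrase, count))

    def challenge(self) -> tuple[int, str]:
        # Client must answer with the OTP for sequence - 1.
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 1:
            return False  # chain exhausted; user must re-enroll
        if otp_step(response) != self.last_otp:
            return False  # wrong or already-used password
        # Accept: the presented value becomes the new reference, so the same
        # response can never satisfy a later challenge.
        self.last_otp = response
        self.sequence -= 1
        return True

def demo() -> dict:
    seed, passphrase = "ab1234", "correct horse battery"  # constructed values
    server = OtpServer.enroll(seed, passphrase, count=3)

    seq, chal_seed = server.challenge()          # seq == 2
    response = otp_at(chal_seed, passphrase, seq)  # computed on the client
    first = server.verify(response)              # genuine login
    replay = server.verify(response)             # same bytes sniffed and resent

    seq, chal_seed = server.challenge()          # seq == 1
    second = server.verify(otp_at(chal_seed, passphrase, seq))
    return {"first": first, "replay": replay, "next": second,
            "remaining": server.sequence}

if __name__ == "__main__":
    print(demo())
```

The record a compromised server leaks is `last_otp`, which is the *output* of the hash step; recovering the next valid response would require inverting MD5's fold, which is why reinstalling and carrying the key file over (as the mail says) is safe. Contrast this with agent forwarding, where the compromised host can simply ask the forwarded agent to sign a fresh challenge and there is nothing stored that could even distinguish the two uses.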
This archive was generated by hypermail 2b27 : Thu Jan 27 2000 - 14:13:14 CST