Bugtraq mailing list archives
Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)
From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Tue, 1 Feb 2000 10:41:06 -0500
[ On Tuesday, February 1, 2000 at 02:17:42 (+0300), -=ArkanoiD=- wrote: ]
Subject: Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) I've seen several s/key (opie, whatever you call it) implementations and all of them used some combination of hostname and pseudo-random number as authomatically generated seed. What systems have the problem you described?
Further analysis of the current implementation of S/Key in NetBSD and dredging of my memory suggests that whomever installed S/Key at the sites I referred to did so by first building and testing with the root account on one machine (and perhaps others) and then making a binary package including the /etc/skeykeys file and installing it on all other machines (since the sites in question were running Solaris-2.5 the practice at those sites was to build on a development machine and then deploy binary packages on all the other machines without compilers). Because of the algorithms used to create a "new" seed the result would be continued use of the same seed on all systems. I.e. basically it was a documentation bug that in concert with a latent implementation bug in the seed re-generation that resulted in a serious deployment error. The fact that this happened more than once to un-related sites suggests that it could be a common problem. In theory anyone who knows what I now know about the dangers of using the same secret and the same seed on multiple systems could easily discover and fix the problem. Whether it would be fixed in practice is a separate question!:-) This would also suggest there are dangers in trying to improve the security of your systems by installing binary packages when those packages were instead designed (either implicitly or explicitly) to be installed from source. There are probably a couple of papers here for anyone with the time to do some deeper research and write them up! :-) -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods> Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
Current thread:
- Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) -=ArkanoiD=- (Jan 31)
- Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) Greg A. Woods (Feb 01)
- SARA Security Auditor -- a new tool Security (Feb 01)
- Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) Greg A. Woods (Feb 01)