Bugtraq mailing list archives
Re: S/Key & OPIE Database Vulnerability
From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Thu, 27 Jan 2000 11:36:39 +0100
On Wed, Jan 26, 2000 at 11:53:05AM -0800, Steve VanDevender wrote:
Ultimately I wonder how much of a future S/Key has now that SSH and similar utilities are widely deployed and provide much more sophisticated protections, especially session encryption.
S/key is still useful, even when you do use SSH. By using S/Key, you can avoid replay attacks if somebody compromise a workstation or temporarily compromise the server (ie, you are secure after reinstall and moving skeykeys over.) You don't get the same effect by using ssh RSA authentication, partly you either have (1) Users that key in the passphrase each time they connect to the server OR (2) Agent forwarding, which means that if any computer they have an account on is compromised, so is your box. Without any logging in their end. Without any *possibility* of proper logging in their end, as the authentication challenges do not themselves contain any authentication. OR (3) Extremely clued users, who either remember to type -a on all ssh connections, don't have agent forwarding at all (disabled for the machine), or has patched ssh to add the -A keyword (now default included in Debian, and possibly in OpenSSH) Eivind.
Current thread:
- S/Key & OPIE Database Vulnerability, (continued)
- S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 23)
- Re: S/Key & OPIE Database Vulnerability Evil Pete (Jan 24)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Stream.c needs more clarification Vanja Hrustic (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
- Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 28)
- "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Jan 29)
- Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
- Multicast from hell John Watkins (Jan 27)
- Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
- Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
- Tempfile vulnerabilities foo (Jan 30)
- [FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs] Patrick Oonk (Jan 28)