Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: S/Key & OPIE Database Vulnerability

From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Thu, 27 Jan 2000 11:36:39 +0100

On Wed, Jan 26, 2000 at 11:53:05AM -0800, Steve VanDevender wrote:

Ultimately I wonder how much of a future S/Key has now that SSH and
similar utilities are widely deployed and provide much more
sophisticated protections, especially session encryption.


S/key is still useful, even when you do use SSH.  By using S/Key, you
can avoid replay attacks if somebody compromise a workstation or
temporarily compromise the server (ie, you are secure after reinstall
and moving skeykeys over.)

You don't get the same effect by using ssh RSA authentication, partly
you either have
(1) Users that key in the passphrase each time they connect to the
    server
OR
(2) Agent forwarding, which means that if any computer they have an
    account on is compromised, so is your box.  Without any logging in
    their end.  Without any *possibility* of proper logging in their
    end, as the authentication challenges do not themselves contain
    any authentication.
OR
(3) Extremely clued users, who either remember to type -a on all ssh
    connections, don't have agent forwarding at all (disabled for the
    machine), or has patched ssh to add the -A keyword (now default
    included in Debian, and possibly in OpenSSH)

Eivind.
Previous By Date Next
Previous By Thread Next

Current thread: