Bugtraq mailing list archives
Re: OpenSSH & S/Key information leakage
From: Markus Friedl <markus () openbsd org>
Date: Tue, 13 Nov 2001 13:00:04 +0100
On Sun, Nov 11, 2001 at 06:29:38PM -0700, Joel Maslak wrote:
> There are some bad implementations of S/Key in client programs. OpenSSH (at least on OpenBSD 2.9) is one such bad implementation. OpenSSH only provides this challenge string if (1) the user exists and (2) the user is using one-time-passwords.
This depends very much on the version of OpenSSH and the versions of your skey library. OpenSSH switched away from creating fake skey challenges, and now depends on the skey/otp/bsdauth/whatever-library to create fake challenges. With BSD_AUTH it even depends on the authentication algorithms available in the default class. With a post-Nov 2000 OpenBSD, skeychallenge() creates fake challenges, so OpenSSH does not need to care.
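
An added illustration of the difference discussed in this message, not code from the post, from OpenSSH or from the OpenBSD skey library: a challenge routine that answers only for enrolled users, beside one that returns a stable, keyed fake challenge for every other name. The server secret, the sample user database and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Assumption: a random per-host secret that never leaves the server.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed sample data: user -> (sequence number, seed).
SKEY_DB = {"alice": (87, "ob12345")}


def format_challenge(seq: int, seed: str) -> str:
    """Render an S/Key (RFC 2289 style) challenge line."""
    return f"otp-md5 {seq} {seed}"


def challenge_leaky(user: str):
    """Answer only for enrolled users: the reply itself reveals who exists."""
    entry = SKEY_DB.get(user)
    return format_challenge(*entry) if entry else None


def fake_challenge(user: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a plausible challenge from HMAC(secret, user).

    Keyed, so it cannot be recomputed without the secret, and deterministic,
    so asking twice for the same name gives the same answer.
    """
    digest = hmac.new(secret, user.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:2], "big") % 99        # 1..99
    seed_num = int.from_bytes(digest[2:6], "big") % 100000  # 5 digits
    return format_challenge(seq, f"ob{seed_num:05d}")


def challenge_uniform(user: str) -> str:
    """Always return a challenge: real if enrolled, fake otherwise."""
    entry = SKEY_DB.get(user)
    return format_challenge(*entry) if entry else fake_challenge(user)


def looks_like_skey(challenge: str) -> bool:
    """Check that a challenge has the same shape as the real ones above."""
    return re.fullmatch(r"otp-md5 [1-9]\d? ob\d{5}", challenge) is not None


if __name__ == "__main__":
    for name in ("alice", "nosuchuser"):
        print(name, "| leaky:", challenge_leaky(name),
              "| uniform:", challenge_uniform(name))
```

The fake challenge has to be stable per user name: a value that changed on every connection would distinguish a nonexistent account just as clearly as no challenge at all.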