[13593] in bugtraq


Re: S/Key & OPIE Database Vulnerability

daemon@ATHENA.MIT.EDU (Eivind Eklund)
Thu Jan 27 15:28:34 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000127113639.E12425@bitbox.follo.net>
Date:         Thu, 27 Jan 2000 11:36:39 +0100
Reply-To: Eivind Eklund <eivind@FREEBSD.ORG>
From: Eivind Eklund <eivind@FREEBSD.ORG>
X-To:         Steve VanDevender <stevev@HEXADECIMAL.UOREGON.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <14479.20641.518835.315870@hexadecimal.uoregon.edu>; from
              stevev@HEXADECIMAL.UOREGON.EDU on Wed, Jan 26,
              2000 at 11:53:05AM -0800

On Wed, Jan 26, 2000 at 11:53:05AM -0800, Steve VanDevender wrote:
> Ultimately I wonder how much of a future S/Key has now that SSH and
> similar utilities are widely deployed and provide much more
> sophisticated protections, especially session encryption.

S/Key is still useful, even when you do use SSH.  By using S/Key, you
can avoid replay attacks if somebody compromises a workstation or
temporarily compromises the server (i.e., you are secure after reinstall
and moving skeykeys over.)

You don't get the same effect by using ssh RSA authentication, partly
because you either have
(1) Users that key in the passphrase each time they connect to the
    server
OR
(2) Agent forwarding, which means that if any computer they have an
    account on is compromised, so is your box.  Without any logging in
    their end.  Without any *possibility* of proper logging in their
    end, as the authentication challenges do not themselves contain
    any authentication.
OR
(3) Extremely clued users, who either remember to type -a on all ssh
    connections, don't have agent forwarding at all (disabled for the
    machine), or have patched ssh to add the -A keyword (now default
    included in Debian, and possibly in OpenSSH)

Eivind.
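
An added illustration (not part of the message above, and not S/Key's own code) of the replay resistance the message relies on: a simplified Lamport hash-chain login, with SHA-256 standing in for S/Key's MD4-based function. The names `otp`, `Server` and `demo`, and the sample passphrase and seed, are constructed for this example.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption: SHA-256 instead of S/Key's folded MD4).
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client side: the n-th one-time password is h applied n times to seed+secret."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class Server:
    """Stores only the last accepted password and its sequence number,
    which is the role the skeykeys entry plays."""
    def __init__(self, seed: bytes, n: int, initial: bytes):
        self.seed, self.n, self.stored = seed, n, initial

    def challenge(self):
        # Ask for the password one step earlier in the chain than the stored one.
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.n <= 1:
            return False  # chain exhausted, user must re-initialise
        if hmac.compare_digest(h(response), self.stored):
            # Accept once, then move the stored value down the chain.
            self.stored, self.n = response, self.n - 1
            return True
        return False

def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed sample values
    server = Server(seed, 100, otp(secret, seed, 100))
    n, s = server.challenge()
    response = otp(secret, s, n)
    first = server.verify(response)         # legitimate login
    replay = server.verify(response)        # same response captured and replayed
    copied = server.verify(server.stored)   # value copied from the server's entry
    n2, s2 = server.challenge()
    later = server.verify(otp(secret, s2, n2))  # user's next login still works
    return first, replay, copied, later

if __name__ == "__main__":
    print(demo())
```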
