Subject: bin/2768: s/key and login
To: None <gnats-bugs@gnats.netbsd.org>
From: None <daw@panix.com>
List: netbsd-bugs
Date: 09/18/1996 14:29:25
>Number:         2768
>Category:       bin
>Synopsis:       /usr/bin/login leaks info if skey compiled in.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 18 11:50:02 1996
>Last-Modified:
>Originator:     Nathaniel D. Daw
>Organization:
Piermont Information Systems
>Release:        NetBSD 1.2beta 8/96
>Environment:
System: NetBSD daw.dialup.access.net 1.2_BETA NetBSD 1.2_BETA (NAT2) #21: Fri Aug 2 10:04:22 EDT 1996 nat@dialup227.cc.columbia.edu:/usr/src/sys/arch/i386/compile/NAT2 i386


>Description:
	The s/key features in /usr/bin/login if compiled with -DSKEY
	allow any stranger off the net to determine if any given
	username corresponds to an account on the system. For a number
	of reasons, this may be more information than some sites want
	to disclose.

>How-To-Repeat:
	There are three categories of user names handled by login:
	those which have accounts with skey passwords, those which
	have accounts without skey passwords, and those which don't
	have accounts.

	All three of these categories can be distinguished for a given
	username simply by specifying the password "s/key" to login
	for that username. In the first case, you will receive a
	challenge like:

	[s/key 98 nat.40285]
	Response: 

	In the second you will receive the message:

	You have no s/key. Login incorrect

	And in the third you will receive only the message:

	Login incorrect

	Thus anyone can always distinguish between accounts and
	nonaccounts.

>Fix:
	A simple, immediate patch is to delete the line

                        fprintf(stderr, "You have no s/key. ");

	from src/usr.bin/login/login.c. Then there is no way for
	outsiders to distinguish between an account which doesn't
	exist and an account which exists but has no s/key.

	Strangers can still distinguish between accounts with skeys
	and other accounts; to fix this requires issuing fake s/key
	challenges. Code for this is in the OPIE distribution.
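	The following is an added illustration of the two fixes above, written
	for this report and not taken from NetBSD's login.c or from OPIE. It
	puts the three responses the report describes side by side with a
	hardened variant that drops the "You have no s/key." message and issues
	a fake challenge for every username that has no real s/key. The account
	table, the host_secret parameter and the FNV-1a hash used to derive the
	fake challenge are constructed for the example; the seed value nat.40285
	is the one shown in the report.

```c
/* Added example for PR bin/2768: the s/key enumeration oracle in a login
 * path, beside a hardened variant.  Not NetBSD's login.c and not OPIE code;
 * the account table, host_secret and hash are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample account table.  skey_seq < 0 means "account exists but
 * has no s/key"; a name not in the table means "no such account". */
struct account {
    const char *name;
    int skey_seq;
    const char *skey_seed;
};

static const struct account accounts[] = {
    { "nat", 98, "nat.40285" },   /* account with an s/key (seed from the report) */
    { "bob", -1, NULL },          /* account without an s/key */
};

static const struct account *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Behaviour the report describes: three distinguishable responses.
 * Returns 1 if a real challenge was issued, 0 otherwise. */
int vulnerable_response(const char *name, char *out, size_t n)
{
    const struct account *a = lookup(name);
    if (a != NULL && a->skey_seq >= 0) {
        snprintf(out, n, "[s/key %d %s]\nResponse: ", a->skey_seq, a->skey_seed);
        return 1;
    }
    if (a != NULL) {
        snprintf(out, n, "%s", "You have no s/key. Login incorrect");
        return 0;
    }
    snprintf(out, n, "%s", "Login incorrect");
    return 0;
}

/* FNV-1a over host_secret then name, used only to make the fake challenge
 * stable for a given username: a fake challenge that changed on every attempt
 * would itself tell the caller that the account has no real s/key.  A real
 * implementation would use a keyed hash with a secret kept off the source. */
static uint64_t fnv1a(const char *host_secret, const char *name)
{
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    for (p = host_secret; *p != '\0'; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    h ^= 0xff;                    /* separate secret from name */
    h *= 1099511628211ULL;
    for (p = name; *p != '\0'; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hardened: the "You have no s/key." line is gone (first fix), and accounts
 * without an s/key and nonexistent accounts both get a fake challenge in the
 * same format as a real one (OPIE-style second fix).  The return value is for
 * the caller only; it must still read a response and print the same
 * "Login incorrect" on failure so the prompt sequence stays identical. */
int hardened_response(const char *name, const char *host_secret,
                      char *out, size_t n)
{
    const struct account *a = lookup(name);
    uint64_t h;
    if (a != NULL && a->skey_seq >= 0) {
        snprintf(out, n, "[s/key %d %s]\nResponse: ", a->skey_seq, a->skey_seed);
        return 1;
    }
    h = fnv1a(host_secret, name);
    /* Sequence number and seed are shaped like the real ones above. */
    snprintf(out, n, "[s/key %d %.3s.%05u]\nResponse: ",
             90 + (int)(h % 10), name, (unsigned)((h >> 8) % 100000));
    return 0;
}

int main(void)
{
    const char *names[] = { "nat", "bob", "nobody" };
    char buf[128];
    size_t i;
    for (i = 0; i < 3; i++) {
        vulnerable_response(names[i], buf, sizeof buf);
        printf("vulnerable %-7s -> %s\n", names[i], buf);
        hardened_response(names[i], "constructed-host-secret", buf, sizeof buf);
        printf("hardened   %-7s -> %s\n", names[i], buf);
    }
    return 0;
}
```

	Run stand-alone, the program prints the three distinct answers the
	report lists for the vulnerable path and three same-shaped challenge
	prompts for the hardened one.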
>Audit-Trail:
>Unformatted: