Subject: bin/2768: s/key and login
To: None <>
From: None <>
List: netbsd-bugs
Date: 09/18/1996 14:29:25
>Number:         2768
>Category:       bin
>Synopsis:       /usr/bin/login leaks info if skey compiled in.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 18 11:50:02 1996
>Originator:     Nathaniel D. Daw
Piermont Information Systems
>Release:        NetBSD 1.2beta 8/96
System: NetBSD 1.2_BETA NetBSD 1.2_BETA (NAT2) #21: Fri Aug 2 10:04:22 EDT 1996 i386

	The s/key features in /usr/bin/login if compiled with -DSKEY
	allow any stranger off the net to determine if any given
	username corresponds to an account on the system. For a number
	of reasons, this may be more information than some sites want
	to disclose.

	There are three categories of user names handled by login:
	those which have accounts with skey passwords, those which
	have accounts without skey passwords, and those which don't
	have accounts.

	All three of these categories can be distinguished for a given
	username simply by specifying the password "s/key" to login
	for that username. In the first case, you will receive a
	challenge like:

	[s/key 98 nat.40285]

	In the second you will receive the message:

	You have no s/key. Login incorrect

	And in the third you will receive only the message:

	Login incorrect

	Thus anyone can always distinguish between accounts and

	A simple, immediate patch is to delete the line

                        fprintf(stderr, "You have no s/key. ");

	from src/usr.bin/login/login.c. Then there is no way for
	outsiders to distinguish between an account which doesn't
	exist and an account which exists but has no s/key.

	Strangers can still distinguish between accounts with skeys
	and other accounts; to fix this requires issuing fake s/key
	challenges. Code for this is in the OPIE distribution.
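The following is an added example illustrating the report, not code from NetBSD's login.c or from OPIE. It models the three reply categories the report describes, the immediate patch (dropping the "You have no s/key. " message), and the fuller fix of answering every name with a challenge. The account table, the site secret, the "nat." seed prefix and the hash-based construction of fake challenges are assumptions made for the illustration.

```c
/*
 * Added example, not NetBSD's login.c: models the three reply categories
 * the report describes, the report's immediate patch, and the fuller fix
 * of issuing a challenge to every name.  The account table, the site
 * secret and the fake-challenge construction are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum acct_kind { ACCT_NONE, ACCT_NO_SKEY, ACCT_SKEY };
enum variant   { LEAKY, PATCHED, FAKE };

struct acct {
    const char *name;
    enum acct_kind kind;
    int seq;            /* s/key sequence number (s/key users only) */
    const char *seed;   /* s/key seed (s/key users only) */
};

/* Constructed sample account table: one s/key user, one plain user. */
static const struct acct accounts[] = {
    { "nat",  ACCT_SKEY,    98, "nat.40285" },
    { "root", ACCT_NO_SKEY,  0, NULL },
};

/* Assumed per-site secret; a real system would generate one at install. */
static const char site_secret[] = "example-site-secret-changeme";

static const struct acct *lookup(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* 64-bit FNV-1a over secret || user; only used to keep fake challenges stable. */
static uint64_t fnv1a(const char *secret, const char *user)
{
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    for (p = secret; *p != '\0'; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (p = user;   *p != '\0'; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h;
}

/* Write the reply a remote user sees after giving the password "s/key". */
const char *response(enum variant v, const char *user, char *out, size_t n)
{
    const struct acct *a = lookup(user);

    if (a != NULL && a->kind == ACCT_SKEY) {
        /* Real challenge, identical in all three variants. */
        snprintf(out, n, "[s/key %d %s]", a->seq, a->seed);
    } else if (v == LEAKY && a != NULL) {
        /* The line the report asks to delete: confirms the account exists. */
        snprintf(out, n, "You have no s/key. Login incorrect");
    } else if (v == FAKE) {
        /* Every other name gets a plausible, stable challenge derived from
         * the secret and the name, so a retry sees the same challenge and
         * it cannot be told from a real one (assumed construction, not OPIE's). */
        uint64_t h = fnv1a(site_secret, user);
        snprintf(out, n, "[s/key %d nat.%05u]",
                 (int)(h % 99) + 1,                 /* 1..99 like a real counter */
                 (unsigned)((h >> 8) % 100000));    /* 5-digit seed suffix */
    } else {
        snprintf(out, n, "Login incorrect");
    }
    return out;
}

/* 1 if the reply for user looks like an s/key challenge. */
int gets_challenge(enum variant v, const char *user)
{
    char buf[64];
    return strncmp(response(v, user, buf, sizeof buf), "[s/key ", 7) == 0;
}

/* 1 if two names draw different replies from a variant: the attacker's test. */
int distinguishable(enum variant v, const char *u1, const char *u2)
{
    char a[64], b[64];
    response(v, u1, a, sizeof a);
    response(v, u2, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *names[] = { "nat", "root", "nobody" };
    const char *labels[] = { "leaky", "patched", "fake" };
    char buf[64];
    size_t i, v;
    for (v = 0; v < 3; v++)
        for (i = 0; i < 3; i++)
            printf("%-8s %-7s -> %s\n", labels[v], names[i],
                   response((enum variant)v, names[i], buf, sizeof buf));
    return 0;
}
```

Running it prints the nine replies; with the patched variant "root" and "nobody" both read "Login incorrect", while with the fake variant all three names receive a challenge. Note that deriving the fake challenge from a per-site secret matters: if it came from the username alone, a stranger who knows the construction could compute it and tell fake from real.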