Subject: Re: s/key messaging
To: None <tech-security@NetBSD.ORG>
From: Ran Atkinson <rja@inet.org>
List: tech-security
Date: 11/02/1997 07:46:00
--- On Sat, 01 Nov 1997 23:16:09 EST  Angelos wrote:
> And if it's an existing account that *does* have s/key set up, you get
> the challenge. I suppose the correct behaviour is to offer a bogus
> challenge if the user is nonexistent or not set up for s/key (makes
> debugging a bit more difficult).
---------------End of Original Message-----------------

  This is something we fixed in OPIE a long while back,
along with sundry other things.  OPIE is an S/KEY derivative
(name changed at the insistence of Bellcore who are making
questionable trademark claims on "S/KEY") that runs on sundry
flavours of UNIX.  OPIE was the first S/KEY derivative to support
MD5 (and thereby fix the problems related to S/KEY using MD4).

OPIE source code is available from:
	ftp://ftp.nrl.navy.mil/pub/opie

IMHO, it would be ideal for NetBSD to just migrate from the old
Bellcore S/KEY to OPIE (or some other modern implementation of
IETF OTP) in any event.

Ran
rja@inet.org
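
The "bogus challenge" behaviour discussed in the quoted text, as an added sketch that is not part of this message and is not OPIE's code: unknown or unenrolled accounts get a challenge derived from a keyed hash of the name, so the reply looks like a real one and stays the same across repeated probes. The "otp-md5 <sequence> <seed>" layout follows IETF OTP (RFC 2289); the account table, server secret, seed shape and function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data: user -> (current sequence number, seed). Not real accounts.
ENROLLED = {"alice": (487, "ke04711")}
SERVER_SECRET = b"constructed-demo-secret"  # assumption: a random per-host secret
SEED_PREFIX = "ke"  # assumption: real seeds on this host are 2 letters + 5 digits


def bogus_challenge(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a stable, plausible-looking challenge for an unknown account.

    Keyed with a server secret so an outsider cannot recompute it, and
    deterministic so repeated probes of one name always see the same reply.
    """
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 50 + int.from_bytes(mac[:2], "big") % 450   # sequence in 50..499
    digits = int.from_bytes(mac[2:6], "big") % 100000  # 5-digit seed suffix
    return f"otp-md5 {seq} {SEED_PREFIX}{digits:05d}"


def challenge_for(username: str, enrolled=ENROLLED, secret: bytes = SERVER_SECRET) -> str:
    """Return the real challenge for enrolled users, a bogus one otherwise."""
    entry = enrolled.get(username)
    if entry is None:
        # Nonexistent and not-enrolled accounts take the same path.
        return bogus_challenge(username, secret)
    seq, seed = entry
    return f"otp-md5 {seq} {seed}"


if __name__ == "__main__":
    # The second probe of the unknown name prints the same challenge as the first.
    for name in ("alice", "nosuchuser", "nosuchuser"):
        print(name, "->", challenge_for(name))
```

A real account's sequence number drops after each successful login while the bogus one never moves, so this narrows the difference between the two cases without removing it. The response to a bogus challenge has to be rejected with the same message as a wrong response for a real account.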