Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
To: None <tech-security@NetBSD.ORG>
From: Greg A. Woods <woods@most.weird.com>
List: tech-security
Date: 01/30/2000 11:03:09
Message-Id: <m12Ewof-000g6HC@most.weird.com>
In-Reply-To: <v04220801b4b9a9cb09b5@[204.179.128.134]>
References: <20000124175648.A13877@noc.untraceable.net>
	<v04220801b4b9a9cb09b5@[204.179.128.134]>
Reply-To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Sunday, January 30, 2000 at 00:42:40 (-0800), Erik Fair wrote: ]
> Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
>
> This is the first time I've heard of this, however, as you point out, 
> NetBSD is A.O.K.

How "easy" is it to mis-configure s/key so that a number of hosts will
all share the same challenge/response keys for each account?  (This is
the most common problem I've seen s/key or OPIE sites encounter.)

Is the "bug" where "skey" generates different responses on different
architectures known, and if so, is it fixed in -current and 1.4.2?

	sparc-1.3.2 $ skey 99 most02030 
	Enter secret password: 
	EM GAB CARD MONA LACK SAY

	i386-1.3.3 $ skey 99 most02030
	Enter secret password: 
	CULT MAID FIRE ACID LOU FLOW

The exact same secret, "foobar", was entered in each test case above.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
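Added here as an illustration, not code from the message or from NetBSD's skey: a byte-level reference computation of the RFC 2289 one-time password (hex form rather than the six-word form shown above, and MD5 rather than the original MD4 because hashlib may not provide MD4), together with the server-side chain check. Run with the same secret and seed on two hosts it gives a fixed point of comparison for an skey whose output differs between architectures; the function names `fold64`, `otp_hex` and `verify` are this example's own, and the lowercasing of the seed follows RFC 2289's rule that the seed is case-insensitive.

```python
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """Fold a 128-bit MD4/MD5 digest to 64 bits by XORing its two halves.
    Done byte by byte rather than on host-order 32-bit words, so the result
    cannot depend on the endianness or word size of the machine running it."""
    if len(digest) != 16:
        raise ValueError("expected a 128-bit digest")
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_hex(passphrase: str, seed: str, count: int, alg: str = "md5") -> str:
    """One-time password for sequence number `count`, RFC 2289 hex form.
    Step 0 hashes seed+passphrase once; each further sequence number hashes
    the previous 64-bit value once more.  MD5 is used here because hashlib
    may not provide MD4 (the original S/Key hash) on the host."""
    def step(data: bytes) -> bytes:
        return fold64(hashlib.new(alg, data).digest())
    key = step((seed.lower() + passphrase).encode("ascii"))  # seed is case-insensitive
    for _ in range(count):
        key = step(key)
    return key.hex().upper()


def verify(stored_hex: str, candidate_hex: str, alg: str = "md5") -> bool:
    """Server-side check: the server keeps the OTP for sequence n and the
    client must present the OTP for n-1.  Hashing the candidate once more has
    to reproduce the stored value, so the server never holds the secret."""
    try:
        cand = bytes.fromhex(candidate_hex.replace(" ", ""))
        stored = bytes.fromhex(stored_hex.replace(" ", ""))
    except ValueError:
        return False
    if len(cand) != 8 or len(stored) != 8:
        return False
    return hmac.compare_digest(fold64(hashlib.new(alg, cand).digest()), stored)


if __name__ == "__main__":
    # Constructed sample using the secret and seed from the message above,
    # with sequence 99 on file and 98 being the next expected response.
    pw, seed = "foobar", "most02030"
    on_file, answer = otp_hex(pw, seed, 99), otp_hex(pw, seed, 98)
    print("on file :", on_file)
    print("answer  :", answer, "accepted =", verify(on_file, answer))
    print("replay  :", on_file, "accepted =", verify(on_file, on_file))
```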