tech-security: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]

Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
To: Greg A. Woods <woods@most.weird.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 01/30/2000 12:15:07

  by redmail.netbsd.org with SMTP; 30 Jan 2000 17:15:17 -0000
	by noc.untraceable.net (8.10.0.Beta12/8.10.0.Beta12/bonk!) id e0UHF8T19602;
	Sun, 30 Jan 2000 12:15:08 -0500 (EST)
Date: Sun, 30 Jan 2000 12:15:07 -0500
From: Andrew Brown <atatat@atatdot.net>
To: "Greg A. Woods" <woods@most.weird.com>
Cc: tech-security@netbsd.org
Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
Message-ID: <20000130121507.A19495@noc.untraceable.net>
Reply-To: Andrew Brown <atatat@atatdot.net>
References: <20000124175648.A13877@noc.untraceable.net> <v04220801b4b9a9cb09b5@[204.179.128.134]> <m12Ewof-000g6HC@most.weird.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <m12Ewof-000g6HC@most.weird.com>; from woods@most.weird.com on Sun, Jan 30, 2000 at 11:03:09AM -0500
Return-Receipt-To: receipts@daemon.org

>How "easy" is it to mis-configure s/key so that a number of hosts will
>all share the same challenge/response keys for each account?   (This is
>the most common problem I've seen s/key or OPIE sites encounter.)

very easy, if everyone that uses skey decides to use the same
sequence, challenge, and secret for each host.  which is easy.  it'd
be better if, say, skey didn't allow the user (except for root
perhaps) to pick the challenge.

>Is the "bug" where "skey" generates different responses on different
>architectures known and if so is it fixed in -current and 1.4.2?

yes.

>	sparc-1.3.2 $ skey 99 most02030 
>	Enter secret password: 
>	EM GAB CARD MONA LACK SAY
>
>	i386-1.3.3 $ skey 99 most02030
>	Enter secret password: 
>	CULT MAID FIRE ACID LOU FLOW
>
>The exact same secret, "foobar", was entered in each test case above.

the sparc has the endianness wrong somewhere.  does your "md5 -x"
output not match the rfc perhaps?

here's a hint:

% skey -p 9 9 9 
STUB ELSE MARY LOON COON EAR

i *always* use this one for a test case.  the choice of 9's was
completely arbitrary, but i've been using it for years and can now
recite "stub else mary loon coon ear" on demand.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."