Subject: login leaks information w/ skeys
To: None <tech-security@netbsd.org>
From: Martin J. Laubach <mjl@nospam.office.emsi.priv.at>
List: tech-security
Date: 07/27/2000 20:45:52
Path: mjl
From: mjl@nospam.office.emsi.priv.at (Martin J. Laubach)
Newsgroups: emsi.netbsd.tech.security
Date: 27 Jul 2000 20:45:52 GMT
Organization: I have some. Really. Somewhere.
Lines: 18
Message-ID: <964730751.507513@maschndrohtzaun.emsi.priv.at>
NNTP-Posting-Host: maschndrohtzaun.emsi.priv.at
NNTP-Posting-Date: 27 Jul 2000 20:45:52 GMT
User-Agent: slrn/0.9.6.2 (NetBSD)
Cache-Post-Path: maschndrohtzaun.emsi.priv.at!unknown@cactus.emsi.priv.at

  Something that I noticed quite some time ago (I even think there was
a PR about it, but I can't seem to find it)...

  Our login process leaks information:

  A normal login asks for "Password:", a login for a user which
has an skey entry asks for "Password [otp md4 98 cact39209]:",
i.e. it reveals whether a certain user exists and has s/keys
enabled.

  This is not really good. I see two alternatives: Either we
go back to the old ways where the s/key prompt only comes when
one enters a password of "s/key" (and then generate a fake
otp prompt for nonexistent users), or generate a fake otp prompt
for everybody. Of course this could be made configurable via
login.conf so as not to clobber all logins.

	mjl
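
The "fake otp prompt for everybody" alternative from the message above, sketched as an added example; it is not part of the original post and not NetBSD's login code. The names `skey_db`, `host_secret`, `host_prefix`, `fake_challenge` and `login_prompt`, and the sample users, are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Shape of the prompt quoted in the message: "Password [otp md4 98 cact39209]:"
PROMPT_RE = re.compile(r"^Password \[otp md4 ([1-9][0-9]?) ([a-z]+[0-9]{5})\]:$")


def fake_challenge(user, host_secret, host_prefix):
    """Derive a stable, plausible (sequence, seed) for an account with no S/Key entry.

    Keying the derivation with a per-host secret means the same name always
    gets the same challenge (repeated probes learn nothing new) while an
    outsider cannot recompute it to tell fake challenges from real ones.
    """
    digest = hmac.new(host_secret, user.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:4], "big") % 99        # 1..99
    num = int.from_bytes(digest[4:8], "big") % 100000       # five-digit seed suffix
    return seq, "%s%05d" % (host_prefix, num)


def login_prompt(user, skey_db, host_secret, host_prefix="cact"):
    """Return the same style of prompt whether or not the user has S/Key enabled."""
    entry = skey_db.get(user)
    if entry is None:
        # Unknown user, or a real user without S/Key: answer with a fake challenge.
        entry = fake_challenge(user, host_secret, host_prefix)
    seq, seed = entry
    return "Password [otp md4 %d %s]:" % (seq, seed)


# Constructed sample data: one S/Key user; every other name is absent.
SAMPLE_DB = {"alice": (98, "cact39209")}
SAMPLE_SECRET = b"constructed-per-host-secret"  # assumption: stored readable by root only

if __name__ == "__main__":
    for name in ("alice", "bob", "no-such-user"):
        print("%-14s %s" % (name, login_prompt(name, SAMPLE_DB, SAMPLE_SECRET)))
```

A real S/Key sequence number counts down with each successful login while the derived one stays fixed, so an observer who watches a prompt over a long period can still tell the two apart; the sketch only closes the single-probe leak described in the message.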