by mail.netbsd.org with SMTP; 27 Jul 2000 21:57:56 -0000
	by noc.untraceable.net (8.11.0/8.11.0/bonk!) id e6RLvmv10159;
	Thu, 27 Jul 2000 17:57:48 -0400 (EDT)
Date: Thu, 27 Jul 2000 17:57:48 -0400
From: Andrew Brown <atatat@atatdot.net>
To: "Martin J. Laubach" <mjl@office.emsi.priv.at>
Cc: tech-security@netbsd.org
Subject: Re: login leaks information w/ skeys
Message-ID: <20000727175748.A10119@noc.untraceable.net>
Reply-To: Andrew Brown <atatat@atatdot.net>
References: <964730751.507513@maschndrohtzaun.emsi.priv.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <964730751.507513@maschndrohtzaun.emsi.priv.at>; from mjl@nospam.office.emsi.priv.at on Thu, Jul 27, 2000 at 08:45:52PM +0000
Return-Receipt-To: receipts@daemon.org

>  Our login process leaks information:
>
>  A normal login asks for "Password:", a login for a user which
>has an skey entry asks for "Password [otp md4 98 cact39209]:",
>ie. it reveals whether a certain user exists and has s/keys
>enabled.
>
>  This is not really good. I see two alternatives: Either we
>go back to the old ways where the s/key prompt only comes when
>one enters a password of "s/key" (and then generate a fake
>otp prompt for unexistant users), or generate a fake otp prompt
>for everybody. Of course this could be made configurable via
>login.conf as not to clobber all logins.

ftpd leaks too, but there's no easy way to change that.  if you take
it out of the 331 (subsequent to the user command), there's no way for
a client to actually request it.  i imagine most clients would be very
confused by a 331 *after* they pass a pass command.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."