by mail.netbsd.org with SMTP; 28 Jul 2000 00:37:44 -0000
	by inner.net (8.7.6/8.9.3) with ESMTP id AAA26999;
	Fri, 28 Jul 2000 00:37:11 GMT
Message-Id: <4.2.0.58.20000727203158.009a2af0@avarice.inner.net>
Date: Thu, 27 Jul 2000 20:33:33 -0400
To: mjl@nospam.office.emsi.priv.at (Martin J. Laubach)
From: RJ Atkinson <rja@inet.org>
Subject: Re: login leaks information w/ skeys
Cc: tech-security@netbsd.org
In-Reply-To: <964730751.507513@maschndrohtzaun.emsi.priv.at>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 16:45 27/07/00 , Martin J. Laubach wrote:
>   A normal login asks for "Password:", a login for a user which
>has an skey entry asks for "Password [otp md4 98 cact39209]:",
>ie. it reveals whether a certain user exists and has s/keys
>enabled.

Anyone still using cleartext passwords is either in a safe
environment where this doesn't matter or already badly hosed,
IMHO.

>   This is not really good. I see two alternatives: Either we
>go back to the old ways where the s/key prompt only comes when
>one enters a password of "s/key" (and then generate a fake
>otp prompt for unexistant users), or generate a fake otp prompt
>for everybody. Of course this could be made configurable via
>login.conf as not to clobber all logins.

I don't care much for either of those ideas.  The real fix,
if one is in an environment where security is at issue, is
to simply have OTP keys for all logins, IMNVHO.

Ran