Subject: Re: A couple of security-related issues.
To: Richard Rauch <>
From: Manuel Bouyer <>
List: tech-security
Date: 12/24/2000 18:16:58
On Sat, Dec 23, 2000 at 06:09:12PM -0600, Richard Rauch wrote:
> (Please CC: replies to me; I read the lists via the web-page, which often
> lags.)
> While upgrading from 1.5_ALPHA from August to 1.5 (proper), I noticed some
> bumps and changes w.r.t. security.  Explanations, or pointers to same,
> would be appreciated.
>  * With 1.5 and OpenSSH, I get nagged about ``otp'' (One-Time
>    Password, maybe?) when logging into some systems.  I never got

Yes, it's One-Time Password

>    pestered by this with the standard ssh from pkgsrc.  After 3
>    trials (and failures, since I have no idea what to enter), I
>    get a standard password challenge.
>    I seem to remember reading about One Time Passwords as a feature
>    of kerberos.  I decided that it sounded a bit over the top to

No, it's skey. It's also here for telnet and rlogin.

>    remember a new, arbitrary password for every login, so I never
>    went there.  Can I get OpenSSH to stop this behavior, or is there
>    a reason that I should want OpenSSH to do this?  (Or am I missing
>    the point of one-time passwords?)
>    (OpenSSH only does this with some hosts.  My other computer is still
>    on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)
>    I couldn't see any options in ssh's man-page that seemed to govern
>    this...

I've run into this as well, and discovered it falled back to otp when
the login is invalid. I've found several reasons for a login to be invalid:
unknown login, the shell doesn't exists (it took some time to find this
one :), ...
Check that you can properly log on the console.

>  * Old /etc/security.conf had check_rhosts=NO, with a comment of
>    ``Don't turn this on; malicious users can take advantage''.  Now,
>    it is check_rhosts=YES, with no comment.  I assume that whoever
>    made the change knew what they were doing; still, can someone
>    (briefly) explain why it wasn't okay before, but is okay now?

I seem to remember it was an issue with symlinks and find. I don't know
the details, you may want to check the commit message for the security
script :)

>  * I figured that audit-packages would be in /etc/security by now.

audit-packages is a package, it's not part of the base system.

>    Did it come too late, or was it just an oversight?  (I run it
>    in my /etc/security, though I must admit that I don't check the
>    results as often as I could.  Maybe I should have security's
>    output go to my main account instead of to root?)

you should forward all root mail to individual account(s). Postmaster
and abuse too.

Manuel Bouyer, LIP6, Universite Paris VI.