Subject: Re: A couple of security-related issues.
To: Richard Rauch <rauch@eecs.ukans.edu>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 12/26/2000 20:32:31
On Sun, Dec 24, 2000 at 05:25:34PM -0600, Richard Rauch wrote:
> > >    I seem to remember reading about One Time Passwords as a feature
> > >    of kerberos.  I decided that it sounded a bit over the top to
> > 
> > No, it's skey. It's also here for telnet and rlogin.
> 
> Ah.  And is it OpenSSH or the remote sshd that is giving the
> less-than-helpful ``OTP'' prompt?

Don't know. What does it say when you connect using the -v flag?

> 
> > >    a reason that I should want OpenSSH to do this?  (Or am I missing
> > >    the point of one-time passwords?)
> > > 
> > >    (OpenSSH only does this with some hosts.  My other computer is still
> > >    on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)
> > > 
> > >    I couldn't see any options in ssh's man-page that seemed to govern
> > >    this...
> > 
> > I've run into this as well, and discovered it fell back to otp when
> > the login is invalid. I've found several reasons for a login to be invalid:
> > unknown login, the shell doesn't exist (it took some time to find this
> > one :), ...
> > Check that you can properly log on the console.
> 
> The console of the remote machine?  I don't have access to that
> (physically).  I suppose that I wasn't very clear about the situation
> w.r.t. the machines.  I have two NetBSD machines, here (one on 1.5, one
> on 1.5_ALPHA).  They interoperate nicely.  I have access to several remote
> machines at KU.  We'll call one of them ``tesla'' (because that happens to
> be its name).  I don't know where tesla is, and don't have physical access
> to tesla.
> 
> If I use my 1.5_ALPHA machine to connect to tesla, all is well.  I get a
> password prompt; I answer it; I login.
> 
> If I use 1.5, proper, with OpenSSH, I first get an OTP challenge.  Only
> after failing it 3 times does it fall back to a standard password.  This
> happens on every login.

And with standard passwd it works? Then it can be an option of the local
ssh. What does the ssh.conf man page say about this?

> 
> > >  * I figured that audit-packages would be in /etc/security by now.
> > 
> > audit-packages is a package, it's not part of the base system.
> 
> Yes, but I seem to recall that we had things (like ssh-related, or
> skey-related?) in daily/secure/something before.  You just check to see if
> the pkg is where it ``should''  be, and if it is, then run it.

skey related. But skey is part of the base system.

> 
> I assumed that there was a good reason to have them all directed to
> root, since that's how it comes out of the box.  (sigh)

Hey, it's the only account with a passwd out of the box :)
This assumes someone reads root's messages on a regular basis. The best way to
do this is to redirect the messages to one or more regular accounts :)

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
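The reply above attributes the unexpected OTP prompt to the login being invalid on the remote side (unknown account, missing shell, and so on). The following is an added example, not code from the thread or from NetBSD, of a small check that applies those criteria to a passwd-format line and a shells file before one starts suspecting the ssh client. The function name `check_login` and the sample accounts are made up for illustration; the files are constructed inline so it runs offline rather than against the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original thread: decide whether a login would be
# treated as valid by the criteria named in the reply. Return codes:
#   0 ok, 1 unknown login, 2 no login shell set,
#   3 shell not listed in the shells file, 4 shell missing or not executable.
# check_login USER PASSWD_FILE SHELLS_FILE
check_login() {
    user=$1; passwd_file=$2; shells_file=$3
    # First passwd entry whose login name matches exactly.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "unknown login: $user"; return 1
    fi
    # Seventh field of a passwd line is the login shell.
    shell=$(printf '%s\n' "$entry" | awk -F: '{ print $7 }')
    if [ -z "$shell" ]; then
        echo "$user: no login shell set"; return 2
    fi
    # Whole-line match against the shells file (e.g. /etc/shells).
    if ! grep -qx -- "$shell" "$shells_file"; then
        echo "$user: shell $shell not listed in $shells_file"; return 3
    fi
    if [ ! -x "$shell" ]; then
        echo "$user: shell $shell does not exist or is not executable"; return 4
    fi
    echo "$user: ok ($shell)"; return 0
}

# write_sample_data DIR: constructed, hypothetical accounts for the demo.
# Only /bin/sh is expected to exist on the machine running this.
write_sample_data() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/sh
alice:*:1000:1000:Alice:/home/alice:/bin/sh
bob:*:1001:1001:Bob:/home/bob:/usr/pkg/bin/bash
carol:*:1002:1002:Carol:/home/carol:/bin/ksh
erin:*:1003:1003:Erin:/home/erin:
EOF
    cat > "$dir/shells" <<'EOF'
/bin/sh
/bin/csh
/bin/ksh
EOF
}

# Stand-alone demo run over the constructed data.
TMPD=$(mktemp -d)
write_sample_data "$TMPD"
for u in alice bob carol dave erin; do
    check_login "$u" "$TMPD/passwd" "$TMPD/shells"
done
rm -rf "$TMPD"
```

Running it prints one line per account: alice passes, bob is rejected because /usr/pkg/bin/bash is not in the shells file, carol depends on whether /bin/ksh is actually installed where the script runs, dave is unknown, and erin has no shell at all. Any of the non-zero cases is the sort of "invalid login" the reply says makes the server fall through to the OTP path.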