Date:        Mon, 01 Jul 2002 15:29:29 +0900
    From:        itojun@iijlab.net
    Message-ID:  <20020701062929.3369C4B2D@coconut.itojun.org>

  | 	i guess the problem is not how many users are using s/key, but how many
  | 	of installed systems that has it turned on (most of the openssh
  | 	installation shipped with it turned on).

From what I read, I thought the problem occurred only when a response to
a s/key prompt was received, is that correct?

If so, surely that can only happen on systems where s/key is actually used,
regardless of whether or not the openssh code installed had the potential to
use it or not.

If that's all correct, then at the worst this moves the problem from being
a remote exploit to a local one for most sites, as someone would have to
enable s/key first, locally, before being able to attack.

kre