Subject: Re: s/key and -current
To: None <current-users@sun-lamp.cs.berkeley.edu>
From: Ty Sarna <tsarna@endicor.com>
List: current-users
Date: 05/21/1994 00:41:10
In article <9405202110.AA26448@augustus.mbfys.kun.nl> Olaf Seibert <rhialto@mbfys.kun.nl> writes:
> Ty Sarna writes:
> >With these patches you can enter "s/key" at a {su,login} Password:
> >prompt and then be prompted for a s/key one-time password, or if you're
> >on a secure login you can just enter your regular password.
> 
> Am I completely misunderstanding this, or would this imply that
> attackers still can do a brute-force attack on the regular password?

Yes, they can still do that. For that matter, they can brute-force
attack an S/Key secret password just as easily as your regular password
-- the only difference is that they need a slightly smarter brute-force
guesser program that knows to run guesses through key(1) with the
appropriate challenge before trying them. S/Key doesn't try to solve the
brute-force problem; it only solves the problem of transmitting
reusable passwords across insecure channels. An easily guessable S/Key
password is just as dangerous as an easily guessable normal password.

-- 
Ty Sarna	     "It pays to be obvious, especially if you have a 
tsarna@endicor.com    reputation for subtlety" -- Salvor Hardin

------------------------------------------------------------------------------
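
Added example, not part of the original message or of the patches it discusses: a minimal S/Key-style hash chain showing what the scheme protects (a one-time password seen on the wire cannot be replayed) and what it leaves to passphrase quality (the response is a deterministic function of the passphrase and the public challenge). The hash is a SHA-256 stand-in rather than S/Key's own function, and the class name, seed and passphrase are constructed for illustration.

```python
import hashlib

def f(data: bytes) -> bytes:
    # Stand-in one-way function (assumption): SHA-256 cut to 64 bits.
    # Real S/Key uses its own hash; only the chain structure matters here.
    return hashlib.sha256(data).digest()[:8]

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: derive the response from the secret passphrase and the
    public challenge (count, seed) by hashing `count` times."""
    value = f((seed + passphrase).encode())
    for _ in range(count):
        value = f(value)
    return value

class SKeyServer:  # hypothetical name, for illustration only
    def __init__(self, passphrase: str, seed: str, n: int):
        self.seed, self.count = seed, n
        self.stored = otp(passphrase, seed, n)  # the passphrase is not kept

    def challenge(self):
        return self.count - 1, self.seed  # sent in the clear

    def login(self, response: bytes) -> bool:
        if f(response) != self.stored:  # one hash step must reach stored value
            return False
        self.stored, self.count = response, self.count - 1
        return True

def demo():
    secret = "constructed sample passphrase"
    server = SKeyServer(secret, "en12345", 99)
    count, seed = server.challenge()
    sniffed = otp(secret, seed, count)   # what an eavesdropper would see
    first = server.login(sniffed)        # legitimate login
    replay = server.login(sniffed)       # same value again: already consumed
    c2, s2 = server.challenge()
    nxt = server.login(otp(secret, s2, c2))
    # The response depends only on the passphrase and public values, so the
    # passphrase's strength is the only remaining protection.
    same = otp(secret, seed, count) == sniffed
    other = otp("another passphrase", seed, count) == sniffed
    return first, replay, nxt, same, other

if __name__ == "__main__":
    print(demo())
```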