Subject: Re: login/ftpd username probing via s/key
To: None <mikel@shore.net, tech-security@NetBSD.ORG>
From: Ty Sarna <tsarna@endicor.com>
List: tech-security
Date: 06/25/1997 14:00:12
In article <199706251728.NAA27910@northshore.shore.net> you write:
> Recently the change below was made to /bin/login:
> 
> ----------------------------------------------------------------------
[...]
> * if the user has an s/key, provide a reminder in the password prompt
> * if '-s' is given once, force a user that has an s/key to use it
> * if '-s' is given more than once, only permit s/key logins
> ----------------------------------------------------------------------
> 
> What I'm wondering is if the s/key reminder in the prompt may be used
> to probe for valid usernames.  Isn't this a security hole, and if so,
> how bad is it?  When I mentioned my concern to Luke, he mentioned that

Yes, that's why I originally did it the other way. Of course it
wasn't complete. ftpd still had to prompt, and you can still find out if
the user is real or not[*] by entering "s/key" as the password, so it
really doesn't buy much. I suppose you could forge a fake challenge,
but it'd be hard to do in a convincing manner.

I'm not sure it's really solvable.  Perhaps you just have to decide if
the benefits of a one time challenge/response system outweigh the fact
that the challenge is going to give away at least a little bit of
information about your users (like whether or not they exist and how
often they log in).

[*: actually, it will tell you if a user does exist, but won't tell you
if a user doesn't exist.  Maybe there is no such user, or maybe the
user just doesn't have an S/Key]

> ftpd had similar code.
> 
> I think the password prompt should be enabled only if another option
> (-S? -c? other suggestions?) is given.

The whole S/Key implementation needs desperately to be thrown out and
redone, preferably with plugin modules and a great deal more flexibility
for the sysadmin (such as rules saying who can log in when, where,
where from, and with what auth method, rather than the simple -s flag,
which is really insufficient even for simple cases.  I have some thoughts
on how to do this, if anyone is interested).  Failing that, if we're
going to show the challenge all the time anyway, we might as well do
away with the "enter S/Key at the Password: prompt" thing and do it like
everyone else does it (and like ftpd does it).
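The "forge a fake challenge" idea raised above, worked through as an added example (not code from the thread or from NetBSD's login/ftpd): a prompt builder that hands every username an S/Key-style challenge, real if one exists, otherwise one derived from the username with an HMAC under a server-held secret so it is stable across attempts and cannot be predicted by the prober. The secret, the S/Key table and the account list are constructed sample values.

```python
import hmac
import hashlib

# Constructed example: a server-side secret that would live in a file readable
# only by login/ftpd. Changing it changes every fake challenge.
SERVER_SECRET = b"example-secret-keep-out-of-source-control"

# Constructed sample S/Key table: username -> (sequence number, seed).
# Real S/Key keeps this in a key file on the host; the values here are made up.
SKEY_DB = {
    "alice": (97, "ns12345"),
}


def fake_challenge(username: str) -> tuple[int, str]:
    """Derive a stable, plausible-looking (seq, seed) from the username.

    HMAC keyed with the server secret means the same username always gets
    the same fake challenge, so repeated probes cannot tell it from a real
    one, while the prober cannot compute it without the secret.
    """
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    # Real sequence numbers count down from 99; pick something mid-range.
    seq = 20 + digest[0] % 80                  # 20..99
    # Real seeds look like a short letter prefix followed by digits.
    seed_num = int.from_bytes(digest[1:4], "big") % 100000
    return seq, f"ns{seed_num:05d}"


def password_prompt(username: str) -> str:
    """Build the prompt shown before the password is read.

    Every username (real with S/Key, real without one, or nonexistent) gets
    the same shape of prompt, so the prompt alone reveals nothing about
    the account.
    """
    if username in SKEY_DB:
        seq, seed = SKEY_DB[username]
    else:
        seq, seed = fake_challenge(username)
    return f"otp-md5 {seq} {seed}\nPassword:"
```

The prompt is only one channel: the response time and the failure message after a wrong answer must also be identical for real and fake challenges, or the existence leak simply moves there.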