Subject: s/key messaging
To: 'tech-security@netbsd.org' <tech-security@NetBSD.ORG>
From: Scott.Burns@Netcontech.Com <Scott.Burns@Netcontech.Com>
List: tech-security
Date: 11/01/1997 22:35:21

In attempting to bring up s/key on a few key accounts on a machine this weekend I ran into something I feel weakens its effectiveness under NetBSD.

If I set up, say, the "root" account to have s/key, and another account called jsmith does not have s/key, the following takes place:

telnet localhost

Login: nonuser
Password: s/key
Login incorrect

telnet localhost

Login: jsmith
Password: s/key
You have no s/key. Login incorrect

This now reveals to me that account jsmith is a valid account on this machine, and does not use s/key, so I can begin to hack. Should this extra message be removed?

Sorry I don't have access to sendpr right now but I thought this was important enough to bring up anyway. I have tested this under a 1.2.1 machine.

Scott Burns
Scott.Burns@Netcontech.Com
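
The difference in replies described in this message, as an added example that is not part of the original post and is not NetBSD's login source: a simplified C model of the reported replies beside a variant that answers every name with a challenge of the same shape. The account table, challenge format, host secret and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed accounts: root has s/key, jsmith exists without it. */
struct acct { const char *name; int has_skey; int seq; const char *seed; };
static const struct acct accts[] = {
    { "root",   1, 97, "ne12345" },  /* constructed sequence and seed */
    { "jsmith", 0, 0,  "" },
};

static const struct acct *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, user) == 0) return &accts[i];
    return NULL;
}

/* FNV-1a seeded with a host secret; stand-in for a real keyed hash. */
static unsigned long mix(const char *user, unsigned long secret) {
    unsigned long h = 2166136261UL ^ secret;
    for (const char *p = user; *p; p++)
        h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    return h;
}

/* Behaviour reported in the message: three distinguishable replies. */
void reply_leaky(const char *user, char *out, size_t n) {
    const struct acct *a = lookup(user);
    if (a == NULL)         snprintf(out, n, "Login incorrect");
    else if (!a->has_skey) snprintf(out, n, "You have no s/key. Login incorrect");
    else                   snprintf(out, n, "s/key %d %s", a->seq, a->seed);
}

/* Uniform variant: unknown and non-s/key names get a stable decoy challenge. */
void reply_uniform(const char *user, char *out, size_t n) {
    const struct acct *a = lookup(user);
    unsigned long h = mix(user, 0x5eedc0deUL);  /* constructed secret */
    if (a != NULL && a->has_skey) snprintf(out, n, "s/key %d %s", a->seq, a->seed);
    else snprintf(out, n, "s/key %d ne%05lu", (int)(h % 99) + 1, (h / 99) % 100000UL);
}

int main(void) {
    const char *names[] = { "nonuser", "jsmith", "root" };
    char a[64], b[64];
    for (int i = 0; i < 3; i++) {
        reply_leaky(names[i], a, sizeof a);
        reply_uniform(names[i], b, sizeof b);
        printf("%-8s leaky: %-36s uniform: %s\n", names[i], a, b);
    }
    return 0;
}
```

The decoy is derived from the name so repeated probes of the same name see the same challenge; any response to a decoy must fail with the same "Login incorrect" as a wrong response to a real challenge.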