I believe that turning s/key off on the server by default may be
sufficient; I *think* that in that case, the client will ask to use
s/key auth and the server will refuse before the client prompts the
user.

auto-configuring it is problematic -- you could look to see if
/etc/skeykeys has zero length, but any user can register their own
skey seed with skeyinit, so once one user runs skeyinit, everyone
starts getting the challenges).

for the ultraparanoid, creating a /var/db/host.random (see skey.h
_SKEY_RAND_FILE_PATH_) at install time (as a seed for the
fake-challenge generator) would be a very smart idea; otherwise, it
uses the last-modified time of /, which may change frequently on some
systems..

By the way, fake s/key challenges for non-existant users or users not
registered with s/key are done in a fairly clever way but can still
leak info over time (because the challenge and sequence number *never*
change unless the fake-challenge random seed, at which point all of
them change); whereas an account which is actually using s/key for
login will show a gradually decreasing s/key sequence number as the
challenges change over time

					- Bill