From owner-cvs-all Sat Jan 19 6:19:30 2002
Delivered-To: cvs-all@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id 7B1E937B416; Sat, 19 Jan 2002 06:19:22 -0800 (PST)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.11.6/8.11.6) with UUCP id g0JEJFv25029; Sat, 19 Jan 2002 14:19:15 GMT (envelope-from mark@grondar.za)
Received: from grondar.za (mark@localhost [127.0.0.1]) by grimreaper.grondar.org (8.11.6/8.11.6) with ESMTP id g0JEFQt21503; Sat, 19 Jan 2002 14:15:26 GMT (envelope-from mark@grondar.za)
Message-Id: <200201191415.g0JEFQt21503@grimreaper.grondar.org>
To: "Andrey A. Chernov"
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
References: <20020119105418.GA7683@nagual.pp.ru>
In-Reply-To: <20020119105418.GA7683@nagual.pp.ru>; from "Andrey A. Chernov" "Sat, 19 Jan 2002 13:54:19 +0300."
Date: Sat, 19 Jan 2002 14:15:26 +0000
From: Mark Murray
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Sat, Jan 19, 2002 at 10:47:08 +0000, Mark Murray wrote:
> > > ache        2002/01/19 02:09:05 PST
> > >
> > >   Modified files:
> > >     lib/libpam/modules/pam_opie pam_opie.c
> > >   Log:
> > >   If the user does not exist in the OPIE system, return failure immediately
> > >   instead of producing fake prompts with random numbers, which can be
> > >   detected by a potential intruder in two tries and totally confuse
> > >   non-OPIE users.
> >
> > I object to this. The better way is to produce a fake but (semi-)constant
> > challenge.
>
> It is impossible.

Crap.

> 1) How do you plan to identify the intruder to keep the chosen semi-constance
> for him?

It is not based on the intruder. There are lots of ways to do it. One way
is to hash on the month and the uid or username of the account being attacked.
This will change at midnight at the end of the month, but that exposes very
little.

> 2) S/Key and OPIE were designed not to interfere with normal users'
> processing; only incorrectly written applications use those fake prompts.
> Fake prompts may cause not only user confusion but seriously affect
> protocols which do not expect them.

If the protocol is not expecting them, but the user has them enabled, you
have a problem anyway.

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
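The scheme Mark sketches above, a decoy OPIE challenge derived from the month and the account name so that it stays constant across attempts, written out as an added example. This is not code from pam_opie or from either poster; it assumes a keyed hash (HMAC-SHA256 under a hypothetical server-side secret, which the mail does not mention and which is added so an outsider cannot precompute the decoy) and mimics the shape of an OPIE prompt (`otp-md5 <sequence> <seed> ext`). The `random_decoy_challenge` function reproduces the behaviour the commit removed, and `distinct_challenges` is the check a reviewer would run to see whether a decoy scheme gives away anything on a second look.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment would read it from a
# root-only file. Constructed for this example only.
EXAMPLE_SECRET = b"constructed-example-key-not-for-production"

SEED_LETTERS = "abcdefghijklmnopqrstuvwxyz"
SEED_DIGITS = "0123456789"


def decoy_challenge(username: str, year: int, month: int,
                    secret: bytes = EXAMPLE_SECRET) -> str:
    """Deterministic decoy for an account that has no OPIE entry.

    The challenge depends only on (secret, calendar month, username), so
    repeated attempts against the same account within one month see the same
    challenge, just as a real OPIE user would. It rolls over at month end,
    which is the small exposure the mail accepts.
    """
    period = f"{year:04d}-{month:02d}"
    digest = hmac.new(secret, f"{period}:{username}".encode(),
                      hashlib.sha256).digest()
    # OPIE sequence numbers start at 499 and count down; stay in a plausible range.
    sequence = 100 + int.from_bytes(digest[:2], "big") % 400
    # Seed shaped like OPIE's default style: two letters followed by digits.
    seed = (SEED_LETTERS[digest[2] % 26] + SEED_LETTERS[digest[3] % 26]
            + "".join(SEED_DIGITS[b % 10] for b in digest[4:8]))
    return f"otp-md5 {sequence} {seed} ext"


def random_decoy_challenge() -> str:
    """The behaviour the commit removed: a fresh random decoy on every call."""
    sequence = 100 + secrets.randbelow(400)
    seed = (secrets.choice(SEED_LETTERS) + secrets.choice(SEED_LETTERS)
            + "".join(secrets.choice(SEED_DIGITS) for _ in range(4)))
    return f"otp-md5 {sequence} {seed} ext"


def distinct_challenges(challenge_fn, tries: int) -> int:
    """Count how many different challenges `tries` calls produce.

    A decoy scheme passes the consistency check when this returns 1: the
    second look reveals nothing the first did not.
    """
    return len({challenge_fn() for _ in range(tries)})


def looks_like_opie_challenge(challenge: str) -> bool:
    """Sanity check that a decoy has the shape of a real OPIE prompt."""
    parts = challenge.split()
    if len(parts) != 4 or parts[0] != "otp-md5" or parts[3] != "ext":
        return False
    return parts[1].isdigit() and 1 <= int(parts[1]) <= 499 and parts[2].isalnum()


if __name__ == "__main__":
    print("deterministic decoy, 5 tries:",
          distinct_challenges(lambda: decoy_challenge("alice", 2002, 1), 5))
    print("random decoy, 5 tries:       ",
          distinct_challenges(random_decoy_challenge, 5))
    print("January: ", decoy_challenge("alice", 2002, 1))
    print("February:", decoy_challenge("alice", 2002, 2))
```

Keying the hash with a secret is the one addition beyond the mail's description: with a plain hash of month and username, anyone could compute the decoy for a given account and compare it with what the server sends, which would re-open the enumeration the decoy is meant to close. Using the uid instead of the username, as the mail also allows, only changes the string fed to the HMAC.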