Date: Thu, 23 Sep 1999 11:25:40 -0500 (CDT)
From: Frank Tobin <ftobin@uiuc.edu>
To: FreeBSD-security Mailing List <freebsd-security@freebsd.org>
Subject: OTP schemes with S/Key
Message-ID: <Pine.BSF.4.10.9909231100060.34978-100000@isr4033.urh.uiuc.edu>
The scheme S/Key uses to create an OTP setup with keyinit(1) has been bugging me lately. I'm confused by the program's ability to create a method of becoming a user via login(1) (through telnetd, ftpd, etc.) without any authentication. For example, with access to any user's session, an attacker can use keyinit without any authentication to create a new or modify the current OTP setup of the grabbed user's terminal. Well, technically the authentication could be the fact that the user is currently logged in under their own credentials, but this is generally not accepted as sufficient authentication.

The general thinking behind OTP is that knowing one challenge-response series gives a user credentials for one session, and no more. With the current setup, a user who has credentials for one session can use those credentials to run keyinit and reset the OTP scheme, granting him/her access to more sessions.

Other authentication schemes normally don't allow this sort of bypassing of authentication to change the authentication method; for example, if a user's password were to be changed, the person changing it needs to be authenticated by entering the old password into passwd(1).

I'm thinking that a decent solution would require users to authenticate via some call to login(1) when running keyinit, allowing them to change their OTP setup knowing either their static password, or the next correct challenge-response.

-- 
Frank Tobin                "To learn what is good and what is to be valued,
                            those truths which cannot be shaken or changed."
                            Myst: The Book of Atrus

pgpenvelope = GPG and PGP5 + Pine   www.neverending.org/~ftobin/resources.html
PGP: 4F86 3BBB A816 6F0A 340F  6003 56FF D10A 260C 4FA3
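As an added illustration, not code from the post nor from FreeBSD's S/Key or keyinit(1), here is a toy S/Key-style hash chain on the server side, with the current unchecked reinitialization next to the hardened variant the mail asks for, which replaces the chain only after the caller proves either the static password or the next valid response. The hash function (SHA-256 instead of S/Key's folded MD4/MD5), the class and method names, and the sample seeds are assumptions.

```python
import hashlib
import hmac

def skey_step(x: bytes) -> bytes:
    # One link of the hash chain. Real S/Key folds MD4/MD5 to 64 bits; SHA-256 is an assumption here.
    return hashlib.sha256(x).digest()

def chain(passphrase: str, seed: str, n: int) -> bytes:
    # H^n(seed || passphrase): what the client's calculator computes for sequence number n.
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = skey_step(x)
    return x

class OtpAccount:
    """Server-side state as keyinit(1) would store it: seed, sequence number and H^count."""
    def __init__(self, static_password: str, passphrase: str, seed: str, count: int):
        self.static_password = static_password
        self.seed, self.count = seed, count
        self.last = chain(passphrase, seed, count)

    def verify(self, response: bytes) -> bool:
        # Login: the client sends H^(count-1); hashing it once must reproduce the stored value.
        if self.count <= 0 or not hmac.compare_digest(skey_step(response), self.last):
            return False
        self.last, self.count = response, self.count - 1   # roll the chain forward, no replay
        return True

    def reinit_unchecked(self, passphrase: str, seed: str, count: int) -> None:
        # The behaviour the mail objects to: whoever holds the session can replace the chain.
        self.seed, self.count = seed, count
        self.last = chain(passphrase, seed, count)

    def reinit_authenticated(self, proof, passphrase: str, seed: str, count: int) -> bool:
        # The proposed fix: demand the static password (str) or the next valid OTP (bytes) first.
        if isinstance(proof, bytes):
            ok = self.verify(proof)
        else:
            ok = hmac.compare_digest(proof.encode(), self.static_password.encode())
        if not ok:
            return False
        self.reinit_unchecked(passphrase, seed, count)
        return True
```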