S/Key solution

Ben Lindstrom mouring at pconline.com
Fri Nov 10 03:30:28 EST 2000

Ok.. I think I've pieced things together.

The skey_fake_keyinfo() is broken.  I've not tried the skey code on
my OpenBSD box,  but I restored all the code in auth-skey.c back to the
original code and I received yet another incorrect challenge.

Moving back to skey_keyinfo() makes it work, *BUT* ignores the original
problem which is stated in the 1.1 check in comments by Markus:


4) generate fake skeys,
   for s/key for nonexisting users, too
   limit auth-tries for nonexisting users, too.

[[...End Quote...]]

So I assume the solution should be doing something like:

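char *skey_fake_keyinfo(char *username)
{
        int i;
        static char str[SKEY_MAX_CHALLENGE];
        struct skey skey;
        /* Ask the S/Key library for the user's real challenge first */
        i = skeychallenge(&skey, username, str);
        if (i == -1) {
                /* ** Generated Fake Response ** (written into str) */
        }
        return str;
}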

This ensures that if the challenge exists we will always get a
valid response (since it's the same code as skeyinfo command =),
and if there is no challenge then faking it so we don't drop hints
of existing/non-existing S/Key accounts.

Unless I missed something during the S/Key setup. =)

- Ben
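
Added example, not part of the original post and not OpenSSH code: the lookup-or-fake logic described above, in Python, with the fake challenge derived from the username by HMAC under a server secret so that repeated probes of an unknown name always get the same answer. The `otp-md5 <seq> <seed>` layout, the seed shape, `SKEY_DB` and `SERVER_SECRET` are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: one enrolled user with a stored (sequence, seed) pair.
SKEY_DB = {"alice": (97, "ke1234")}

# Assumption: a per-server secret that never leaves the host (constructed value).
SERVER_SECRET = b"constructed-example-secret"


def real_challenge(username):
    """Stand-in for skeychallenge(): the stored challenge, or None if no entry."""
    entry = SKEY_DB.get(username)
    if entry is None:
        return None
    seq, seed = entry
    return f"otp-md5 {seq} {seed}"


def fake_challenge(username):
    """Build a challenge for a user with no S/Key entry.

    Every field comes from HMAC(secret, username), so the same name always
    yields the same challenge, and nobody without the secret can recompute it
    to tell a fake from a real one.
    """
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:2], "big") % 99            # 1..99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[2:4])
    number = int.from_bytes(digest[4:8], "big") % 10000
    # Same shape as the real seeds in SKEY_DB: two letters plus four digits.
    return f"otp-md5 {seq} {letters}{number:04d}"


def challenge_for(username):
    """Real challenge when one exists, otherwise an indistinguishable fake."""
    return real_challenge(username) or fake_challenge(username)


if __name__ == "__main__":
    for name in ("alice", "nosuchuser", "nosuchuser"):
        print(name, "->", challenge_for(name))
```

A random fake would change on every connection and give the account's absence away, which is why the value is derived rather than generated. The failed-attempt counter has to apply to these names as well, as the quoted check-in comment says.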

More information about the openssh-unix-dev mailing list