S/Key solution
Ben Lindstrom
mouring at pconline.com
Fri Nov 10 03:30:28 EST 2000
Ok.. I think I've pieced together things.
The skey_fake_keyinfo() is broken. I've not tried the skey code on
my OpenBSD box, but I restored all the code in auth-skey.c back to the
original code and I received yet another incorrect challenge.
Moving back to skey_keyinfo() makes it work, *BUT* ignores the original
problem which is stated in the 1.1 check in comments by Markus:
[[...Quote...]]
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
[[...End Quote...]]
So I assume the solution should be doing something like:
    char *skey_fake_keyinfo(char *username)
    {
        int i;
        static char str[SKEY_MAX_CHALLENGE];
        struct skey skey;

        /* Same lookup the skeyinfo command uses; fills str on success. */
        i = skeychallenge(&skey, username, str);
        if (i == -1) { /* Generate fake response */ }
        return(str);
    }
This ensures that if the challenge exists we will always get a
valid response (since it's the same code as skeyinfo command =),
and if there is no challenge then faking it so we don't drop hints
of existing/non-existing S/Key accounts.
Unless I missed something during the S/Key setup. =)
- Ben
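
One way to fill in the fake-response branch sketched in the message above, as an added example that is not part of the original post or of OpenSSH: the fake challenge is derived from the username and a server-side secret, so a nonexistent user gets the same challenge on every request. The `otp-md5 <seq> <seed>` layout, the in-memory table standing in for the S/Key database, the names `challenge_for` and `mix`, and the FNV-1a hash (a stand-in for a keyed cryptographic hash) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_MAX 64   /* assumed size, not libskey's SKEY_MAX_CHALLENGE */

/* Constructed sample table standing in for the S/Key database. */
struct entry { const char *user; int seq; const char *seed; };
static const struct entry db[] = { { "alice", 87, "host41276" } };

/* FNV-1a over secret, NUL, user, NUL. Stand-in only: real code needs a
 * keyed cryptographic hash (e.g. HMAC) so the output cannot be predicted. */
static uint64_t mix(const char *secret, const char *user)
{
    uint64_t h = 14695981039346656037ULL;
    const char *parts[2] = { secret, user };
    for (int p = 0; p < 2; p++)
        for (const char *c = parts[p]; ; c++) {   /* NUL acts as separator */
            h = (h ^ (unsigned char)*c) * 1099511628211ULL;
            if (!*c) break;
        }
    return h;
}

/* Always fills `out`; returns 1 for a real account, 0 for a faked one. */
int challenge_for(const char *user, const char *secret, const char *host,
                  char out[CHALLENGE_MAX])
{
    for (size_t i = 0; i < sizeof(db) / sizeof(db[0]); i++)
        if (strcmp(db[i].user, user) == 0) {
            snprintf(out, CHALLENGE_MAX, "otp-md5 %d %s", db[i].seq, db[i].seed);
            return 1;
        }
    /* Unknown user: derive seq and seed from the name so repeated requests
     * return the same challenge, as they would for a real account. */
    uint64_t h = mix(secret, user);
    int seq = (int)(h % 99) + 1;                      /* 1..99 */
    unsigned seed = (unsigned)((h >> 16) % 100000);   /* five digits */
    snprintf(out, CHALLENGE_MAX, "otp-md5 %d %.4s%05u", seq, host, seed);
    return 0;
}

int main(void)
{
    char c[CHALLENGE_MAX];
    challenge_for("alice", "server-secret", "host", c);      puts(c);
    challenge_for("nosuchuser", "server-secret", "host", c); puts(c);
    return 0;
}
```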