On Wed, Jan 26, 2000 at 11:53:05AM -0800, Steve VanDevender wrote: > Ultimately I wonder how much of a future S/Key has now that SSH and > similar utilities are widely deployed and provide much more > sophisticated protections, especially session encryption. S/key is still useful, even when you do use SSH. By using S/Key, you can avoid replay attacks if somebody compromise a workstation or temporarily compromise the server (ie, you are secure after reinstall and moving skeykeys over.) You don't get the same effect by using ssh RSA authentication, partly you either have (1) Users that key in the passphrase each time they connect to the server OR (2) Agent forwarding, which means that if any computer they have an account on is compromised, so is your box. Without any logging in their end. Without any *possibility* of proper logging in their end, as the authentication challenges do not themselves contain any authentication. OR (3) Extremely clued users, who either remember to type -a on all ssh connections, don't have agent forwarding at all (disabled for the machine), or has patched ssh to add the -A keyword (now default included in Debian, and possibly in OpenSSH) Eivind.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:52 PDT