[ On Tuesday, February 1, 2000 at 02:17:42 (+0300), -=ArkanoiD=- wrote: ]
> Subject: Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)
>
> I've seen several s/key (opie, whatever you call it) implementations
> and all of them used some combination of hostname and pseudo-random number
> as automatically generated seed. What systems have the problem you described?

Further analysis of the current implementation of S/Key in NetBSD and dredging of my memory suggests that whoever installed S/Key at the sites I referred to did so by first building and testing with the root account on one machine (and perhaps others) and then making a binary package including the /etc/skeykeys file and installing it on all other machines (since the sites in question were running Solaris-2.5 the practice at those sites was to build on a development machine and then deploy binary packages on all the other machines without compilers). Because of the algorithms used to create a "new" seed the result would be continued use of the same seed on all systems.

I.e. basically it was a documentation bug that, in concert with a latent implementation bug in the seed re-generation, resulted in a serious deployment error.

The fact that this happened more than once to unrelated sites suggests that it could be a common problem.

In theory anyone who knows what I now know about the dangers of using the same secret and the same seed on multiple systems could easily discover and fix the problem. Whether it would be fixed in practice is a separate question! :-)

This would also suggest there are dangers in trying to improve the security of your systems by installing binary packages when those packages were instead designed (either implicitly or explicitly) to be installed from source.

There are probably a couple of papers here for anyone with the time to do some deeper research and write them up! :-)

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoodsat_private> <robohack!woods>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>
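
An added example, not part of the original message: a small audit that takes the contents of /etc/skeykeys collected from several hosts and reports any user whose seed appears on more than one host, and which hosts hold a byte-for-byte identical entry (the sign of a file shipped inside a binary package). The host names, sample entries, function names and the assumed line layout (user, sequence number, seed, hex key, timestamp) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: hypothetical hosts and entries, not from the post.
# Assumed line layout: user, sequence number, seed, hex key, then a timestamp.
SAMPLE = {
    "build01": "root 0095 bu12345 3f2a9c5e7d104b68  Jan 28,2000 10:02:11\n",
    "web01": "root 0099 bu12345 a1b2c3d4e5f60718  Jan 20,2000 09:00:00\n"
             "alice 0050 we67890 0011223344556677  Jan 21,2000 09:00:00\n",
    "web02": "root 0099 bu12345 a1b2c3d4e5f60718  Jan 20,2000 09:00:00\n"
             "# comment line\n"
             "truncated\n",
    "db01": "root 0080 db24680 8899aabbccddeeff  Jan 22,2000 09:00:00\n",
}

def parse_skeykeys(text):
    """Yield (user, seq, seed, key) for each well-formed entry; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        user, seq, seed, key = fields[:4]
        if not seq.isdigit():
            continue
        # Seeds and hex keys are compared case-insensitively.
        yield user, int(seq), seed.lower(), key.lower()

def find_shared_seeds(files_by_host):
    """Map (user, seed) -> hosts sharing that seed, plus hosts with identical state."""
    by_seed = defaultdict(dict)
    for host, text in files_by_host.items():
        for user, seq, seed, key in parse_skeykeys(text):
            by_seed[(user, seed)][host] = (seq, key)
    findings = {}
    for ident, hosts in by_seed.items():
        if len(hosts) < 2:
            continue  # seed is unique to one host: nothing to report
        states = defaultdict(list)
        for host, state in hosts.items():
            states[state].append(host)
        # Same sequence number and stored key on several hosts: the entry was copied.
        copied = sorted(h for grp in states.values() if len(grp) > 1 for h in grp)
        findings[ident] = {"hosts": sorted(hosts), "copied": copied}
    return findings

if __name__ == "__main__":
    for (user, seed), f in find_shared_seeds(SAMPLE).items():
        print(f"{user}: seed {seed} on {f['hosts']}; identical entry on {f['copied']}")
```

A shared seed alone is only a problem when the same secret is also in use on those hosts; an identical sequence number and stored key confirms that it is.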