Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)

From: Greg A. Woods (woodsat_private)
Date: Tue Feb 01 2000 - 07:41:06 PST

Next message: Russ: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"

Previous message: Brad Griffin: "Re: Bypass Virus Checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ On Tuesday, February 1, 2000 at 02:17:42 (+0300), -=ArkanoiD=- wrote: ]
> Subject: Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)
>
> I've seen several s/key (opie, whatever you call it) implementations
> and all of them used some combination of hostname and pseudo-random number
> as authomatically generated seed. What systems have the problem you described?

Further analysis of the current implementation of S/Key in NetBSD and
dredging of my memory suggests that whomever installed S/Key at the
sites I referred to did so by first building and testing with the root
account on one machine (and perhaps others) and then making a binary
package including the /etc/skeykeys file and installing it on all other
machines (since the sites in question were running Solaris-2.5 the
practice at those sites was to build on a development machine and then
deploy binary packages on all the other machines without compilers).
Because of the algorithms used to create a "new" seed the result would
be continued use of the same seed on all systems.

I.e. basically it was a documentation bug that in concert with a latent
implementation bug in the seed re-generation that resulted in a serious
deployment error.  The fact that this happened more than once to
un-related sites suggests that it could be a common problem.  In theory
anyone who knows what I now know about the dangers of using the same
secret and the same seed on multiple systems could easily discover and
fix the problem.  Whether it would be fixed in practice is a separate
question!  :-)

This would also suggest there are dangers in trying to improve the
security of your systems by installing binary packages when those
packages were instead designed (either implicitly or explicitly) to be
installed from source.

There are probably a couple of papers here for anyone with the time to
do some deeper research and write them up!  :-)

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoodsat_private>      <robohack!woods>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>

Next message: Russ: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"
Previous message: Brad Griffin: "Re: Bypass Virus Checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:51 PDT