Re: OpenSSH & S/Key information leakage

From: Pavel Kankovsky (peakat_private)
Date: Sun Nov 18 2001 - 12:40:45 PST

Next message: Ulf Harnhammar: "Trouble with cookies and redirect"

Previous message: securityat_private: "Cross Site Scripting holes abound"
In reply to: Alan J Rosenthal: "Re: OpenSSH & S/Key information leakage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 15 Nov 2001, Alan J Rosenthal wrote:

> A login prompt for a non-account looks like this:
> 
> 	login: flomp
> 	otp-md5 175 at2078 ext
> 	Response: 
> 
> So far, so good.  But press return once or twice to get "Login incorrect"
> (or make a new conection), and then do
> 
> 	login: flomp
> 	otp-md5 220 at0624 ext
> 	Response: 
> 
> Either the user just set a new passphrase in this one-second interval, or
> "flomp" does not exist.

Seed the PRNG generating this fake challenge with the given username and
nothing but the username (and perhaps some *static* secret data).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Next message: Ulf Harnhammar: "Trouble with cookies and redirect"
Previous message: securityat_private: "Cross Site Scripting holes abound"
In reply to: Alan J Rosenthal: "Re: OpenSSH & S/Key information leakage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 11:04:42 PST