Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
To: tech-security@netbsd.org (NetBSD Security Technical Discussion List)
From: RJ Atkinson <rja@inet.org>
List: tech-security
Date: 02/01/2000 08:45:52

At 16:03 30-01-00, Greg A. Woods wrote:
>How "easy" is it to mis-configure s/key so that a number of hosts will
>all share the same challenge/response keys for each account? (This is
>the most common problem I've seen s/key or OPIE sites encounter.)

OPIE sites with a default configuration should not have multiple users
ending up with the same sequence number (e.g. "99") and challenge string
(e.g. "most02030") at all often.

>Is the "bug" where "skey" generates different responses on different
>architectures known and if so is it fixed in -current and 1.4.2?

Not a problem with OPIE.

Ran
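
Added example, not part of the original message and not OPIE's own code: a Python audit that flags any challenge (sequence number plus seed) recorded for more than one host/user entry, the situation the question and the reply both describe, and computes the response to show that entries sharing a challenge and passphrase accept the same one-time password. The entry tuples, host names and function names are constructed for illustration, and the response calculation assumes the RFC 2289 otp-md5 algorithm.

```python
import hashlib
from collections import defaultdict

def fold_md5(data: bytes) -> bytes:
    """MD5 digest folded to 64 bits by XORing its two 8-byte halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_response(passphrase: str, seed: str, seq: int) -> bytes:
    """64-bit one-time password answering the challenge 'otp-md5 <seq> <seed>'."""
    # The seed is case-insensitive and is lowercased before use.
    key = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(seq):
        key = fold_md5(key)
    return key

def server_accepts(stored_next: bytes, submitted: bytes) -> bool:
    """The server keeps the OTP for seq+1 and hashes the submitted one once."""
    return fold_md5(submitted) == stored_next

def shared_challenges(entries):
    """Return {(seq, seed): [(host, user), ...]} for challenges seen more than once."""
    seen = defaultdict(list)
    for host, user, seq, seed in entries:
        seen[(seq, seed.lower())].append((host, user))
    return {chal: who for chal, who in seen.items() if len(who) > 1}

# Constructed sample entries (host, user, sequence, seed); not a real key database.
ENTRIES = [
    ("hosta", "alice", 99, "most02030"),
    ("hostb", "alice", 99, "most02030"),  # same challenge present on a second host
    ("hosta", "bob", 97, "ho41177"),
    ("hostb", "bob", 97, "ho52208"),      # distinct seed per host: not flagged
]

if __name__ == "__main__":
    for (seq, seed), who in shared_challenges(ENTRIES).items():
        print(f"otp-md5 {seq} {seed} is shared by {who}")
```

Giving each host its own seed for an account, as in the two constructed "bob" entries, keeps the responses distinct even when the passphrase and sequence number are the same.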