Re: S/KEY ftp logins

2004-03-09 Thread Jim Hatfield
On Mon, 8 Mar 2004 15:31:50 - , in local.freebsd.questions you
wrote:

>Is there some way to tell if ftp logins are successfully using S/KEY or
>falling back to cleartext?  Is there some way to require S/KEY only?

I believe the password prompt includes "required" if a static
password would not be accepted.

As I recall if you create /etc/skey.access then everything which
is *not* mentioned in that file will require s/key. I think this
also applies to shell logins so you need to be careful.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


S/KEY ftp logins

2004-03-08 Thread Cliff Addy
Is there some way to tell if ftp logins are successfully using S/KEY or
falling back to cleartext?  Is there some way to require S/KEY only?

Cliff




FBSD 4.8-STABLE and S/Key

2003-06-25 Thread Jason L. Schwab
Heya Folks;

I just tried to get s/key support working. I read the handbook
and all it shows is using keyinit as the users to enable their
one-time passwords, and then when I login or ftp/etc, it shows
the s/key support line.

But the passwords that keyinit generates do not work? Any
ideas? I cannot login at all via the s/key password(s).

Thanks.



-
Jason L. Schwab
<[EMAIL PROTECTED]>
http://www.jlschwab.com




Re: s/key

2003-02-18 Thread Ruben de Groot
On Tue, Feb 18, 2003 at 08:55:54AM -0500, Robert Munn typed:
> How do I turn off the prompt for an s/key password?  I started getting
> the request when I upgraded from 4.5 to 4.7

Putting the line:

PreferredAuthentications publickey,password

in /etc/ssh/ssh_config works for me.

> 
> 
> -- 
> Robert Munn
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: s/key

2003-02-18 Thread Dirk-Willem van Gulik


On Tue, 18 Feb 2003, Robert Munn wrote:

> How do I turn off the prompt for an s/key password?  I started getting
> the request when I upgraded from 4.5 to 4.7

'man skey' or 'man skey.access' works; and also check things like the
Challenge in 'man sshd_config'.


Dw.





s/key

2003-02-18 Thread Robert Munn
After upgrading one of my systems from 4.6 to 4.7 I get an S/Key prompt
when I ssh to a 4.6 system.  How can I get rid of the skey prompt?  I have
tried fiddling with pam.conf but it doesn't seem to make any difference.




s/key

2003-02-18 Thread Robert Munn
How do I turn off the prompt for an s/key password?  I started getting
the request when I upgraded from 4.5 to 4.7


-- 
Robert Munn




Re: Help with s/key

2002-11-06 Thread local.freebsd.questions
On Wed, 6 Nov 2002 05:42:07 - , [EMAIL PROTECTED] (Odhiambo
Washington) wrote:

>
>Sincerely, I don't understand this stuff. I've tried to read it.
>Is anyone willing to tell me the advantages of s/key and whether I should use
>it?

Depends how you rate security over convenience.

I have used it often for FTP accounts.

The benefit is that passwords are never re-used and knowledge of
a password can't be used to determine future ones. The downside
is that people find it a pain to have a sheet of passwords and
strike them out one at a time, or use an s/key calculator.





Fwd: Re: Help with s/key

2002-11-05 Thread Jim
S/Key is a pretty nifty way of sending garbled passwords over cleartext means
(telnet).  It was sort of a precursor to ssh.  Although widely used still,
it is somewhat obsolete...but then, one can never be too paranoid, right? :)

So, let me 'splain...

| Sincerely, I don't understand this stuff. I've tried to read it.
| Is anyone willing to tell me the advantages of s/key and whether I should
| use it?
|
| This is what happens:
|
| 
| wash@ns2 ('tty') ~ 479 -> ssh newhost
| otp-md5 105 ba3562 ext
| S/Key Password:

Ok, right here is where you would get the s/key encryption generator thingy
out (in windows you can use winkey (google it)).  There is a *nix command
that will do it too, although, at this time, I can't remember the name of it.

In short, what you would do, provided s/key has a valid passwd for the user
you are trying to login as (it's a separate file in /etc generally called
opeykeys, iirc) when you get the prompt above you would copy the
challenge: otp-md5 105 ba3562 ext
(you really only need the 105 ba3562 but using the whole thing is harmless).

Then you paste that into winkey or the unix equivalent (again, can't remember
what that is called now...I'm doing this all from memory and it's been well
over four years since I've used s/key).  When you press enter you will be
prompted for your password (again, not the system passwd necessarily but the
one you set yourself up with for skey which is reflected in the /etc/opeykeys
file).  Then you will get a strange set of words that look similar to:
HAPPY DESKS AUTOS MAILBOX PEOPLE BLAH
That is what you then copy and paste back to skey at the "S/Key Password:"
prompt and VOILA...assuming you typed your password correctly you should be
granted access.

There are a few neato things about skey.  As the admin, when you set someone
up with an skey account (and if skey is the only login method allowed for
your machine) you set that person up with a certain number of allowed logins
(in the case above, the number left for the allowed logins is 105).  This
number decrements upon every login attempt (iirc, might be every successful
login but I am pretty sure it's every attempt).  When this number hits 0 that
user is no longer allowed to attempt to login until you, as the admin, make
that number > 0.

Openssh will use s/key as a backup method of logging in.  Rightly so, if you
think about it you do NOT want to send your passwords cleartext over telnet
connections.  You're begging for trouble if you do that.  S/Key makes it so
that you can send your password over telnet in cleartext without a cracker
easily getting your password from the wire.  S/Key, last I checked, by
default uses MD5 hashes but I know it can use DSA and MD4 and perhaps other
algorithms as well.

What you are seeing below, if I'm not mistaken, is openssh falling back to
different login methods.  It's probably going in this order: private key,
s/key, then password.

Hope this helps.  If I got anything wrong please correct me.  I really mean
it that I haven't used S/Key in a long time.  But I used to use it all the
time on my servers until ssh became popular.

- Jim

| otp-md5 172 ba9156 ext
| S/Key Password:
| otp-md5 236 ba7561 ext
| S/Key Password:
| [EMAIL PROTECTED]'s password:
| Last login: Fri Nov  1 18:31:46 2002 from 62.8.64.13
| Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
| The Regents of the University of California.  All rights reserved.
| FreeBSD 4.6.2-RELEASE (backup) #0: Fri Oct 11 19:02:55 GMT 2002
|
|
| Welcome to RBS backup server!
|
|
| bash-2.05a$
| 
|
|
|
| Thanks
|
| -Wash

--

- Jim
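
The challenge/response exchange described in the message above, as an added example that is not part of the original thread: a Python sketch of the RFC 2289 otp-md5 hash chain, showing why a captured response cannot be replayed or used to derive the next one. The passphrase and the `Server` class are constructed for illustration, responses are kept as raw 64-bit values rather than the six-word encoding, and the counter here moves only on a successful login.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves into one 64-bit value (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: answer to the challenge 'otp-md5 <count> <seed>'."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):            # walk <count> steps down the hash chain
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical verifier: stores the last accepted OTP, never the passphrase."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.stored = seed, count, last_otp

    def challenge(self) -> str:
        return f"otp-md5 {self.count - 1} {self.seed} ext"

    def login(self, response: bytes) -> bool:
        # Chain exhausted: the account must be re-initialised first.
        if self.count - 1 <= 0:
            return False
        # One more hash step over a valid response reproduces the stored value.
        if fold_md5(response) != self.stored:
            return False
        self.stored = response        # the accepted OTP becomes the new reference
        self.count -= 1
        return True

def demo():
    # Constructed passphrase; seed and count match the challenge quoted in the thread.
    secret, seed = "constructed sample passphrase", "ba3562"
    srv = Server(seed, 106, otp(secret, seed, 106))
    chal = srv.challenge()
    _, n, s, _ = chal.split()
    resp = otp(secret, s, int(n))
    first = srv.login(resp)           # fresh response is accepted
    replay = srv.login(resp)          # the same response sent again is rejected
    return chal, first, replay, srv.challenge()

if __name__ == "__main__":
    print(demo())
```

An eavesdropper who sees the response for count 105 would have to invert the hash to obtain the one for count 104, which is the property the thread describes as passwords never being re-used.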





Help with s/key

2002-11-05 Thread Odhiambo Washington

Sincerely, I don't understand this stuff. I've tried to read it.
Is anyone willing to tell me the advantages of s/key and whether I should use
it?

This is what happens:


wash@ns2 ('tty') ~ 479 -> ssh newhost
otp-md5 105 ba3562 ext
S/Key Password: 
otp-md5 172 ba9156 ext
S/Key Password: 
otp-md5 236 ba7561 ext
S/Key Password: 
[EMAIL PROTECTED]'s password: 
Last login: Fri Nov  1 18:31:46 2002 from 62.8.64.13
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California.  All rights reserved.
FreeBSD 4.6.2-RELEASE (backup) #0: Fri Oct 11 19:02:55 GMT 2002


Welcome to RBS backup server!


bash-2.05a$




Thanks

-Wash

-- 
Odhiambo Washington   <[EMAIL PROTECTED]>  "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com  Windows 95, NT, or better,'
Tel: +254 2 313985-9  +254 2 313922 so I installed FreeBSD."   
GSM: +254 72 743223   +254 733 744121   This sig is McQ!  :-)


"It's Like This"

Even the samurai
have teddy bears,
and even the teddy bears
get drunk.
