How secure is bsdauth with skey one time passwords, by itself.

2010-04-16 Thread trustlevel-two
Google turned up races and dictionary attacks if the skey file is readable. I
imagine dictionary attacks via bsd auth would be the only possible known
attack on a properly set up system.

I am intending to use it as a secondary line of defense, but how secure would
skey be as a primary defense?

Are the hash algorithms perfectly adequate? Would sha1 or rmd160 be your
choice?

If a user had a shell via login or exploit and was able to raise privileges
to a different user via skey, and so could use all commands including su to
use skey: any idea how long it would likely take to brute force at the default
settings? Would it be the same time as a standard login (not including the
difference, if any, between local and remote script time) and so almost as
secure, aside from environment pollution?

KeV
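To make the question above concrete, here is an added illustration (not code from the thread, skey(1) or OpenBSD) of the hash chain that S/Key-style one-time passwords are built on. The host stores only the seed, the sequence number and the last accepted password; each login must present the preimage of the stored value under the hash. It also shows why the sniffed response discussed later in the thread cannot be replayed, and why the next response cannot be derived from it without the passphrase. It is simplified: real skey(1) folds each digest to 64 bits and encodes it as six short words, while this keeps the full digest; the class, function names, seed and passphrase are all constructed for the example.

```python
import hashlib
import hmac

# Added illustration of an S/Key-style hash chain (the scheme behind skey(1) and
# RFC 2289). Simplified on purpose: the real implementation folds each digest to
# 64 bits and encodes it as six short words; here the full digest is kept so the
# chain logic stays visible. Names and sample values are constructed for this example.


def hash_bytes(algo, data):
    return hashlib.new(algo, data).digest()


def otp(secret, seed, n, algo="sha1"):
    """n-th password of the chain: the hash function applied n times to seed||secret."""
    assert n >= 1, "sequence 0 would be seed||secret itself"
    x = hash_bytes(algo, (seed + secret).encode())
    for _ in range(n - 1):
        x = hash_bytes(algo, x)
    return x


class SkeyServer:
    """What the host keeps after skeyinit: seed, sequence number and the LAST
    accepted password. The passphrase itself is never stored."""

    def __init__(self, seed, seq, last, algo="sha1"):
        self.seed, self.seq, self.last, self.algo = seed, seq, last, algo

    def challenge(self):
        # Shown to the user at login, in the spirit of "otp-sha1 98 host12345"
        return (self.seq - 1, self.seed)

    def verify(self, response):
        if self.seq <= 1:
            return False  # chain exhausted: the user must re-run skeyinit
        # Hashing the response once must reproduce the stored value.
        if hmac.compare_digest(hash_bytes(self.algo, response), self.last):
            self.last = response  # from now on a replay of this response fails
            self.seq -= 1
            return True
        return False


def enroll(secret, seed, count=100, algo="sha1"):
    """skeyinit: the client computes otp(count) and the host stores only that."""
    return SkeyServer(seed, count, otp(secret, seed, count, algo), algo)


def client_response(secret, challenge, algo="sha1"):
    """skey(1) on the trusted side: recompute the chain from the passphrase."""
    seq, seed = challenge
    return otp(secret, seed, seq, algo)


def demo():
    secret = "correct horse battery staple"  # constructed passphrase
    host = enroll(secret, "host12345", count=100)
    r1 = client_response(secret, host.challenge())
    first = host.verify(r1)
    replay = host.verify(r1)  # an eavesdropper replaying r1 is rejected
    # The eavesdropper cannot derive the next password from r1 either: r2 is a
    # preimage of r1 under the hash, so computing it needs the passphrase.
    r2 = client_response(secret, host.challenge())
    second = host.verify(r2)
    return {"first": first, "replay": replay, "second": second, "seq": host.seq,
            "next_is_preimage": hash_bytes("sha1", r2) == r1}


if __name__ == "__main__":
    print(demo())
```

Two things follow from the structure. A captured response is worthless once accepted, and the chain only moves backwards, so an eavesdropper is stuck at the hash of the next password. But the stored head of the chain is exactly what an offline dictionary attack on the passphrase needs, which is why the search result above ties the attack to a readable skey file: the file must stay unreadable to ordinary users, and the passphrase has to resist guessing on its own.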



Re: One time passwords?

2005-09-28 Thread Jurjen Oskam
On Tue, Sep 27, 2005 at 11:36:22PM -0500, C. Bensend wrote:

 1)  Log into system via ssh skey, which is a one-time auth method
 2)  Type 'sudo farfegnugen blahblah yadda'
 3)  Log out

You're assuming that the keys you press are transmitted unmodified to
your server. Since the terminal is not under your control, there's
no reason why it can't send, e.g., 'sudo rm -rf /' all by itself after
it sees you're logged in.

And this is just one example.

-- 
Jurjen Oskam



Re: One time passwords?

2005-09-28 Thread C. Bensend
 You are trusting that the keylogger does not make the guy show up and
 take over your one time password session.

 I can't believe you couldn't see that.

Ah.  OK.  That is exactly the tidbit of information I was not
grokking.  Thank you.


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-28 Thread Bob Beck
 Keylogging I understand fine...  What do you mean by followed in?
 Honest question - I thought with a one-time challenge like skey,
 you'd be fairly safe?  The man page doesn't mention any such
 risk, nor does the FAQ.  I am completely uneducated on skey, as
 I've simply never had a need for it before.  So, feel free to break
 out the cluebat and take a swing, Bob.  :)

Tty/pty sniffing, and the fact that if I'm root/admin I can
do things to your devices that are displaying stuff to you, and
taking input from you.

If I control the machine I control your process and pty (or
equivalent) on the network. I.E. just because I can't get back in with
your OTP doesn't mean I can't make it look like the network is
unresponsive while I do stuff on your connection that you don't see. 

Think about it this way, I used to teach smart kiddies here who
logged in to other places from my machines this lesson by grabbing
their pty, pasting in something like:

NFS server blah not responding. Still trying

then sending mail from their root account to me cc'ed to them
telling me what an asshole I was and they wished I would die, they were
going to come shave my pets, etc. 

then I'd splat back at their pty

NFS server blah OK

and hand them back control of it.

Had I wanted to, and they're using OTP, instead of sending
mail I could have simply backdoored the machine right there to
let me in next time without otp, or whatever else I'd like to do.

the usual result was an ashen faced puppy in my office with their jaw
flapping within 10 minutes after they saw the email. I'd look annoyed
for a minute and then laugh like hell and tell them how I did it. Someone's
gotta educate them.

-Bob



Re: One time passwords?

2005-09-28 Thread L. V. Lammert
On Tue, 27 Sep 2005, stan wrote:

 I find myself in the position sometimes when away from home having access
 to only M$ machines with a base OS load only.

There is really no way to trust a MS machine you don't have control over,
.. even *thinking* you can is asking for trouble.

With hundreds (or thousands) of trojans & key loggers there's just no way
you could feel safe.

 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.

The **ONLY** way to access your remote machine 'sanely' is via ssh, .. but
many public access points block anything except 80 & 443; you *could*
redirect incoming so you could use 443, however.

As an option, consider Webmin - it operates via an ssh port, .. offers
GUI control over the entire machine and even an ssh Java client. You can
also configure users with different 'privileges', so your 'on the road'
user could only access specific functions.

 Would this be a sane thing to do? and if so, where could I find some software
 to support the one time password functionality?

OTPs are best used with a remote 'dongle' to generate time-synchronized
keyphrases, which would provide some level of security and not allow
keystroke loggers to gain any benefit (except capturing whatever you're
typing during the session).

The best solution is to take your laptop (or Zaurus) and find a cafe with
WiFi. (In the states Panera (St. Louis Bread Company) provides free WiFi
with NO ports blocked.)

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net
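For the "use 443" suggestion above, here is an added sshd_config fragment (not from the thread, and not OpenBSD's shipped defaults). It relies on sshd accepting more than one Port directive, so the same daemon answers on 22 and 443 without any firewall redirect; the port numbers are the only assumption.

```text
# /etc/ssh/sshd_config fragment (added example, not from the thread)
# sshd accepts multiple Port directives: keep the normal port for home use
# and add 443 for networks that block everything except 80 and 443.
Port 22
Port 443
```

Note what this does not change: the endpoint. A listener on 443 is exactly as exposed to a keylogger or a hijacked session on an untrusted terminal as one on 22, which is the point the rest of the thread makes.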




Re: One time passwords?

2005-09-28 Thread C. Bensend
 Someone's
 gotta educate them.

Excellent stuff.  I was concentrating blindly on a potential attacker
opening a new connection to my servers, and wasn't giving any thought
to the current connection.  I now see the risks.

Thanks for the education.  :)

Benny


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-28 Thread Rod.. Whitworth
On Wed, 28 Sep 2005 08:20:50 -0700, Donald J. Ankney wrote:

On Sep 27, 2005, at 11:37 PM, Jurjen Oskam wrote:

 On Tue, Sep 27, 2005 at 11:36:22PM -0500, C. Bensend wrote:

 1)  Log into system via ssh skey, which is a one-time auth method
 2)  Type 'sudo farfegnugen blahblah yadda'
 3)  Log out

 You're assuming that the keys you press are transmitted unmodified to
 your server. Since the terminal is not under your control, there's
 no reason why it can't send, e.g., 'sudo rm -rf /' all by itself after
 it sees you're logged in.

 And this is just one example.

 -- 
 Jurjen Oskam


To take this a step further, the host os (untrusted Windows box)  
could also inject malicious keystrokes into an SSH session. It  
wouldn't be as easy an attack since the injection has to happen  
between the keyboard and Putty (rather than just injecting into an  
unencrypted stream), but it still presents an attack vector.

You can put a live-cd together on a business card sized CD that will  
fit in your wallet. Even if you end up with Knoppix instead of  
OpenBSD, at least you know it's clean.


And if I own the internet cafe and have fitted keylogging hardware?

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



One time passwords?

2005-09-27 Thread stan
I find myself in the position sometimes when away from home having access
to only M$ machines with a base OS load only. 

I don't have telnet open on my home network, but i was considering opening
it up on the OpenBSD firewall, and using some sort of one time password
scheme.

Would this be a sane thing to do? and if so, where could I find some software
to support the one time password functionality?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: One time passwords?

2005-09-27 Thread Ray Percival
On Tue, Sep 27, 2005 at 09:22:51PM -0400, stan wrote:
 I find myself in the position sometimes when away from home having access
 to only M$ machines with a base OS load only. 
Things I've learned from travel. 

1. Carry a copy of putty on every form of media you can think of. I have one on my 
camera. Often you can get someone to let you plug *something* in and putty 
pretty much just works.
2. If, like for example the public consoles at Changi and Narita, you can't 
plug in any media pull up the putty download page and choose the run 
application option from the IE download dialog. Putty runs just fine. This was 
tested at both airports and a handful of .sgian cybercafes.
3. Thanks to putty there is no need to resort back to telnet.
 
 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.
 
 Would this be a sane thing to do? and if so, where could I find some software
 to support the one time password functionality?
Yes. But do it *with* ssh. Can't be too careful about keyloggers. 

http://www.openbsd.org/faq/faq8.html#SKey
 
 -- 
 U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
 Terror 
 - New York Times 9/3/1967
 

-- 
BOFH excuse #276:

U.S. Postal Service



Re: One time passwords?

2005-09-27 Thread Bob Beck
Why?. Why why why why why

If you're going to trust the untrusted machine anyway running a virus
run-time environment just google for putty, download and run it. 

Having said that I'd never log in from crap like that.  your risk of
getting nailed by a keylogger or garbage that's been installed on a
machine you don't control is probably far greater than the chances
your telnet session is actually going to get sniffed (unless you are
on wireless, at which point everyone is watching your traffic)

I.E. if a gun was held to my head forcing me to log in somewhere I
cared about, if my choice was to either download putty to a windows
box (or any box) I didn't control and use ssh, or use an openbsd
machine I control and telnet in the clear, I'd pick the latter. IMO
the risk of an eavesdropper on the router path is less than the risk of
running a garbage endpoint operating system, and you need only look at
the volume of worm traffic and the size of the drone armies out there
to know that. 

Mind you the gun holder better shoot well - I didn't say I
liked either alternative.

My two cents? if you are running these things and need to get at them
remotely, and it's not worth enough to have a secure laptop to do it
from? just use telnet and a regular password, security is obviously
not an important enough issue for you then to be wasting time on it. 

And don't tell me you can't afford a laptop - it's not like you need
a fancy one to run OpenBSD and ssh on. You can probably buy a used
laptop capable of doing that for less than what I spend on toilet
paper in a week, considering my ass is really large and I eat
lots of bran. 

-Bob



Re: One time passwords?

2005-09-27 Thread Chris Kuethe
On 9/27/05, stan [EMAIL PROTECTED] wrote:
 I find myself in the position sometimes when away from home having access
 to only M$ machines with a base OS load only.

 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.

 Would this be a sane thing to do? and if so, where could I find some software
 to support the one time password functionality?

turn on httpd and let it serve up copies of putty? If you're working
with M$ machines with only a base OS load, they're sure to let you run
putty directly off the web

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: One time passwords?

2005-09-27 Thread Bill
Like S/Key?
(man skey) - I've not used it, but my understanding is it's one time
passwords

But why not just load a business card cdrom or something with putty and
do ssh.  Heck, put it up somewhere so you can download it.  





On Tue, 27 Sep 2005 21:22:51 -0400
stan [EMAIL PROTECTED] spake:

 I find myself in the position sometimes when away from home having access
 to only M$ machines with a base OS load only. 
 
 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.
 
 Would this be a sane thing to do? and if so, where could I find some software
 to support the one time password functionality?
 
 -- 
 U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
 Terror 
 - New York Times 9/3/1967
 


-- 

Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com



Re: One time passwords?

2005-09-27 Thread C. Bensend
   Why?. Why why why why why

   If you're going to trust the untrusted machine anyway running a virus
 run-time environment just google for putty, download and run it.

I find myself in a similar situation shortly - I'm going to be
doing some vacationing in Europe, and will not be able to take my
laptop with me (it's not mine, it's my employer's).

Hence, if I need to get into any of my networks here (an emergency),
I'll have to use said virus-infested public terminals or an internet
cafe (some keep very good care of their machines, some are total
festering suckholes of vileness).  Regardless, I will not be able
to trust my machine of origination.

In this specific case, I plan on sourcing PuTTY on one of my
webservers, and using skey for authentication.  For those of you
that do more of this than I do, is this a reasonable method of
keeping access into my networks as secure as reasonably possible?

I don't like the idea of logging in from an unknown host, but I
might have to.  I'd like to think the above plan is reasonable,
but as always, am open to criticism.  :)

Benny


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-27 Thread Raymond Lillard

stan wrote:

I find myself in the position sometimes when away from home having access
to only M$ machines with a base OS load only. 


I don't have telnet open on my home network, but i was considering opening
it up on the OpenBSD firewall, and using some sort of one time password
scheme.

Would this be a sane thing to do? and if so, where could I find some software
to support the one time password functionality?



Make a Live CD from OpenBSD and take it with you.
Failing that, get a copy of Knoppix.

Other than the above, Just say NO!!

Ray

PS Stan, Sorry about the double msgs.



Re: One time passwords?

2005-09-27 Thread Han Boetes
That's a fine plan. OTP is kind of tricky to do though, so I
recommend you try it a few times before you accidentally lock
yourself out. Remember you don't have to disable password logins.
You just shouldn't do it from public terminals.



# Han



Re: One time passwords?

2005-09-27 Thread Bob Beck
 I don't like the idea of logging in from an unknown host, but I
 might have to.  I'd like to think the above plan is reasonable,
 but as always, am open to criticism.  :)
 

My criticism is as before:

have to - versus $99.00 laptop on ebay - if you can't
afford that you're either destitute and shouldn't be travelling, 
or your notion of have to is seriously fucked up, as compared
to your concern about your security. I.E. put on your best
Inigo Montoya voice and say:

Have to - you keep using those words. I don't think it
means what you think it means.

If you don't trust the endpoint, no amount of one time passwords, or
ssh will save you. You will get keylogged, or followed in, and owned.
it's that simple. Why mess around with gymnastics like s/key from an
untrusted host instead of solving the real threat to your security? 

And yes, such laptops exist.
http://cgi.ebay.com/Internet-Ready-Compaq-Armada-Laptop-No-Reserve-12_W0QQitemZ6806121193QQcategoryZ31548QQrdZ1QQcmdZViewItem

-Bob



Re: One time passwords?

2005-09-27 Thread stan
On Tue, Sep 27, 2005 at 09:39:56PM -0500, C. Bensend wrote:
  Why?. Why why why why why
 
  If you're going to trust the untrusted machine anyway running a virus
  run-time environment just google for putty, download and run it.
 
 I find myself in a similar situation shortly - I'm going to be
 doing some vacationing in Europe, and will not be able to take my
 laptop with me (it's not mine, it's my employer's).
 
 Hence, if I need to get into any of my networks here (an emergency),
 I'll have to use said virus-infested public terminals or an internet
 cafe (some keep very good care of their machines, some are total
 festering suckholes of vileness).  Regardless, I will not be able
 to trust my machine of origination.
 
 In this specific case, I plan on sourcing PuTTY on one of my
 webservers, and using skey for authentication.  For those of you
 that do more of this than I do, is this a reasonable method of
 keeping access into my networks as secure as reasonably possible?

This sounds like a good approach. Is there some documentation as to how to
set this up?
-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: One time passwords?

2005-09-27 Thread Bryan Irvine
 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.

Webmin has a built-in java ssh client. I'd probably just use that.
It also has VNC that might let you get to your windows machines.

--Bryan



Re: One time passwords?

2005-09-27 Thread C. Bensend
   Have to - you keep using those words. I don't think it
 means what you think it means.

Yes, I know what it means, just as you do.  98% of the time,
have to is want to or really want to.  I'm using it
loosely.  And in this situation, the networks I'm talking about
are my own, so the biggest risk to me is something crashing, and
a few friends do without email for a few days.  So, need is
overstating.

   If you don't trust the endpoint, no amount of one time passwords, or
 ssh will save you. You will get keylogged, or followed in, and owned.
 it's that simple. Why mess around with gymnastics like s/key from an
 untrusted host instead of solving the real threat to your security?

Keylogging I understand fine...  What do you mean by followed in?
Honest question - I thought with a one-time challenge like skey,
you'd be fairly safe?  The man page doesn't mention any such
risk, nor does the FAQ.  I am completely uneducated on skey, as
I've simply never had a need for it before.  So, feel free to break
out the cluebat and take a swing, Bob.  :)

Benny


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-27 Thread Theo de Raadt
   If you don't trust the endpoint, no amount of one time passwords, or
 ssh will save you. You will get keylogged, or followed in, and owned.
 it's that simple. Why mess around with gymnastics like s/key from an
 untrusted host instead of solving the real threat to your security? 

I was in a town in southern Chile, way south.. small little town;
about 10 internet cafes around town.. (in some parts of small town
Chile, every 2nd business is also an internet cafe)

This one place had 8 PC's downstairs, and about 8 upstairs... they had
a full-time guy reinstalling Windows on them, because about 1 hour
after he was done a machine would be re-infected with all sorts of
creepy shit, and after about 8 hours it would become totally
unreliable and sluggish to the point where it was causing their
customers too much grief... and the reinstall dude would make his
rounds again..

And that was a good Internet cafe.  In that town, the others were
worse.  Because they didn't have a guy who reinstalled the machines.

And that was machines in southern Chile, with pretty piss-poor network
connectivity to them.

That is why I travel with a laptop or a Zaurus.  I can read mail on
using a throw-away email address, and if I need to I can use the
Zaurus to do small tasks.

Doing it any other way is totally stupid.  Or you don't need security
and won't have it.

And anyone else here who suggested that you could use OTP to solve
this is totally clueless.



Re: One time passwords?

2005-09-27 Thread C. Bensend
 Doing it any other way is totally stupid.  Or you don't need security
 and won't have it.

 And anyone else here who suggested that you could use OTP to solve
 this is totally clueless.

Obviously, I am missing something fundamental.

If I use an OTP to log into a remote system via an untrusted host,
and I don't type any further passwords in, what exposure am I
presenting?

An example - I skey into a system, issue a 'sudo blahdeeblah blah'
(with no password), and exit.  Even if every single packet is
being sniffed, how does that expose me?  The sniffed skey sequence
is useless now, the sudo procedure didn't expose a password, what am
I missing?

That's all I'm asking about.  Honest question.  I'll slink back
under my rock soon, I promise.  :)

Benny


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-27 Thread Theo de Raadt
 If I use an OTP to log into a remote system via an untrusted host,
 and I don't type any further passwords in, what exposure am I
 presenting?

What exactly do you think untrusted means in the phrase untrusted
host?

Come on, THINK...



Re: One time passwords?

2005-09-27 Thread C. Bensend
 What exactly do you think untrusted means in the phrase untrusted
 host?

That anything and everything will be captured and logged in plain
text.  That's what _I_ consider untrusted.  Everything including
the login credentials, but they're a one-time thing.  Right?  Is
that not the case?

What am I missing here?  This is a very simple question...  In the
following sequence, where do I go wrong?

1)  Log into system via ssh skey, which is a one-time auth method
2)  Type 'sudo farfegnugen blahblah yadda'
3)  Log out

As I understand things, the attackers now have my one-time auth
info, which won't work again.  Right?

They also know I typed 'sudo fargegnugen blahblah yadda'.  Neato.

And they saw me log out.  So, they have an auth string that will
not work, a command that won't work unless they can log in as
me, and they now know how to log out.

I absolutely admit that I'm an idiot when it comes to this.  I
would just appreciate knowing the flaws in this particular plan.

Benny


-- 
Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda.
  -- bash.org



Re: One time passwords?

2005-09-27 Thread Theo de Raadt
  What exactly do you think untrusted means in the phrase untrusted
  host?
 
 That anything and everything will be captured and logged in plain
 text.  That's what _I_ consider untrusted.  Everything including
 the login credentials, but they're a one-time thing.  Right?  Is
 that not the case?
 
 What am I missing here?  This is a very simple question...  In the
 following sequence, where do I go wrong?
 
 1)  Log into system via ssh skey, which is a one-time auth method
 2)  Type 'sudo farfegnugen blahblah yadda'
 3)  Log out
 
 As I understand things, the attackers now have my one-time auth
 info, which won't work again.  Right?
 
 They also know I typed 'sudo fargegnugen blahblah yadda'.  Neato.
 
 And they saw me log out.  So, they have an auth string that will
 not work, a command that won't work unless they can log in as
 me, and they now know how to log out.
 
 I absolutely admit that I'm an idiot when it comes to this.  I
 would just appreciate knowing the flaws in this particular plan.

You are trusting that the keylogger does not make the guy show up and
take over your one time password session.

I can't believe you couldn't see that.



Re: One time passwords?

2005-09-27 Thread Wolfgang S. Rupprecht
 I don't have telnet open on my home network, but i was considering opening
 it up on the OpenBSD firewall, and using some sort of one time password
 scheme.

 Would this be a sane thing to do? and if so, where could I find some software
 to support the one time password functionality?

Once you log in to your machine the untrusted machine can inject
anything it wants into the keyboard stream pretending that you typed
it.  At that point the flood gates are more or less wide open.  It
can:

1) destroy any data you have write access to.  (e.g. delete your
   $HOME directory tree.)

2) grab sources for an attack program from somewhere on the net,
   compile them and start them running.  (e.g. compile up a spam
   server and send tons of spam from your account.)

3) offer a shell to some remote machine (via opening an active tcp
   connection to some port on a waiting host).

Now I don't think either type of keyboard stream injection attack has
happened yet, but it is just a matter of time.

-wolfgang



Re: One time passwords?

2005-09-27 Thread Han Boetes
Theo de Raadt wrote:
 You are trusting that the keylogger does not make the guy show up and
 take over your one time password session.

 I can't believe you couldn't see that.

Sounds pretty TheoRaadtical. :-)



# Han