Hello, > jhubbard@wafer-> ssh [EMAIL PROTECTED] > otp-md5 114 wi7854 ext > S/Key Password: > otp-md5 117 wi5044 ext > S/Key Password: > otp-md5 397 wi0652 ext > S/Key Password: > [EMAIL PROTECTED]'s password:
If anyone is concerned about revealing too much information on valid/invalid OTP login names through S/Key or OPIE fake challanges, here is a proof of concept of a much better stateless fake challenge generator. It shouldn't be possible to distuingish valid from invalid OTP login names by just giving a few login attempts. It would not last a statistical analysis, but that many failed login attempts should show up in the logs and raise an alert condition. -Björn =========================================== #!/usr/bin/perl -w # # It should not be important to have two distinct secrets # my $secret1 = "Soylent Green is human!"; my $secret2 = "Komm suesser Tod (BWV 471)"; # # The sequence number should not drop beyond 3, since the user needs # a sequence number to reset the counter. # my $init_seq = 499; my $min_seq = 2; my $max_seq = $init_seq - $min_seq; # # get_fake_challenge(const char *login, time_t esec) # # This subroutine computes a sufficiently good fake sequence # for a given login name and a date. # sub get_fake_challenge { my ($login, $esec) = @_; # # Assuming, a user logs in a few times a day, we have to use a login # schedule, that is constant (but different) for each user. # my $lognums = 2 + (hex substr(`md5 -q -s "$login$secret1"`, 0, 1)) % 7; my $delta = int (($esec / ((24 * 60 * 60) / $lognums)) / $max_seq); # # Compute seed and sequence number # my $seed = `md5 -q -s "$delta$login$secret2"`; chomp $seed; my $seq = $init_seq - ((int ($esec / ((24 * 60 * 60) / $lognums))) % $max_seq); return ($seq, $seed); } # # testcase # my $testlogin = "nouser"; $i = 1; for ($date = 1016265366; $date < 1226000000; $date += 1) { ($seq, $seed) = get_fake_challenge ("nouser", $date); ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($date); printf ("%02u.%02u.%04u %02u:%02u:%02u (%03u, %s)\n", $mday+1, $mon, $year+1900, $hour, $min, $sec, $seq, $seed); if (!($i++ % 40)) { $i = 1; print "Press [RETURN]."; <>; } } To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message