Great Circle Associates Firewalls
(August 1994)
 

Subject: Re: s/key whine...
From: John Hawkinson <jhawk @ panix . com>
Date: Wed, 10 Aug 1994 09:04:04 -0400 (EDT)
To: hobbit @ bronze . lcs . mit . edu (*Hobbit*)
Cc: firewalls @ greatcircle . com, skey-users @ thumper . bellcore . com
In-reply-to: <199408100829 . EAA08701 @ bronze . lcs . mit . edu> from "*Hobbit*" at Aug 10, 94 04:29:00 am

> From: hobbit @ bronze . lcs . mit . edu (*Hobbit*)
> To: firewalls @ greatcircle . com

This doesn't belong on firewalls, but rather on skey-users.
Please don't cc firewalls on replies.

> The various versions of s/key I've found around the net seem to boil
> down to two rather divergent sources, and now Mjr is putting in his
> own hacks.  There are a mess of hacks I want to put in, too, and I'm
> getting really frustrated trying to figure out what the "right"
> starting source is, and whether the login and/or ftpd contained
> therein is worth a hoot.

It seems that there are right now three major splinter versions:

	1) The original s/key from thumper, /pub/nmh; this is clearly
	a fine version to start with, but has various problems,
	nonportabilities, etc.

	2) Scott Chasin's various hacks from crimelab.com; much of these
	seem OK, however Scott seems to be unable to stay on the net for
	long periods of time, and I've heard nothing about the beta version
	that was so hyped back a few months ago; certain versions have also
	disappeared from anon ftp, ominously.

	3) NRL (Ran Atkinson et al)'s modified version of s/key which also
	supports MD5, is freely exportable, and is based on 1)
	(so is essentially a newer version of 1)). This also contains
	Marcus' hacks. Get this from thumper in /pub/nmh/nrl.

There's also a minor splinter, which I haven't looked at closely:

	NetBSD supports skey out of the box, however all of the key programs
	are renamed to skey (key to skey, keyinit to skeyinit, etc.).
	NetBSD's login supports skey auth if you enter "s/key" in the password
	field. Like so:

		NetBSD/i386 (zorkmid.gue.org) (ttyp0)
		
		login: jhawk
		Password:
		[s/key 992 zork42220]
		Response: 

Out of these, I would recommend using the NRL version.

> And I still can't find the "automatic" DOS client.

It's on thumper in nmh/dos/termkey.exe;

> Am I just being dense, or is the whole thing really in a bit of a
> shambles?

Yes :-)

> This *is* firewalls-relevant, because I see s/key as one of several
> interesting ways for authorized people to punch small holes in their
> own defenses from the outside so they can "call home" securely...

Perhaps, but it's far more skey-relevant, and really discusses specific gripes
w/ skey rather than firewalls per se, and as such should be discussed on the
s/key list.

--
John Hawkinson
jhawk @ panix . com

