> OK, it's time for another hypothetical situation...
> If I had a user community that was 100% dead set against any sort of
> one-time passwords, since they do lots and lots of logins every day over an
> internal net, and yet they occasionally do logins from remote (confusing
> enough... it's my fault), would the following scenario work?
> 1) Router on the link to the outside world, dropping all spoofed packets
> (src = (internal-net, loopback, 192.whatever, etc.)).
> 2) A telnetd which ran either a normal, reusable password login if the
> connection was coming from an internal net, or an S/Key-type login if the
> connection was coming from an external net.
> The modification to telnetd seems trivial, and it would mean the best of
> both worlds: they get their one password for day-to-day use, and I get the
> no-reusable-passwords-over-the-net peace of mind.
> I'm certain that it couldn't be this simple, but I can't see anything wrong
> with it.
I'm a very happy user (disclaimer: and reseller!) of a new product that
does exactly what you describe: I use my reusable password when I log
in at my station, but on the road I'm coming from outside the "trusted
network", and so am forced to use my (SNK-like) Cryptocard token.
(SecurID and S-Key are also supported). Unfortunately for most readers
of this forum, the product, Secure/IP from TGV, Inc., runs only on
However, since it has the features you want, why not call TGV (+1 408
457 5200, or in the U.S. (800) TGV 3440) and buy the documentation? A
quick read will expose many issues you'll want to deal with as you hack
"Steve" Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700 Facsimile +1 608 278 7701
Internet Stephen .
Com Pager (800) 351 8927
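
The source-address decision proposed in point 2 of the question, as an added example that is not part of either message and is not code from telnetd or Secure/IP. The prefix 10.1.0.0/16 and the names `choose_auth` and `choose_auth_text` are assumptions made for illustration, and the peer address is only meaningful if the border filter from point 1 is in place. It goes slightly beyond the thread by handling IPv4-mapped IPv6 peers, and anything not provably internal gets the one-time login.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

enum auth_method { AUTH_REUSABLE_PASSWORD, AUTH_ONE_TIME_PASSWORD };

/* Assumed internal prefix (constructed for this example): 10.1.0.0/16. */
static const uint32_t INTERNAL_NET  = 0x0A010000u;
static const uint32_t INTERNAL_MASK = 0xFFFF0000u;

static int is_internal_v4(uint32_t a) { return (a & INTERNAL_MASK) == INTERNAL_NET; }

/* Decide from the peer address (as getpeername() reports it on the accepted
 * socket). Unknown families and non-internal addresses fail closed to OTP. */
enum auth_method choose_auth(const struct sockaddr *peer)
{
    if (peer->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)peer;
        if (is_internal_v4(ntohl(in4->sin_addr.s_addr)))
            return AUTH_REUSABLE_PASSWORD;
    } else if (peer->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)peer;
        /* A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d. */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr)) {
            uint32_t v4;
            memcpy(&v4, &in6->sin6_addr.s6_addr[12], sizeof v4);
            if (is_internal_v4(ntohl(v4)))
                return AUTH_REUSABLE_PASSWORD;
        }
    }
    return AUTH_ONE_TIME_PASSWORD;
}

/* Helper for trying the policy on textual addresses. */
enum auth_method choose_auth_text(const char *ip)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
    if (inet_pton(AF_INET, ip, &in4->sin_addr) == 1)
        ss.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, ip, &in6->sin6_addr) == 1)
        ss.ss_family = AF_INET6;
    return choose_auth((const struct sockaddr *)&ss); /* unparsed: AF_UNSPEC */
}

int main(void) { return choose_auth_text("10.1.2.3") == AUTH_REUSABLE_PASSWORD ? 0 : 1; }
```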