>If I had a user community that was 100% dead set against any sort of
>one-time passwords, since they do lots and lots of logins every day over an
>internal net, and yet they occasionally do logins from remote (confusing
>enough... it's my fault), would the following scenario work?
>2) A telnetd which ran either a normal, reusable password login if the
>connection was coming from an internal net, or an S/Key-type login if the
>connection was coming from an external net.
Nothing wrong with it so long as the router is properly protected
and you are only worried about intruders logging in, not that they
might intercept your traffic.
The trouble you get into is that to go from the telnetd node to any other node,
they will still be sending a cleartext login/password.
However, if they will accept S/Key, why not a token such as Enigma-Logic,
Security Dynamics, or Secure Computing ? Or even a software OTP ? Much easier