<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body>
<div bgcolor="#ffffff" text="#222222" style="font-family: Arial;
font-size: 11pt;">
Thanks a lot for your fast response!<br>
<br>
It seems we don't talk about exactly the same thing. <br>
<br>
In my opinion, S/Key works as follows:<br>
<br>
1) The User opens a telnet session on a NAS, e.g. a router<br>
2) The User enters his username which is forwarded by the NAS to
the tac_plus server<br>
3) Now the tac_plus creates the challenge string on the basis of a
random string (seed, salt) and the users password. The challenge
string looks like "98 seed123". <br>
4) tac_plus sends the challenge string to the NAS where it will be
forwarded to the users telnet screen. <br>
<br>
Example:<br>
<font face="Courier New, Courier, monospace">Trying 129.105.5.105
...<br>
Connected to delta.ece.nwu.edu.<br>
Escape character is '^]'.<br>
<br>
SunOS UNIX (delta)<br>
<br>
login: chris<br>
s/key 98 pe61662<br>
Password:</font><br>
<br>
5) The user calculates locally on the basis of the challenge
string ("s/key [...]") and its password the challenge response. It
looks like "LILA FEST BONG LOSE TINY WINE" - this is the OTP. <br>
6) The user enters the calculated OTP in the telnet window
("Password: ") and has now access to the NAS.<br>
<br>
The calculation of such a response can be tested at
<a class="moz-txt-link-freetext" href="http://www.ocf.berkeley.edu/~jjlin/jsotp/">http://www.ocf.berkeley.edu/~jjlin/jsotp/</a><br>
<br>
At <a class="moz-txt-link-freetext" href="http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html">http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html</a>, you
can also find an explanation of this procedure (chapter "Login
Authentication with S/KEY"). <br>
<br>
So, I don't understand yet how tac_plus would be able to create
such a skey challange without the users password.... . <br>
<br>
Best regards,<br>
Patrick Albert<br>
</div>
<div class="moz-cite-prefix"><br>
<div class="moz-signature">
<p><font face="Tahoma, sans-serif"><font style="font-size: 9pt"
size="2">
Patrick Albert<br>
__________________<br>
<b>GIP Exyr GmbH</b><br>
Hechtsheimer Str. 35-37 | 55131 Mainz</font></font> </p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 /
80124 - 24<br>
E-Mail: <a href="mailto:patrick.albert@gip.com"
class="external text"
title="mailto:patrick.albert@gip.com" rel="nofollow">patrick.albert@gip.com</a>
| Web: <a href="http://www.gip.com/" class="external
text" title="http://www.gip.com/" rel="nofollow">www.gip.com</a></font></font></font>
</p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander
Ebbes<br>
Handelsregister: HRB 6870 - Amtsgericht Mainz
</font></font></font> </p>
</div>
Am 16.01.2013 22:10, schrieb heasley:<br>
</div>
<blockquote class=" cite"
id="mid_20130116211030_GH12528_shrubbery_net"
cite="mid:20130116211030.GH12528@shrubbery.net" type="cite">
<pre wrap="">Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
</pre>
<blockquote class=" cite" id="Cite_0" type="cite">
<pre wrap="">Hello,
Like ninjabytes
(<a class="moz-txt-link-freetext" href="http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html">http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html</a>), I
have some trouble with "tac_plus with S/Key". Unfortunately, the
documentation about "tac_plus and S/Key" isn't really detailed.
The positive aspect:
tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext
password: Done) and the libskey seems to work as well ("configure [...]
--with-skey" and the following "make" without error and the config
snippet "login = skey" was accepted while starting tac_plus).
I use the following config
user = fred {
default service = permit
login = skey
enable = skey
}
My question is now:
When I try to login as "fred" on my NAS, I see the message "Cannot
generate skey prompt for fred" in the tac_plus log file. In my opinion,
it's no wonder that this doesn't work because there is no password
</pre>
</blockquote>
<pre wrap="">this would be skeychallenge() failing. iirc, that would include the
challenge number; its been a while since i've tested this or used skey,
so memory is foggy.
</pre>
<blockquote class=" cite" id="Cite_1" type="cite">
<pre wrap="">configued for the user "fred" - and a skey challenge is build on a
sequence_no, seed and the users password, right? The user itself can
then calculate the response with the challenge string and its password.
</pre>
</blockquote>
<pre wrap="">seed? the password is the OTP, which would be returned after skeychallenge()'s
return was sent to the device for the prompt. the question is why
skeychallenge() fails. i'd suspect that it can't open or find the OTP
database.
</pre>
<blockquote class=" cite" id="Cite_2" type="cite">
<pre wrap="">So: Where can I enter the user's password for an skey authentication in
the tac_plus.conf?
Thanks in advance for your help,
Best regards,
Patrick Albert
--
Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.albert@gip.com">patrick.albert@gip.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:patrick.albert@gip.com"><mailto:patrick.albert@gip.com></a> | Web:
<a class="moz-txt-link-abbreviated" href="http://www.gip.com">www.gip.com</a> <a class="moz-txt-link-rfc2396E" href="http://www.gip.com/"><http://www.gip.com/></a>
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Handelsregister: HRB 6870 - Amtsgericht Mainz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <a class="moz-txt-link-rfc2396E" href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20130116/82e9e5c6/attachment.html"><http://www.shrubbery.net/pipermail/tac_plus/attachments/20130116/82e9e5c6/attachment.html></a>
_______________________________________________
tac_plus mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>
<a class="moz-txt-link-freetext" href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<p><font face="Tahoma, sans-serif"><font style="font-size: 9pt"
size="2">
Patrick Albert<br>
__________________<br>
<b>GIP Exyr GmbH</b><br>
Hechtsheimer Str. 35-37 | 55131 Mainz</font></font> </p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124
- 24<br>
E-Mail: <a href="mailto:patrick.albert@gip.com"
class="external text"
title="mailto:patrick.albert@gip.com" rel="nofollow">patrick.albert@gip.com</a>
| Web: <a href="http://www.gip.com/" class="external
text" title="http://www.gip.com/" rel="nofollow">www.gip.com</a></font></font></font>
</p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander
Ebbes<br>
Handelsregister: HRB 6870 - Amtsgericht Mainz
</font></font></font> </p>
</div>
</body>
</html>