[tac_plus] Problem with TAC_PLUS and S/Key

Patrick Albert | GIP patrick.albert at gip.com
Thu Jan 17 07:52:32 UTC 2013


Thanks a lot for your fast response!

It seems we don't talk about exactly the same thing.

In my opinion, S/Key works as follows:

1) The User opens a telnet session on a NAS, e.g. a router
2) The User enters his username which is forwarded by the NAS to the 
tac_plus server
3) Now the tac_plus creates the challenge string on the basis of a 
random string (seed, salt) and the user's password. The challenge string 
looks like "98 seed123".
4) tac_plus sends the challenge string to the NAS where it will be 
forwarded to the user's telnet screen.

Example:
Trying 129.105.5.105 ...
Connected to delta.ece.nwu.edu.
Escape character is '^]'.

SunOS UNIX (delta)

login: chris
s/key 98 pe61662
Password:

5) The user calculates locally on the basis of the challenge string 
("s/key [...]") and his password the challenge response. It looks like 
"LILA FEST BONG LOSE TINY WINE" - this is the OTP.
6) The user enters the calculated OTP in the telnet window ("Password: 
") and has now access to the NAS.

The calculation of such a response can be tested at 
http://www.ocf.berkeley.edu/~jjlin/jsotp/

At http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html, you can 
also find an explanation of this procedure (chapter "Login 
Authentication with S/KEY").

So, I don't understand yet how tac_plus would be able to create such a 
skey challenge without the user's password...

Best regards,
Patrick Albert

Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz

Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: patrick.albert at gip.com | Web: www.gip.com

Managing directors: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Commercial register: HRB 6870 - Amtsgericht Mainz

On 16.01.2013 22:10, heasley wrote:
> Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
>> Hello,
>>
>> Like ninjabytes
>> (http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html), I
>> have some trouble with "tac_plus with S/Key". Unfortunately, the
>> documentation about "tac_plus and S/Key" isn't really detailed.
>>
>> The positive aspect:
>> tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext
>> password: Done) and the libskey seems to work as well ("configure [...]
>> --with-skey" and the following "make" without error and the config
>> snippet "login = skey" was accepted while starting tac_plus).
>>
>> I use the following config
>>
>> user = fred {
>>     default service = permit
>>     login = skey
>>     enable = skey
>> }
>>
>> My question is now:
>> When I try to login as "fred" on my NAS, I see the message "Cannot
>> generate skey prompt for fred" in the tac_plus log file. In my opinion,
>> it's no wonder that this doesn't work because there is no password
> this would be skeychallenge() failing.  iirc, that would include the
> challenge number; it's been a while since i've tested this or used skey,
> so memory is foggy.
>
>> configured for the user "fred" - and a skey challenge is built on a
>> sequence_no, seed and the user's password, right? The user himself can
>> then calculate the response with the challenge string and his password.
> seed?  the password is the OTP, which would be returned after skeychallenge()'s
> return was sent to the device for the prompt.  the question is why
> skeychallenge() fails.  i'd suspect that it can't open or find the OTP
> database.
>
>> So: Where can I enter the user's password for an skey authentication in
>> the tac_plus.conf?
>>
>> Thanks in advance for your help,
>>
>> Best regards,
>>
>> Patrick Albert
>>


