[tac_plus] Problem with TAC_PLUS and S/Key

heasley heas at shrubbery.net
Thu Jan 17 18:34:05 UTC 2013


Thu, Jan 17, 2013 at 08:52:32AM +0100, Patrick Albert | GIP:
> Thanks a lot for your fast response!
> 
> It seems we don't talk about exactly the same thing.
> 
> In my opinion, S/Key works as follows:
> 
> 1) The User opens a telnet session on a NAS, e.g. a router
> 2) The User enters his username which is forwarded by the NAS to the 
> tac_plus server
> 3) Now the tac_plus creates the challenge string on the basis of a 
> random string (seed, salt) and the users password. The challenge string 
> looks like "98 seed123".
> 4) tac_plus sends the challenge string to the NAS where it will be 
> forwarded to the users telnet screen.
> 
> Example:
> Trying 129.105.5.105 ...
> Connected to delta.ece.nwu.edu.
> Escape character is '^]'.
> 
> SunOS UNIX (delta)
> 
> login: chris
> s/key 98 pe61662
> Password:
> 
> 5) The user calculates locally on the basis of the challenge string 
> ("s/key [...]") and its password the challenge response. It looks like 
> "LILA FEST BONG LOSE TINY WINE" - this is the OTP.
> 6) The user enters the calculated OTP in the telnet window ("Password: 
> ") and has now access to the NAS.

Ah, the manner that I am familiar with is:
1) user creates list of skey passwords and keeps these on-hand and so does the
   unix box/tacacs host.  instead of this paper list of passwords, the user
   could have a device or program that computes the hash.
2) user opens session to NAS
3) user enters username
4) receives password prompt with skey index
5) user enters password at the index in the list generated in #1 that looks
   like your OTP example.

> The calculation of such a response can be tested at 
> http://www.ocf.berkeley.edu/~jjlin/jsotp/
> 
> At http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html, you can 
> also find an explanation of this procedure (chapter "Login 
> Authentication with S/KEY").
> 
> So, I don't understand yet how tac_plus would be able to create such a 
> skey challange without the users password.... .

it has it already from when you initilized the user with (or in) skey; see
keyinit in the URL above.

> Best regards,
> Patrick Albert
> 
> Patrick Albert
> __________________
> *GIP Exyr GmbH*
> Hechtsheimer Str. 35-37 | 55131 Mainz
> 
> Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
> E-Mail: patrick.albert at gip.com <mailto:patrick.albert at gip.com> | Web: 
> www.gip.com <http://www.gip.com/>
> 
> Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
> Handelsregister: HRB 6870 - Amtsgericht Mainz
> 
> Am 16.01.2013 22:10, schrieb heasley:
> > Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
> >> Hello,
> >>
> >> Like ninjabytes
> >> (http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html), I
> >> have some trouble with "tac_plus with S/Key". Unfortunately, the
> >> documentation about "tac_plus and S/Key" isn't really detailed.
> >>
> >> The positive aspect:
> >> tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext
> >> password: Done) and the libskey seems to work as well ("configure [...]
> >> --with-skey" and the following "make" without error and the config
> >> snippet "login = skey" was accepted while starting tac_plus).
> >>
> >> I use the following config
> >>
> >> user = fred {
> >>     default service = permit
> >>     login = skey
> >>     enable = skey
> >> }
> >>
> >> My question is now:
> >> When I try to login as "fred" on my NAS, I see the message "Cannot
> >> generate skey prompt for fred" in the tac_plus log file. In my opinion,
> >> it's no wonder that this doesn't work because there is no password
> > this would be skeychallenge() failing.  iirc, that would include the
> > challenge number; its been a while since i've tested this or used skey,
> > so memory is foggy.
> >
> >> configued for the user "fred" - and a skey challenge is build on a
> >> sequence_no, seed and the users password, right? The user itself can
> >> then calculate the response with the challenge string and its password.
> > seed?  the password is the OTP, which would be returned after skeychallenge()'s
> > return was sent to the device for the prompt.  the question is why
> > skeychallenge() fails.  i'd suspect that it can't open or find the OTP
> > database.
> >
> >> So: Where can I enter the user's password for an skey authentication in
> >> the tac_plus.conf?
> >>
> >> Thanks in advance for your help,
> >>
> >> Best regards,
> >>
> >> Patrick Albert
> >>
> >> -- 
> >>
> >> Patrick Albert
> >> __________________
> >> *GIP Exyr GmbH*
> >> Hechtsheimer Str. 35-37 | 55131 Mainz
> >>
> >> Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
> >> E-Mail: patrick.albert at gip.com <mailto:patrick.albert at gip.com> | Web:
> >> www.gip.com <http://www.gip.com/>
> >>
> >> Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
> >> Handelsregister: HRB 6870 - Amtsgericht Mainz
> >>
> >> -------------- next part --------------
> >> An HTML attachment was scrubbed...
> >> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20130116/82e9e5c6/attachment.html>
> >> _______________________________________________
> >> tac_plus mailing list
> >> tac_plus at shrubbery.net
> >> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> 
> 
> -- 
> 
> Patrick Albert
> __________________
> *GIP Exyr GmbH*
> Hechtsheimer Str. 35-37 | 55131 Mainz
> 
> Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
> E-Mail: patrick.albert at gip.com <mailto:patrick.albert at gip.com> | Web: 
> www.gip.com <http://www.gip.com/>
> 
> Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
> Handelsregister: HRB 6870 - Amtsgericht Mainz
> 


More information about the tac_plus mailing list