[tac_plus] Problem with TAC_PLUS and S/Key

Patrick Albert | GIP patrick.albert at gip.com
Wed Jan 23 16:35:15 UTC 2013


Hi,

Thanks for your support!

Finally, everything works fine, but only on Debian. On RHEL, it was not 
possible to do the complete S/Key round trip: compiling the sources was 
successful, but the generated S/Key response was not accepted.

Kind regards,
Patrick

-- 

Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz

Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: patrick.albert at gip.com <mailto:patrick.albert at gip.com> | Web: 
www.gip.com <http://www.gip.com/>

Managing Directors: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Commercial Register: HRB 6870 - Amtsgericht Mainz

On 17.01.2013 19:34, heasley wrote:
> Thu, Jan 17, 2013 at 08:52:32AM +0100, Patrick Albert | GIP:
>> Thanks a lot for your fast response!
>>
>> It seems we don't talk about exactly the same thing.
>>
>> In my opinion, S/Key works as follows:
>>
>> 1) The User opens a telnet session on a NAS, e.g. a router
>> 2) The User enters his username which is forwarded by the NAS to the
>> tac_plus server
>> 3) Now tac_plus creates the challenge string on the basis of a
>> random string (seed, salt) and the user's password. The challenge string
>> looks like "98 seed123".
>> 4) tac_plus sends the challenge string to the NAS where it will be
>> forwarded to the user's telnet screen.
>>
>> Example:
>> Trying 129.105.5.105 ...
>> Connected to delta.ece.nwu.edu.
>> Escape character is '^]'.
>>
>> SunOS UNIX (delta)
>>
>> login: chris
>> s/key 98 pe61662
>> Password:
>>
>> 5) The user calculates the challenge response locally, on the basis of
>> the challenge string ("s/key [...]") and his password. It looks like
>> "LILA FEST BONG LOSE TINY WINE" - this is the OTP.
>> 6) The user enters the calculated OTP in the telnet window ("Password:
>> ") and now has access to the NAS.
> Ah, the manner that I am familiar with is:
> 1) user creates list of skey passwords and keeps these on-hand and so does the
>     unix box/tacacs host.  instead of this paper list of passwords, the user
>     could have a device or program that computes the hash.
> 2) user opens session to NAS
> 3) user enters username
> 4) receives password prompt with skey index
> 5) user enters password at the index in the list generated in #1 that looks
>     like your OTP example.
>
>> The calculation of such a response can be tested at
>> http://www.ocf.berkeley.edu/~jjlin/jsotp/
>>
>> At http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html, you can
>> also find an explanation of this procedure (chapter "Login
>> Authentication with S/KEY").
>>
>> So, I don't understand yet how tac_plus would be able to create such an
>> S/Key challenge without the user's password.
> it has it already from when you initialized the user with (or in) skey; see
> keyinit in the URL above.
>
>> Best regards,
>> Patrick Albert
>>
>>
>> On 16.01.2013 22:10, heasley wrote:
>>> Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
>>>> Hello,
>>>>
>>>> Like ninjabytes
>>>> (http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html), I
>>>> have some trouble with "tac_plus with S/Key". Unfortunately, the
>>>> documentation about "tac_plus and S/Key" isn't really detailed.
>>>>
>>>> The positive aspect:
>>>> tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext
>>>> password: Done) and the libskey seems to work as well ("configure [...]
>>>> --with-skey" and the following "make" without error and the config
>>>> snippet "login = skey" was accepted while starting tac_plus).
>>>>
>>>> I use the following config
>>>>
>>>> user = fred {
>>>>      default service = permit
>>>>      login = skey
>>>>      enable = skey
>>>> }
>>>>
>>>> My question is now:
>>>> When I try to login as "fred" on my NAS, I see the message "Cannot
>>>> generate skey prompt for fred" in the tac_plus log file. In my opinion,
>>>> it's no wonder that this doesn't work because there is no password
>>> this would be skeychallenge() failing.  iirc, that would include the
>>> challenge number; its been a while since i've tested this or used skey,
>>> so memory is foggy.
>>>
>>>> configured for the user "fred" - and an S/Key challenge is built from a
>>>> sequence number, seed and the user's password, right? The user himself can
>>>> then calculate the response with the challenge string and his password.
>>> seed?  the password is the OTP, which would be returned after skeychallenge()'s
>>> return was sent to the device for the prompt.  the question is why
>>> skeychallenge() fails.  i'd suspect that it can't open or find the OTP
>>> database.
>>>
>>>> So: Where can I enter the user's password for an skey authentication in
>>>> the tac_plus.conf?
>>>>
>>>> Thanks in advance for your help,
>>>>
>>>> Best regards,
>>>>
>>>> Patrick Albert
>>>>
>>>>
>>



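The round trip the thread argues about (keyinit storing hash^N once, the server handing out "<number> <seed>" without holding the pass phrase, the user computing the OTP from that prompt and the pass phrase, the server checking one extra hash step and advancing), as a worked example added to this archive page; it is not code from tac_plus, libskey or any of the posters. It implements the otp-md5 variant of RFC 2289 rather than the MD4-based original S/Key of RFC 1760 (hashlib does not always provide MD4), and the hex response form rather than the six-word form (which needs the 2048-word dictionary). The user name "fred" is taken from the tac_plus.conf in the thread; the pass phrase "This is a test." with seed "TeSt" is RFC 2289's published test vector, used here as constructed input.

```python
"""S/Key-style one-time-password round trip (otp-md5, RFC 2289).

Added example; not tac_plus or libskey code.  The server side keeps no
pass phrase: only the last accepted 8-byte hash and its sequence number.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import Optional


def _fold_md5(data: bytes) -> bytes:
    """One OTP hash step: MD5, then fold the 16-byte digest to 8 bytes by
    XORing its two halves (RFC 2289 folding for otp-md5)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_hash(passphrase: str, seed: str, count: int) -> bytes:
    """User side: hash(seed || passphrase), then `count` further steps.
    The seed is case-insensitive and is lowercased before hashing."""
    h = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        h = _fold_md5(h)
    return h


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form of the response typed at the Password: prompt."""
    return otp_hash(passphrase, seed, count).hex().upper()


@dataclass
class OtpRecord:
    """Server-side state per user (the role of an /etc/skeykeys entry):
    no pass phrase, just the last accepted hash and its number."""
    user: str
    seed: str
    seq: int      # sequence number of the hash held in `last`
    last: bytes   # otp_hash(passphrase, seed, seq), 8 bytes


def keyinit(user: str, passphrase: str, seq: int = 99,
            seed: Optional[str] = None) -> OtpRecord:
    """Enrollment: the pass phrase is used once, here, to compute hash^seq.
    The stored record cannot be turned back into any usable OTP."""
    if seed is None:
        alphabet = string.ascii_lowercase + string.digits
        seed = "".join(secrets.choice(alphabet) for _ in range(8))
    return OtpRecord(user, seed, seq, otp_hash(passphrase, seed, seq))


def challenge(rec: OtpRecord) -> str:
    """The prompt handed to the NAS: the number of the OTP the user must
    compute next (one below the stored hash) plus the seed."""
    return f"otp-md5 {rec.seq - 1} {rec.seed}"


def verify(rec: OtpRecord, response: str) -> bool:
    """Hashing the response once more must reproduce the stored value.
    On success the record advances, so a captured response cannot be
    replayed; on failure the record is left untouched."""
    if rec.seq <= 0:
        return False                      # list exhausted; re-enroll
    try:
        resp = bytes.fromhex(response.replace(" ", ""))
    except ValueError:
        return False
    if len(resp) != 8:
        return False
    if not secrets.compare_digest(_fold_md5(resp), rec.last):
        return False
    rec.last = resp
    rec.seq -= 1
    return True


if __name__ == "__main__":
    # Constructed input: RFC 2289's test pass phrase and seed, user "fred".
    passphrase, seed = "This is a test.", "TeSt"
    rec = keyinit("fred", passphrase, seq=99, seed=seed)
    prompt = challenge(rec)                       # "otp-md5 98 TeSt"
    n = int(prompt.split()[1])
    response = otp_hex(passphrase, seed, n)       # computed on the user's side
    print(prompt, "->", response, "accepted:", verify(rec, response))
    print("same response again accepted:", verify(rec, response))
```

The point heasley makes is visible in `OtpRecord`: after `keyinit` the server holds hash^99 and nothing else, the challenge asks for hash^98, and `verify` only needs to apply the hash once to check it. If a server log says it cannot build the prompt at all, the failure is in reading that record, not in any per-user password in the configuration.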
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20130123/f5003d9c/attachment.html>