FIRST: Neither of these information leakage issues is a security bug in itself. Both S/Key and OpenSSH are secure even with this issue. However, this information leakage may assist a hostile attacker.

General S/Key Information Leakage:

As is commonly known, the S/Key (and OPIE) one-time password system will send the user a challenge string. This string is provided after the username is entered. The string looks like:

    otp-md5 98 indi26401

This string will tell you several things:

1) What hash algorithm is being used (in this case, md5). Because some hash algorithms are weaker than others, this will help an attacker determine which accounts to attempt to attack.

2) The "indi26401" is a "seed" value. If this seed changes, then it is clear that the user has changed the passphrase that S/Key uses to generate one-time passwords.

3) The "98" indicates that S/Key is expecting password #98. By watching this number, it is possible to determine a user's login frequency. By watching it at different times in the day, the user's habits can be determined.

Note that in an S/Key enabled system, "su" also uses S/Key passwords for root, which helps an attacker know when the system administrators are maintaining the system (and when they are on vacation...).

OpenSSH & S/Key Implementation Problems

There are some bad implementations of S/Key in client programs. OpenSSH (at least on OpenBSD 2.9) is one such bad implementation.

OpenSSH only provides this challenge string if (1) the user exists and (2) the user is using one-time passwords. Otherwise, it simply asks for a password (or "hangs up" on the remote client if reusable passwords are not allowed). Obviously, in an environment where one-time passwords are required, this provides an easy way of finding out usernames.

FIXES:

- If S/Key passwords are used at all, "fake" challenge strings should be printed whenever a real challenge string is not available. OPIE does this right.

- Unfortunately, much of the information leakage cannot be helped. It would be trivial to prevent display of the hash algorithm used, but that would provide very little security - the real threat is the sequence number, as it lets an attacker profile a system. The sequence number is required as it is used when precomputed password lists are used.

- OpenSSH and other programs often monitor failed logins. Reviewing your logs will alert you to this type of activity. However, once alerted, your options are very limited - either disconnect your system from the network or allow yourself to continue to be probed! (You might block offenders' IP addresses, but that will be difficult as offenders usually have a large number of IPs to come from.)

-- Joel Maslak
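
The first fix above, sketched as an added example (not part of the original post, and not OPIE's or OpenSSH's code): the fake challenge is derived with an HMAC over the username, so a name with no S/Key entry gets the same plausible string on every attempt. The host secret, the sample database, the 1..99 sequence range and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import string

# Constructed sample data: S/Key state for enrolled users (algorithm, sequence, seed).
SKEY_DB = {"joel": ("md5", 98, "indi26401")}

# Assumption: a random per-host secret, generated once at install time and kept private.
HOST_SECRET = b"constructed-example-secret-do-not-reuse"


def fake_challenge(username: str, secret: bytes = HOST_SECRET, alg: str = "md5") -> str:
    """Derive a stable challenge for a name that has no S/Key entry.

    Keying on the username means repeated probes of one name always see the
    same seed and sequence, as they would for a real, idle account.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    # Four lowercase letters plus five digits: the shape of the seed "indi26401".
    letters = "".join(string.ascii_lowercase[b % 26] for b in digest[:4])
    digits = f"{int.from_bytes(digest[4:8], 'big') % 100000:05d}"
    # Assumed range 1..99 so the number resembles the "98" in the sample challenge.
    seq = int.from_bytes(digest[8:10], "big") % 99 + 1
    return f"otp-{alg} {seq} {letters}{digits}"


def challenge_for(username: str, db=SKEY_DB) -> str:
    """Return the real challenge for an enrolled user, else the derived fake."""
    entry = db.get(username)
    if entry is None:
        return fake_challenge(username)
    alg, seq, seed = entry
    return f"otp-{alg} {seq} {seed}"


if __name__ == "__main__":
    for name in ("joel", "nosuchuser", "nosuchuser"):
        print(name, "->", challenge_for(name))
```

A derived sequence number never counts down, so this removes the difference between known and unknown names at the prompt but does nothing about the sequence-number profiling of real accounts described in the post.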