Emergency! Need single use passwords!
Hi all. We discovered that someone has been running a packet sniffer on our subnet of several dozen computers. He has all the passwords. This is my chance to try to get single use password login programs installed here. Please give me recommendations and ftp locations.

Thanks.

----------------------------------------------------------
Lance Cottrell who does not speak for CASS/UCSD
loki@nately.ucsd.edu
PGP 2.6 key available by finger or server.
"Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come."
--Nietzsche
----------------------------------------------------------

I highly recommend Kerberos. It is available via anonymous ftp from athena-dist.mit.edu:/pub/ATHENA/kerberos (I believe -- they've changed the site around recently). Alternatively you can get CNS from Cygnus Support, which is a more up-to-date Kerberos release.

NOTE: Kerberos is a network authentication system based upon DES and a secure server. It requires that the Kerberos server remain secure, but that tends not to be too much of a problem if you have some machine that you can lock away in a machine room somewhere. No useful information is sent over the net in clear-text, so it solves your sniffer problem as well.

Hope this helps.

-derek

| Hi all. We discovered that someone has been
| running a packet sniffer on our subnet of several
| dozen computers. He has all the passwords.
| This is my chance to try to get single use password
| login programs installed here. Please give me recommendations
| and ftp locations.

S/Key is a very nice software-only solution (no smart cards). It has clients for Mac, PC, Unix, and supports paper lists as well. Can be configured to only be invoked if the connection is from outside your net.

ftp.win.tue.nl:/pub/security/logdaemon.tar.Z

In quick reply to Derek's suggestion of Kerberos, I will point out that Kerberos does not deal well with remote users. As far as I know, you need a special connection mechanism or your password will travel in the clear to the boundary of your kerberized network. (There is Kerberos support for S/Key, there may be telnet programs. There is no paper list or palmtop support.)

Adam

If you're interested, I can mail you the intro to S/Key sent to our user community. It covers S/Key and PGP, since we have users all over the globe.

--
"It is seldom that liberty of any kind is lost all at once." -Hume