<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body>
<div bgcolor="#ffffff" text="#222222" style="font-family: Arial;
font-size: 11pt;">
Hi,<br>
<br>
Thanks for your support! <br>
<br>
Finally, everything works fine - but on Debian. On RHEL, it was
not possible to do the complete S/Key roundtrip - compiling the
sources was succesful, but the generated skey response has not
been accepted. <br>
<br>
Kind regards,<br>
Patrick<br>
</div>
<div class="moz-cite-prefix"><br>
-- <br>
<div class="moz-signature">
<p><font face="Tahoma, sans-serif"><font style="font-size: 9pt"
size="2">
Patrick Albert<br>
__________________<br>
<b>GIP Exyr GmbH</b><br>
Hechtsheimer Str. 35-37 | 55131 Mainz</font></font> </p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 /
80124 - 24<br>
E-Mail: <a href="mailto:patrick.albert@gip.com"
class="external text"
title="mailto:patrick.albert@gip.com" rel="nofollow">patrick.albert@gip.com</a>
| Web: <a href="http://www.gip.com/" class="external
text" title="http://www.gip.com/" rel="nofollow">www.gip.com</a></font></font></font>
</p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander
Ebbes<br>
Handelsregister: HRB 6870 - Amtsgericht Mainz
</font></font></font> </p>
</div>
Am 17.01.2013 19:34, schrieb heasley:<br>
</div>
<blockquote class=" cite"
id="mid_20130117183405_GE63214_shrubbery_net"
cite="mid:20130117183405.GE63214@shrubbery.net" type="cite">
<pre wrap="">Thu, Jan 17, 2013 at 08:52:32AM +0100, Patrick Albert | GIP:
</pre>
<blockquote class=" cite" id="Cite_0" type="cite">
<pre wrap="">Thanks a lot for your fast response!
It seems we don't talk about exactly the same thing.
In my opinion, S/Key works as follows:
1) The User opens a telnet session on a NAS, e.g. a router
2) The User enters his username which is forwarded by the NAS to the
tac_plus server
3) Now the tac_plus creates the challenge string on the basis of a
random string (seed, salt) and the users password. The challenge string
looks like "98 seed123".
4) tac_plus sends the challenge string to the NAS where it will be
forwarded to the users telnet screen.
Example:
Trying 129.105.5.105 ...
Connected to delta.ece.nwu.edu.
Escape character is '^]'.
SunOS UNIX (delta)
login: chris
s/key 98 pe61662
Password:
5) The user calculates locally on the basis of the challenge string
("s/key [...]") and its password the challenge response. It looks like
"LILA FEST BONG LOSE TINY WINE" - this is the OTP.
6) The user enters the calculated OTP in the telnet window ("Password:
") and has now access to the NAS.
</pre>
</blockquote>
<pre wrap="">Ah, the manner that I am familiar with is:
1) user creates list of skey passwords and keeps these on-hand and so does the
unix box/tacacs host. instead of this paper list of passwords, the user
could have a device or program that computes the hash.
2) user opens session to NAS
3) user enters username
4) receives password prompt with skey index
5) user enters password at the index in the list generated in #1 that looks
like your OTP example.
</pre>
<blockquote class=" cite" id="Cite_1" type="cite">
<pre wrap="">The calculation of such a response can be tested at
<a class="moz-txt-link-freetext" href="http://www.ocf.berkeley.edu/~jjlin/jsotp/">http://www.ocf.berkeley.edu/~jjlin/jsotp/</a>
At <a class="moz-txt-link-freetext" href="http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html">http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html</a>, you can
also find an explanation of this procedure (chapter "Login
Authentication with S/KEY").
So, I don't understand yet how tac_plus would be able to create such a
skey challange without the users password.... .
</pre>
</blockquote>
<pre wrap="">it has it already from when you initilized the user with (or in) skey; see
keyinit in the URL above.
</pre>
<blockquote class=" cite" id="Cite_2" type="cite">
<pre wrap="">Best regards,
Patrick Albert
Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.albert@gip.com">patrick.albert@gip.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:patrick.albert@gip.com"><mailto:patrick.albert@gip.com></a> | Web:
<a class="moz-txt-link-abbreviated" href="http://www.gip.com">www.gip.com</a> <a class="moz-txt-link-rfc2396E" href="http://www.gip.com/"><http://www.gip.com/></a>
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Handelsregister: HRB 6870 - Amtsgericht Mainz
Am 16.01.2013 22:10, schrieb heasley:
</pre>
<blockquote class=" cite" id="Cite_3" type="cite">
<pre wrap="">Wed, Jan 16, 2013 at 05:19:27PM +0100, Patrick Albert | GIP:
</pre>
<blockquote class=" cite" id="Cite_4" type="cite">
<pre wrap="">Hello,
Like ninjabytes
(<a class="moz-txt-link-freetext" href="http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html">http://www.shrubbery.net/pipermail/tac_plus/2007-June/000097.html</a>), I
have some trouble with "tac_plus with S/Key". Unfortunately, the
documentation about "tac_plus and S/Key" isn't really detailed.
The positive aspect:
tac_plus 4.0.4.26 works correctly (login on a NAS with cleartext
password: Done) and the libskey seems to work as well ("configure [...]
--with-skey" and the following "make" without error and the config
snippet "login = skey" was accepted while starting tac_plus).
I use the following config
user = fred {
default service = permit
login = skey
enable = skey
}
My question is now:
When I try to login as "fred" on my NAS, I see the message "Cannot
generate skey prompt for fred" in the tac_plus log file. In my opinion,
it's no wonder that this doesn't work because there is no password
</pre>
</blockquote>
<pre wrap="">this would be skeychallenge() failing. iirc, that would include the
challenge number; its been a while since i've tested this or used skey,
so memory is foggy.
</pre>
<blockquote class=" cite" id="Cite_5" type="cite">
<pre wrap="">configued for the user "fred" - and a skey challenge is build on a
sequence_no, seed and the users password, right? The user itself can
then calculate the response with the challenge string and its password.
</pre>
</blockquote>
<pre wrap="">seed? the password is the OTP, which would be returned after skeychallenge()'s
return was sent to the device for the prompt. the question is why
skeychallenge() fails. i'd suspect that it can't open or find the OTP
database.
</pre>
<blockquote class=" cite" id="Cite_6" type="cite">
<pre wrap="">So: Where can I enter the user's password for an skey authentication in
the tac_plus.conf?
Thanks in advance for your help,
Best regards,
Patrick Albert
--
Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.albert@gip.com">patrick.albert@gip.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:patrick.albert@gip.com"><mailto:patrick.albert@gip.com></a> | Web:
<a class="moz-txt-link-abbreviated" href="http://www.gip.com">www.gip.com</a> <a class="moz-txt-link-rfc2396E" href="http://www.gip.com/"><http://www.gip.com/></a>
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Handelsregister: HRB 6870 - Amtsgericht Mainz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <a class="moz-txt-link-rfc2396E" href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20130116/82e9e5c6/attachment.html"><http://www.shrubbery.net/pipermail/tac_plus/attachments/20130116/82e9e5c6/attachment.html></a>
_______________________________________________
tac_plus mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>
<a class="moz-txt-link-freetext" href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
--
Patrick Albert
__________________
*GIP Exyr GmbH*
Hechtsheimer Str. 35-37 | 55131 Mainz
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124 - 24
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.albert@gip.com">patrick.albert@gip.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:patrick.albert@gip.com"><mailto:patrick.albert@gip.com></a> | Web:
<a class="moz-txt-link-abbreviated" href="http://www.gip.com">www.gip.com</a> <a class="moz-txt-link-rfc2396E" href="http://www.gip.com/"><http://www.gip.com/></a>
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander Ebbes
Handelsregister: HRB 6870 - Amtsgericht Mainz
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<p><font face="Tahoma, sans-serif"><font style="font-size: 9pt"
size="2">
Patrick Albert<br>
__________________<br>
<b>GIP Exyr GmbH</b><br>
Hechtsheimer Str. 35-37 | 55131 Mainz</font></font> </p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Tel: +49 (0) 6131 / 80124 - 27 | Fax: +49 (0) 6131 / 80124
- 24<br>
E-Mail: <a href="mailto:patrick.albert@gip.com"
class="external text"
title="mailto:patrick.albert@gip.com" rel="nofollow">patrick.albert@gip.com</a>
| Web: <a href="http://www.gip.com/" class="external
text" title="http://www.gip.com/" rel="nofollow">www.gip.com</a></font></font></font>
</p>
<p><font color="#595959"><font face="Tahoma, sans-serif"><font
style="font-size: 9pt" size="2">
Geschäftsführer: Dr. Bernd Reifenhäuser, Dr. Alexander
Ebbes<br>
Handelsregister: HRB 6870 - Amtsgericht Mainz
</font></font></font> </p>
</div>
</body>
</html>