1994-12-14 - Re: Emergency! Need single use passwords!

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: loki@nately.UCSD.EDU (Lance Cottrell)
Message Hash: 25c37bd0ab69022e8660cfbad55e2a0624ce35e8143ecd65cd8051072de9398a
Message ID: <199412140410.XAA16407@bwh.harvard.edu>
Reply To: <9412140329.AA27612@nately.UCSD.EDU>
UTC Datetime: 1994-12-14 05:12:55 UTC
Raw Date: Tue, 13 Dec 94 21:12:55 PST

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Tue, 13 Dec 94 21:12:55 PST
To: loki@nately.UCSD.EDU (Lance Cottrell)
Subject: Re: Emergency! Need single use passwords!
In-Reply-To: <9412140329.AA27612@nately.UCSD.EDU>
Message-ID: <199412140410.XAA16407@bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain



| Hi all. We discovered that someone has been
| running a packet sniffer on our subnet of several
| dozen computers. He has all the passwords.
| This is my chance to try to get single use password
| login programs installed here. Please give me recommendations
| and ftp locations.

	S/Key is a very nice software only solution (no smart cards).
It has clients for Mac, PC, Unix, and supports paper lists as well.
Can be configured to only be invoked if the connection is from outside
your net.  ftp.win.tue.nl:/pub/security/logdaemon.tar.Z

	In quick reply to Derek's suggestion of Kerberos, I will point
out that Kerberos does not deal well with remote users. As far as I
know, you need a special connection mechanism or your password will
travel in the clear to the boundary of your kerberized network.  (There
is Kerberos support for S/key, there may be telnet programs.  There is
no paper list or palmtop support.)

Adam

	If you're interested, I can mail you the intro to S/Key sent
to our user community.  It covers S/key and PGP, since we have users
all over the globe.

-- 
"It is seldom that liberty of any kind is lost all at once."
						       -Hume




