On Sunday 13 February 2011 22:32:13 Okan Demirmen wrote:
> On Sun 2011.02.13 at 16:25 +0100, Peter J. Philipp wrote:
> > > > Architecture: OpenBSD.amd64
> > > > Machine : amd64
> > > >
> > > > >Description:
> > > >
> > > > After about 20 logins or so my SKEY login stopped working. Having
> > > > tried multiple dozen times to login it wouldn't work. So I made a
> > > > testuser and luckily on the second login it didn't work either but I
> > > > see no correlation between the two. A second testuser didn't seem
> > > > to have a problem getting through 5 logins or more.
> > >
> > > Hi,
> > >
> > > I've been unable to reproduce this behavior. Are you 100% sure the
> > > passphrase is being entered correctly? Even if you put in a bogus
> > > passphrase, skey will happily provide you with one-time passwords,
> > > though they will be invalid.
> > >
> > > Can you re-validate your findings?
> > >
> > > Cheers.
> >
> > I just took the information from the testuser skey that was in the
> > original bug report and created this:
> >
> > # pwd
> > /etc/skey
> > # ls -ld
> > drwx-wx--T 2 root auth 512 Feb 13 16:06 .
> > # ls -l
> > total 4
> > -rw------- 1 testuser auth 43 Feb 13 16:06 testuser
> >
> > Then generated the passphrase with password "FOReveryoung1" no quotes and
> > the skey phrases generated look the same as I provided in the bug report.
> > then I ssh'ed to localhost with ssh testuser:skey@localhost and could not
> > log in by copy/pasting the skey phrases into the password. I still could
> > not log in even though the system has changed from 4.7 to 4.9-beta as
> > of a week ago or so.
> >
> > OpenBSD 4.9-beta (GENERIC) #439: Thu Jan 20 17:15:16 MST 2011
> > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> >
> > Now back to you. Are you actually saying that you took my testuser data
> > and installed a testuser generated my passphrases and were able to log in
> > successfully? Are you using amd64 as well?
>
> i386/amd64/sparc64 - all worked as expected. I created my own testuser,
> then just duplicated yours...
>
> Now what I did just notice in the original bug report was that the last
> character of the password was missing (the "T" from LOFT). Maybe that's
> a cut/paste thing?
>
> > I really do think I did everything right with no mistakes and I was
> > locked out of my box from remote as well before which caused me to create
> > this testuser in the first place.
> >
> > I don't have perfect hindsight so there is a chance I did something wrong
> > but it would really suck if this happened to someone with a critical
> > system and they could not get in. For me my systems aren't so critical
> > comparatively.
> >
> > -peter

That "LOFT" argument caught my attention. When was the original list
generated, with what version of OpenBSD? A bug in skey.c v1.25 chopped
last char from some of the longer phrases.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/skey/skey.c.diff?r1=1.25;r2=1.26

-- 
Antti Harri
