From owner-ssh@clinet.fi  Tue Jun 23 18:51:03 1998
Received: from lohi.clinet.fi (majordom@lohi.clinet.fi [194.100.0.7]) by hutcs.cs.hut.fi (8.8.8/8.8.8) with ESMTP id SAA00415; Tue, 23 Jun 1998 18:51:02 +0300 (EET DST)
Received: (from majordom@localhost)
	by lohi.clinet.fi (8.9.0/8.9.0) id SAA21788
	for ssh-outgoing; Tue, 23 Jun 1998 18:50:31 +0300 (EEST)
X-Authentication-Warning: lohi.clinet.fi: majordom set sender to owner-ssh@clinet.fi using -f
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198])
	by lohi.clinet.fi (8.9.0/8.9.0) with ESMTP id SAA21778
	for <ssh@clinet.fi>; Tue, 23 Jun 1998 18:50:23 +0300 (EEST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA05627; Tue, 23 Jun 1998 11:48:07 -0400 (EDT)
From: Adam Shostack <adam@homeport.org>
Message-Id: <199806231548.LAA05627@homeport.org>
Subject: Re: WARNING: SSH + TIS fwtk authsrv is vulnerable to attack
In-Reply-To: <9806230957.ZM2583@ihgp1.ih.lucent.com> from Dave Dykstra at "Jun 23, 98 09:57:43 am"
To: dwd@lucent.com (Dave Dykstra)
Date: Tue, 23 Jun 1998 11:48:07 -0400 (EDT)
Cc: ssh@clinet.fi
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ssh@clinet.fi
Precedence: bulk

I'll add that this is the case even when you use the encryption
software for authsrv (the servio.c and clio.c that are export
controlled.)  The software uses a set key with no cookie, nonce, or
other variance to tie one message to the next, and a replay attack is
trivial.

Adam

Dave Dykstra wrote:
| The TIS firewall toolkit (http://www.tis.com) includes an authentication
| server that supports many kinds of high-security authentication methods,
| such as BellCore's S/KEY, Digital Pathways SecurNet Key SNK004, and
| VASCO's Digipass (http://www.vasco.com).  The authentication server
| provides a service and a protocol for applications to use to authenticate
| users.  This has been integrated into SSH with the "--with-tis" configure
| option.
| 
| WARNING: the protocol between sshd and the TIS fwtk authentication server 
| "authsrv" is wide open ordinary TCP and is vulnerable to attack unless the
| network between authsrv and sshd is private.

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
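The replay problem Adam describes above, shown as a toy model (an added example for this archive page, not code from the fwtk authsrv, servio.c or clio.c, and not their real message format): a fixed shared key, deterministic encryption, and nothing in the server's reply that ties it to the request, so a captured "ok" answer can be handed back to the client for any later login. The second half shows the minimal fix his wording implies, a per-request nonce the reply must echo. The cipher here is a stand-in built from HMAC-SHA256, the user table and the `user:otp` request layout are constructed for the demo, and the function names are the example's own.

```python
"""Toy replay attack on a fixed-key, nonce-less auth-server exchange,
and the nonce-bound variant that defeats it.

Everything here is an illustration: the wire format, the cipher and the
names are assumptions, not the TIS fwtk authsrv protocol.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

SHARED_KEY = b"demo-fixed-key"        # assumption: one static key, no per-session variance
OTP_TABLE = {"alice": "one-time-42"}  # constructed sample: the server's one-time-password state


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 over a counter); stands in for the real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic encrypt-then-MAC under a fixed key: same plaintext, same bytes."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return tag + body


def open_(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the MAC and decrypt; None on a forged or damaged message."""
    tag, body = sealed[:16], sealed[16:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:16]):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))


class ReplayingAttacker:
    """On-path attacker: records the first genuine reply, then answers every later
    request with that same captured message and never consults the server again."""

    def __init__(self, server: Callable[[bytes], bytes]):
        self.server = server
        self.captured: Optional[bytes] = None

    def __call__(self, request: bytes) -> bytes:
        if self.captured is None:
            self.captured = self.server(request)  # passive: let one real login through
        return self.captured                      # active: replay it forever after


# --- nonce-less exchange: the reply is just 'ok' or 'fail' under the fixed key ---

def authsrv_nonceless(request: bytes) -> bytes:
    req = open_(SHARED_KEY, request)
    if req is None:
        return seal(SHARED_KEY, b"fail")
    user, _, otp = req.decode(errors="replace").partition(":")
    return seal(SHARED_KEY, b"ok" if OTP_TABLE.get(user) == otp else b"fail")


def sshd_nonceless(user: str, otp: str, transport: Callable[[bytes], bytes]) -> bool:
    """Client side: accepts any message that decrypts to 'ok'."""
    reply = transport(seal(SHARED_KEY, f"{user}:{otp}".encode()))
    return open_(SHARED_KEY, reply) == b"ok"


def demo_nonceless():
    atk = ReplayingAttacker(authsrv_nonceless)
    legit = sshd_nonceless("alice", "one-time-42", atk)  # real login; 'ok' is captured
    forged = sshd_nonceless("mallory", "wrong", atk)      # replayed 'ok' is accepted
    return legit, forged


# --- nonce-bound exchange: the reply must echo a fresh 16-byte nonce from the request ---

def authsrv_nonced(request: bytes) -> bytes:
    req = open_(SHARED_KEY, request)
    if req is None or len(req) < 16:
        return seal(SHARED_KEY, b"fail")
    nonce, body = req[:16], req[16:]
    user, _, otp = body.decode(errors="replace").partition(":")
    verdict = b"ok" if OTP_TABLE.get(user) == otp else b"fail"
    return seal(SHARED_KEY, nonce + verdict)


def sshd_nonced(user: str, otp: str, transport: Callable[[bytes], bytes]) -> bool:
    nonce = os.urandom(16)
    reply = transport(seal(SHARED_KEY, nonce + f"{user}:{otp}".encode()))
    plain = open_(SHARED_KEY, reply)
    return plain is not None and plain[:16] == nonce and plain[16:] == b"ok"


def demo_nonced():
    atk = ReplayingAttacker(authsrv_nonced)
    legit = sshd_nonced("alice", "one-time-42", atk)  # real login goes through
    forged = sshd_nonced("mallory", "wrong", atk)      # stale nonce in the replay: rejected
    return legit, forged


if __name__ == "__main__":
    print("nonce-less (legit, replayed):", demo_nonceless())
    print("nonce-bound (legit, replayed):", demo_nonced())
```

The nonce check is the whole point of the second half; the XOR cipher around it reuses one keystream for every message, which a real design would never do, so treat it purely as a way to make "same key, same bytes" visible. Note also that the replay works regardless of the cipher's strength: the attacker never decrypts anything, it only needs the server's answers to be interchangeable.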