As many of you are undoubtedly aware, the use of "sniffers" to monitor network traffic and thus steal passwords is a serious problem, and has been for quite some time. Indeed, last year's break-in here may have been due in part to the use of a sniffer at a site in Colorado. Once the culprit was "in", he immediately set up a sniffer on our own network, resulting in the confirmed theft of dozens of passwords, and perhaps many more.

To quote from an advisory issued by CERT on the matter:

...CERT has observed a dramatic increase in reports of intruders monitoring network traffic. Systems of some service providers have been compromised, and all systems that offer remote access through rlogin, telnet, and FTP are at risk. Intruders have already captured access information for tens of thousands of systems across the Internet. The current attacks involve a network monitoring tool that uses the promiscuous mode of a specific network interface, /dev/nit, to capture host and user authentication information on all newly opened FTP, telnet, and rlogin sessions.
[...]
The best long-term solution currently available for this attack is to reduce or eliminate the transmission of reusable passwords in clear-text over the network.
[...]
Long-term prevention: CERT recognizes that the only effective long-term solution to prevent these attacks is by not transmitting reusable clear-text passwords on the network.
[...]

ONE-TIME PASSWORDS

Given today's networked environments, CERT recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CERT has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords).

We propose a phased transition to the use of one-time passwords throughout EECSNet. This proposal recognizes the distinction between common-access, CSEL-owned machines such as delta and faculty or research lab machines, and handles the two groups somewhat differently.

[More information about the specific software being discussed (called S/KEY) is available at the URL http://web.ece.nwu.edu/CSEL/skey.html]
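To make concrete what "used only once" means, here is an added example (not the S/KEY software referenced above, and not part of the original proposal) of the hash-chain construction S/KEY is built on. The client computes a chain of one-way hashes from a secret pass phrase and a seed; the server stores only the top of the chain and, on each login, checks that hashing the offered value once reproduces what it stored, then moves its stored value one link down. A sniffed value is therefore useless for the next login. The hash step (MD5 folded to 64 bits) follows the MD5 variant of RFC 2289; the original S/KEY uses MD4 (RFC 1760). The six-word display encoding is omitted, the user name, seed and pass phrase are made up for the demonstration, and the enrollment sequence number 99 is an assumption.

```python
"""Lamport hash-chain one-time passwords in the style of S/KEY (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

N_INITIAL = 99  # sequence number assigned at enrollment (assumed; S/KEY commonly starts at 99)


def fold64(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves (RFC 2289 style)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(x: bytes) -> bytes:
    """One link of the chain: hash, then fold. This is the one-way function."""
    return fold64(hashlib.md5(x).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password number n: seed||passphrase hashed, then stepped n more times.

    Only the client, which knows the secret pass phrase, can compute this.
    """
    x = step((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = step(x)
    return x


@dataclass
class Record:
    seed: str
    seq: int          # sequence number of the stored verifier
    verifier: bytes   # equals otp(seq); the pass phrase itself is never stored


class OtpServer:
    """Server side: holds one verifier per user and no reusable secret."""

    def __init__(self) -> None:
        self.users: dict[str, Record] = {}

    def enroll(self, user: str, seed: str, seq: int, verifier: bytes) -> None:
        self.users[user] = Record(seed, seq, verifier)

    def challenge(self, user: str) -> tuple[int, str]:
        """What the login prompt shows: the sequence number and seed to use next."""
        rec = self.users[user]
        return rec.seq - 1, rec.seed

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.users[user]
        if rec.seq <= 1:          # chain exhausted; the user must re-enroll with a new seed
            return False
        # Stepping the response once must reproduce the stored verifier.
        if not hmac.compare_digest(step(response), rec.verifier):
            return False
        # Accept, then move the verifier down the chain so this response can never be reused.
        rec.verifier, rec.seq = response, rec.seq - 1
        return True


def simulate(passphrase: str = "correct horse battery", seed: str = "nw12345") -> dict[str, bool]:
    """Enroll a made-up user, log in, replay the sniffed password, log in again, try a wrong phrase."""
    server = OtpServer()
    # Enrollment: the client computes otp(N_INITIAL) locally and hands only that value to the server.
    server.enroll("alice", seed, N_INITIAL, otp(passphrase, seed, N_INITIAL))

    n, s = server.challenge("alice")              # prompt would read "otp-md5 98 nw12345"
    first = otp(passphrase, s, n)                  # what crosses the wire, and what a sniffer captures
    login1 = server.verify("alice", first)

    replay = server.verify("alice", first)         # the sniffer replays the captured value

    n, s = server.challenge("alice")              # now 97
    login2 = server.verify("alice", otp(passphrase, s, n))

    n, s = server.challenge("alice")              # now 96
    wrong = server.verify("alice", otp("wrong passphrase", s, n))

    return {"login1": login1, "replay": replay, "login2": login2, "wrong": wrong}


if __name__ == "__main__":
    print(simulate())  # {'login1': True, 'replay': False, 'login2': True, 'wrong': False}
```

The point to notice is what the server holds: a seed, a counter and one 8-byte verifier. A sniffer that captures otp(98) cannot compute otp(97) without inverting the hash, and an intruder who steals the server's record cannot log in either, because the record is one step ahead of any value a client would send.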

Phase 1: Voluntary use of S/KEY one-time passwords on delta and the Wilkinson machines.

The CSEL staff will install the S/KEY system on these machines, but will still permit reusable passwords to be used for telnet, rlogin, and ftp connections to these machines from outside EECSNet. Users who wish to secure their access with S/KEY will be provided with the necessary documentation and software. The CSEL staff will develop and deliver tutorial "lectures" in the Wilkinson Lab so that interested users can become educated about S/KEY and the threats it negates.

Phase 2: Installation of S/KEY software on faculty or research lab machines on a "by-request" basis.

At the request of their "owners", faculty or research lab machines will be outfitted with S/KEY software so that logins to them can be secured on a voluntary basis, just as CSEL-owned machines are in Phase 1.

Phase 3: Mandatory use of S/KEY one-time passwords on delta and the Wilkinson machines.

All telnet, ftp and rlogin activity from outside EECSNet to any CSEL-owned machines will require the use of one-time passwords. Users with .rhosts files will NOT be affected by this (see note below).

Phase 4: Installation of S/KEY software on remaining faculty or research lab machines.

Faculty or research lab machines not covered by Phase 2 will be outfitted with S/KEY software so that logins to them can be secured on a voluntary basis.

Phase 5: Mandatory use of S/KEY one-time passwords on all EECSNet machines.

All telnet, ftp and rlogin activity from outside EECSNet to any EECSNet machine will require the use of one-time passwords. Users with .rhosts files will NOT be affected by this (see note below).

The motivation for the phased implementation of S/KEY is that, although the system is simple once one becomes accustomed to it, it can be confusing at first. By moving in steps, users can acclimate themselves to the new system gradually. The presumption is that as faculty get used to the software, they will ask that their labs be outfitted with it.

The transition from voluntary to mandatory use is necessary because there will undoubtedly be some users who, whether through ignorance or recalcitrance, would not otherwise use S/KEY.

About .rhosts

In general, .rhosts files are a security problem. They make EECS only as secure as the least secure machine to which trust is extended, since anyone who compromises a trusted host can rlogin here without supplying a password at all. Today's alternative, requiring standard UNIX passwords even for rlogin, is not much better, because we should not trust the networks over which those passwords must travel anyway. Once S/KEY is universally required, both of these problems go away. Users who have a specific need to extend trust to a remote site will be permitted to do so; all others will find their .rhosts files ignored.
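Before .rhosts files are switched off, it is worth knowing how far the existing ones reach. The following added audit script (not part of the original proposal, and not a CSEL tool) reads .rhosts contents and flags the entries that extend trust furthest: a "+" host (any machine), a "+" user (any account on that machine), netgroup references, and fully qualified hosts outside our own domain. The sample file, the host names in it and the local domain "eecs.example.edu" are constructed for the demonstration; unqualified host names are assumed to be local, and netgroups are reported rather than resolved.

```python
"""Audit .rhosts entries for the trust they extend (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def audit_rhosts(text: str, local_domain: str) -> list[Finding]:
    """Return one Finding per .rhosts entry that extends trust too widely.

    Format handled: one entry per line, "host [user]". A host of "+" trusts
    every machine, a user of "+" trusts every account on that machine, a
    leading "-" denies rather than grants, and "@name" / "+@name" name a
    netgroup. Hosts without a dot are assumed (here) to be local.
    """
    suffix = "." + local_domain.lower()
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entry = " ".join(fields)

        if host.startswith("-"):
            continue  # an explicit denial does not extend trust
        if host == "+":
            findings.append(Finding(line_no, entry,
                            "wildcard host: every machine on the network is trusted"))
        elif host.startswith("+@") or host.startswith("@"):
            findings.append(Finding(line_no, entry,
                            "netgroup: trust depends on an externally maintained group"))
        elif "." in host and not host.lower().endswith(suffix):
            findings.append(Finding(line_no, entry,
                            f"host outside {local_domain}: trust extends to a site we do not administer"))

        if user == "+":
            findings.append(Finding(line_no, entry,
                            "wildcard user: any account on that host may log in as this user"))
    return findings


# Constructed sample .rhosts contents; none of these hosts are real.
SAMPLE_RHOSTS = """\
delta.eecs.example.edu
wilkinson3.eecs.example.edu jsmith
+
remote.example.edu
+@labhosts
-badhost.eecs.example.edu
workstation7 +
"""


def report(text: str = SAMPLE_RHOSTS, local_domain: str = "eecs.example.edu") -> list[str]:
    """Human-readable lines, one per finding, suitable for mailing to the file's owner."""
    return [f"line {f.line_no}: '{f.entry}': {f.reason}"
            for f in audit_rhosts(text, local_domain)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run over a user's .rhosts, this turns the abstract "trust is extended" into a list of exactly which hosts and accounts can log in without a password, which is the list that has to be reviewed before the file is either approved or ignored.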