
Login denied (OTP problem) (11 posts)

This is an archived topic. The information in it is likely to be out-of-date and no longer applicable to current versions of Fetch.
  • Started 13 years ago by CaptainBitmappy
  • Latest reply 12 years ago from jfw
  • CaptainBitmappy Member

    Well, I've got a doozie.

    It affects logins to my server which runs ftpd from FreeBSD-current (5.0). It has problems sending the password. For some reason it always fails.

    It works fine to the same server in anonymous mode, but when I try to log in, it just doesn't jive. I think it must have something to do with how One-time passwords are generated and sent to the server.

    Other clients work fine, including IE, iFTP and ftp on the command line. Ideas?

    Thanks,
    Here's a transcript of the session:

    Connecting to caulfield.bitmap.net port 21 (13/8/01 4:28:13 PM)
    220 caulfield.bitmap.net FTP server (Version 6.00LS) ready.
    ADAT
    500 'ADAT Hi there, do you support security?': command not understood.
    USER graham
    331 [ otp-md5 17 ca5921 ext ] Password required for graham.
    Generated OTP Response: 211046A5C9EC246A
    PASS
    530 Login incorrect.

    Posted 13 years ago #

  • Jim Matthews Administrator

    Are you using Fetch 3.0.3 or 4.0?

    Jim Matthews
    Fetch Softworks

    Posted 13 years ago #

  • CaptainBitmappy Member

    Fetch 4.0
    (with that darn cute 3d pooch!)

    Posted 13 years ago #

  • Jim Matthews Administrator

    It looks like the server is asking for a One Time Password, but not accepting one. Could you ask the system administrator whether OTP passwords are supposed to be supported?

    Another thing to try is generating the correct OTP password for the challenges in the transcript using MacOPIE (available at http://macinsearch.com/infomac2/communication/inet/mac-opie-100.html). Then you can check whether that matches what Fetch is sending.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 13 years ago #

  • CaptainBitmappy Member

    Hi again,

    Yes, One-time passwords are supposed to be supported. I downloaded MacOPIE and compared the output of that to what is produced on the server by the key(1) program, which handles the s/key requests for the ftp daemon. They agreed with each other.

    How do I determine what Fetch is sending back as the answer to the challenge? The results I am getting back are in the form of six English words of four letters or less. How does this relate to the long number that Fetch sends back (211046A5C9EC246A, in the above post)?

    [This message has been edited by CaptainBitmappy (edited 08-21-2001).]

    Posted 13 years ago #

  • Jim Matthews Administrator

    The OTP standard lets you encode the response in that code of four letter words, or in hexadecimal (which is what Fetch does). Does the key program let you choose the hexadecimal output format?

    Jim Matthews
    Fetch Softworks

    Posted 13 years ago #

  • jfw Member

    I'm having this same problem.

    A transcript:

    Connecting to funhouse.com port 21 (12/4/01 10:21:54 PM)
    220-
    220 funhouse.com FTP server (NetBSD-ftpd 20010627) ready.
    USER jfw
    331 Password [otp-md4 98 jfwh42459] required for jfw.
    Generated OTP Response: 6762085CACD4FEA5
    PASS
    530 Login incorrect.

    The correct OTP response (for the 'secret' password "testingit_") should have been 7ff9 ecfb e69a 9147. Apparently it's just screwing up the OTP calculation.

    A minor irritating user-interface glitch: an s/key FTP server will also accept a user's plaintext password; it would be handy to be able to tell Fetch that the typed password should be sent as-is even if the server prompts with an s/key challenge.

    Posted 12 years ago #

  • Jim Matthews Administrator

    What calculator are you using to calculate the OTP response? I'd like to check my code against it.

    If you want to send your cleartext password one (clumsy) workaround is to enter the password "***CHALLENGE***". I believe that will bypass the OTP calculation, and prompt you for the actual password to send to the server (that feature is there to allow use of other challenge-response systems).

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #

  • jfw Member

    I am using PalmKey, an s/key implementation for Palm OS, as well as the BSD skey program. RFC2289 contains a handful of test examples, also.

    If it would be handy for testing, I can set up an account for you on my server.

    Posted 12 years ago #

  • Jim Matthews Administrator

    Apparently the problem is that Fetch expects the challenge to be:

    otp-md4 98 jfwh42459

    rather than:

    Password [otp-md4 98 jfwh42459] required for jfw.

    The challenge being sent by this server does not follow RFC 1938, which states:

    The challenge MUST be in a standard syntax so that automated generators can recognize the challenge in context and extract these parameters. The syntax of the challenge is:

    otp-<algorithm identifier> <sequence integer> <seed>

    The three tokens MUST be separated by a white space (defined as any number of spaces and/or tabs) and the entire challenge string MUST be terminated with either a space or a new line.

    I will fix a future release of Fetch to be more tolerant of servers that don't follow the RFC.

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #
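    The two failure modes discussed in this thread, the bracketed challenge that a strict parser misses and the hex versus six-word encoding of the same 64-bit result, can be seen with a small tolerant OTP calculator. This is an added example, not Fetch's code or the BSD skey/OPIE sources; it follows RFC 2289 (the successor to RFC 1938) for the MD4/MD5 algorithms only, emits the hex form, and the 331 lines below are constructed from the transcripts above with a sample passphrase.

```python
import hashlib
import re

# Tolerant matcher: finds "otp-<alg> <seq> <seed>" anywhere in the 331 reply, so the
# strict RFC form and the bracketed NetBSD/FreeBSD variants from the thread all parse.
# The seed is alphanumeric (RFC 2289), so a trailing "]" or "ext" is never swallowed.
CHALLENGE_RE = re.compile(r"otp-([a-z0-9]+)\s+(\d+)\s+([A-Za-z0-9]{1,16})", re.IGNORECASE)


def parse_challenge(line):
    """Return (algorithm, sequence, seed) from a 331 reply, or None if no challenge."""
    m = CHALLENGE_RE.search(line)
    if m is None:
        return None
    return m.group(1).lower(), int(m.group(2)), m.group(3)


def fold(digest):
    # RFC 2289 Appendix A: a 128-bit MD4/MD5 digest is folded to 64 bits by XORing halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(algorithm, data):
    # One hash-and-fold step. hashlib.new("md4") needs OpenSSL's legacy provider on
    # OpenSSL 3 builds; "md5" is always available. SHA-1 folds differently and is omitted.
    return fold(hashlib.new(algorithm, data).digest())


def otp_response(algorithm, sequence, seed, passphrase):
    """64-bit one-time password: hash(seed+passphrase), then `sequence` more steps."""
    if algorithm not in ("md4", "md5"):
        raise ValueError("unsupported OTP algorithm: " + algorithm)
    value = step(algorithm, (seed.lower() + passphrase).encode("utf-8"))  # seed is case-insensitive
    for _ in range(sequence):
        value = step(algorithm, value)
    return value


def to_hex(value):
    """Hex form of the response (16 hex digits, grouped in fours); the six-word form
    encodes the same 64 bits with the RFC 2289 dictionary and is not produced here."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def respond(line, passphrase):
    """Parse a server 331 line and return the hex response, or None without a challenge."""
    parsed = parse_challenge(line)
    if parsed is None:
        return None
    alg, seq, seed = parsed
    return to_hex(otp_response(alg, seq, seed, passphrase))


if __name__ == "__main__":
    # Constructed 331 line in the NetBSD layout from the thread; the secret is a sample value.
    print(respond("331 Password [otp-md5 98 jfwh42459] required for jfw.", "testingit_"))
```

    A server's `key`/`skey` program given the same sequence and seed should agree with this output; RFC 2289 Appendix C lists further test vectors for cross-checking.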

  • jfw Member

    Aha! I'll file a problem report with the NetBSD folks as well. Thanks for identifying the problem!

    Fixing the prompt to ...[ otp-md4 99 jfwh9999 ] makes it work.

    Posted 12 years ago #

This topic has been closed.