
Login denied (OTP problem) (11 posts)
- Started 22 years ago by CaptainBitmappy
- Latest reply 21 years ago from jfw
-
CaptainBitmappy Member
-
Jim Matthews Administrator
Are you using Fetch 3.0.3 or 4.0?
Jim Matthews
Fetch Softworks -
CaptainBitmappy Member
Fetch 4.0
(with that darn cute 3d pooch!) -
Jim Matthews Administrator
It looks like the server is asking for a One Time Password, but not accepting one. Could you ask the system administrator whether OTP passwords are supposed to be supported?
Another thing to try is generating the correct OTP password for the challenges in the transcript using MacOPIE (available at http://macinsearch.com/infomac2/communication/inet/mac-opie-100.html). Then you can check whether that matches what Fetch is sending.
Thanks,
Jim Matthews
Fetch Softworks -
CaptainBitmappy Member
Hi again,
Yes, One-time passwords are supposed to be supported. I downloaded MacOPIE and compared the output of that to what is produced on the server by the key(1) program, which handles the s/key requests for the ftp daemon. They agreed with each other.
How do I determine what Fetch is sending back as the answer to the challenge? The results I am getting back are in the form of six words (English) of four letters or less. How does this relate to the long number that Fetch sends back (211046A5C9EC246A, in above post)?
[This message has been edited by CaptainBitmappy (edited 08-21-2001).]
-
Jim Matthews Administrator
The OTP standard lets you encode the response in that code of four letter words, or in hexadecimal (which is what Fetch does). Does the key program let you choose the hexadecimal output format?
Jim Matthews
Fetch Softworks -
jfw Member
I'm having this same problem.
A transcript:
Connecting to funhouse.com port 21 (12/4/01 10:21:54 PM)
220-
220 funhouse.com FTP server (NetBSD-ftpd 20010627) ready.
USER jfw
331 Password [otp-md4 98 jfwh42459] required for jfw.
Generated OTP Response: 6762085CACD4FEA5
PASS
530 Login incorrect.
The correct OTP response (for the 'secret' password "testingit_") should have been 7ff9 ecfb e69a 9147. Apparently it's just screwing up the OTP calculation.
A minor irritating user-interface glitch: an s/key FTP server will also accept a user's plaintext password; it would be handy to be able to tell Fetch that the typed password should be sent as-is even if the server prompts with an s/key challenge.
-
Jim Matthews Administrator
What calculator are you using to calculate the OTP response? I'd like to check my code against it.
If you want to send your cleartext password, one (clumsy) workaround is to enter the password "***CHALLENGE***". I believe that will bypass the OTP calculation, and prompt you for the actual password to send to the server (that feature is there to allow use of other challenge-response systems).
Jim Matthews
Fetch Softworks -
jfw Member
I am using PalmKey, an s/key implementation for Palm OS, as well as the BSD skey program. RFC2289 contains a handful of test examples, also.
If it would be handy for testing, I can set up an account for you on my server.
-
Jim Matthews Administrator
Apparently the problem is that Fetch expects the challenge to be:
otp-md4 98 jfwh42459
rather than:
Password [otp-md4 98 jfwh42459] required for jfw.
The challenge being sent by this server does not follow RFC 1938, which states:
The challenge MUST be in a standard
syntax so that automated generators can recognize the challenge in
context and extract these parameters. The syntax of the challenge
is:
otp-<algorithm identifier> <sequence integer> <seed>
The three tokens MUST be separated by a white space (defined as
any number of spaces and/or tabs) and the entire challenge string
MUST be terminated with either a space or a new line.
I will fix a future release of Fetch to be more tolerant of servers that don't follow the RFC.
Jim Matthews
Fetch Softworks -
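Added example (not part of the original thread, and not Fetch's code): one way to extract the challenge from the two 331 replies quoted in this thread, once with a strictly whitespace-delimited pattern and once with a tolerant one, plus an otp-md5 hex calculator for cross-checking a client against the RFC 2289 test examples. The names `STRICT`, `TOLERANT`, `parse_challenge` and `otp_md5_hex` are made up for this illustration; only otp-md5 is computed, because MD4 is often unavailable in Python's `hashlib`.

```python
import hashlib
import re

# Strict reading of the RFC syntax: the challenge is delimited by whitespace.
STRICT = re.compile(
    r"(?:^|\s)otp-(md4|md5|sha1)[ \t]+(\d+)[ \t]+([A-Za-z0-9]{1,16})(?=\s|$)")
# Tolerant reading: punctuation such as "[" or "]" may touch the challenge.
TOLERANT = re.compile(
    r"(?<![A-Za-z0-9])otp-(md4|md5|sha1)[ \t]+(\d+)[ \t]+"
    r"([A-Za-z0-9]{1,16})(?![A-Za-z0-9])")

# Server replies copied from the transcripts in this thread.
NETBSD_REPLY = "331 Password [otp-md4 98 jfwh42459] required for jfw."
FREEBSD_REPLY = "331 [ otp-md5 17 ca5921 ext ] Password required for graham."


def parse_challenge(reply, pattern=TOLERANT):
    """Return (algorithm, sequence, seed) found in a 331 reply, or None."""
    m = pattern.search(reply)
    if m is None:
        return None
    # RFC 2289: the seed is converted to lower case before it is used.
    return m.group(1), int(m.group(2)), m.group(3).lower()


def _fold_md5(data):
    """MD5 the input, then fold the 128-bit digest to 64 bits (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5_hex(passphrase, seed, sequence):
    """Hexadecimal otp-md5 response for the given challenge parameters."""
    value = _fold_md5(seed.lower().encode("ascii") + passphrase.encode("ascii"))
    for _ in range(sequence):
        value = _fold_md5(value)
    return value.hex().upper()


if __name__ == "__main__":
    for reply in (NETBSD_REPLY, FREEBSD_REPLY):
        print(parse_challenge(reply, STRICT), parse_challenge(reply))
    # RFC 2289 test example: pass phrase "This is a test.", seed "TeSt", count 0.
    print(otp_md5_hex("This is a test.", "TeSt", 0))
```

The strict pattern finds nothing in the NetBSD reply because the brackets touch the challenge, while the tolerant pattern recovers the same three parameters from both replies.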
jfw Member
Aha! I'll file a problem report with the NetBSD folks as well. Thanks for identifying the problem!
Fixing the prompt to ...[ otp-md4 99 jfwh9999 ] makes it work.
Well, I've got a doozie.
It affects logins to my server which runs ftpd from FreeBSD-current (5.0). It has problems sending the password. For some reason it always fails.
It works fine to the same server in anonymous mode, but when I try to log in, it just doesn't jive. I think it must have something to do with how One-time passwords are generated and sent to the server.
Other clients work fine, including IE, iFTP and ftp on the command line. Ideas?
Thanks,
Here's a transcript of the session:
Connecting to caulfield.bitmap.net port 21 (13/8/01 4:28:13 PM)
220 caulfield.bitmap.net FTP server (Version 6.00LS) ready.
ADAT
500 'ADAT Hi there, do you support security?': command not understood.
USER graham
331 [ otp-md5 17 ca5921 ext ] Password required for graham.
Generated OTP Response: 211046A5C9EC246A
PASS
530 Login incorrect.