s/key authentication for Apache on FreeBSD?

Brett Glass brett at lariat.org
Wed Dec 10 18:41:07 PST 2003


An excellent reason to use SSL together with S/key.

--Brett

At 06:02 PM 12/10/2003, Michael Sierchio wrote:

>The problem with S/key or OPIE authentication is that it
>is sadly subject to a MITM attack, and relies on
>blind trust in the server.
>
>The challenge is not a random challenge, it is unfortunately
>a sequence number and salt -- if I trick you into typing in
>the one-time password with a lower sequence number than the
>current one you are proper fucked.  I can then generate all of
>the subsequent "one-time" passwords.
>
>If you have a half-authenticated SSL connection, and are
>conducting the exchange over it, then it should be fine.
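
[Added example, not part of the original thread or of any S/key/OPIE code: a minimal hash-chain sketch of the scheme discussed above, showing why a response for a lower sequence number yields every response the server will ask for before it. Assumptions: truncated SHA-256 stands in for the real folded MD4/MD5/SHA-1 step, and all names, the sample secret and salt, and the client_accepts guard are hypothetical.]

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in one-way step (assumption): real S/Key and OPIE fold
    # MD4/MD5/SHA-1 output to 64 bits; the chain structure is the same.
    return hashlib.sha256(data).digest()[:8]

def otp(secret: bytes, salt: bytes, seq: int) -> bytes:
    """Response for sequence number seq: h applied seq times to h(salt + secret)."""
    value = h(salt + secret)
    for _ in range(seq):
        value = h(value)
    return value

class Server:
    """Holds only the last accepted response and its sequence number."""
    def __init__(self, secret: bytes, salt: bytes, start_seq: int):
        self.salt, self.seq = salt, start_seq
        self.last = otp(secret, salt, start_seq)

    def challenge(self):
        # Not random: just the next lower sequence number and the salt.
        return self.seq - 1, self.salt

    def verify(self, response: bytes) -> bool:
        # Accept only a value that hashes to the previously accepted one.
        if h(response) != self.last:
            return False
        self.last, self.seq = response, self.seq - 1
        return True

def roll_forward(response: bytes, from_seq: int, to_seq: int) -> bytes:
    """Hash a response for from_seq forward to the response for a higher to_seq."""
    for _ in range(to_seq - from_seq):
        response = h(response)
    return response

def client_accepts(last_answered_seq: int, challenge_seq: int) -> bool:
    """Hypothetical client-side guard: answer only the next expected sequence number."""
    return challenge_seq == last_answered_seq - 1

# Constructed sample values, not taken from any real system.
SECRET, SALT = b"constructed passphrase", b"ke1234"
```

The guard only works if the client keeps state between logins; without it, the client has to rely on authenticating the server, which is what running the exchange over SSL provides.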



More information about the freebsd-security mailing list