Re: OPIE considered insecure



Jason Stone <freebsd-security@xxxxxxxx> writes:
> Right, but that's not the problem they're trying to solve. They're
> trying to solve the problem of logging in _from_ an untrusted machine,
> to a trusted machine.

If the machine you're logging in *from* is untrusted, you're SOL. Even
with OPIE or similar mechanisms, somebody might piggyback on your SSH
connection. The best you can do is boot from a CD or USB fob you
prepared yourself, and even then, there might be a hardware key logger
installed on the computer.

DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


