Re: OPIE considered insecure

On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
Benjamin Lutz writes:

Because the inconvience of not using whatever service or data the server is
providing is considered greater than the security risk.

But isn't regular password authentication the most convenient of all?

Not in my experience, no.

I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very
early, so all processes run under that environment get the benefit of
the cached authentication credentials I thus set up. Then I can login
to most machines I care about directly, without requiring additional

To me, that's far more convenient than ensuring that I'm around & paying
attention whenever some random process (e.g., a CVS update) wants a

And I strongly suspect that it's better security than a password.

For my externally-visible sshd, there's no way I'd use a reusable
password for authentication. As things presently stand, I only permit
SSH public key authentication for that use.


David H. Wolfskill david@xxxxxxxxxxxxxx
Depriving a girl or boy of an opportunity for education is evil.

See for my public key.

Attachment: pgpnVB4IE3W0P.pgp
Description: PGP signature

Relevant Pages

  • RE: Domain Controller Best Practice - Thanks!
    ... > security risk by allowing your DC to also function as a file server". ... All user authentication is occurring on this system. ... But you wouldn't be sharing the "SAM file" now, ...
  • Re: store password using reversible encryption
    ... enabled for any accounts that would authenticate via chap or digest ... authentication which is a big security risk. ... anyone needing to use those two methods of authentication. ...
  • Re: OWA Login Box
    ... Leif ... Isn't this a security risk? ... it is not an authentication method - basic ... a RSA server before they are authenticated by the AD. (the way I normally do ...
  • [Full-disclosure] [GOATSE SECURITY] Clench: Goatses way to say "screw you" to certificate author
    ... Application layer authentication-inherent validation of public key ... Goatse Security’s new simple password-based authentication mechanism ... getting hundreds of thousands or millions of users to install a client ... client hashes locally and then sends the hash to the server. ...
  • Re: IPSEC with non-domain Server
    ... with kerberos performing digital signature validation using the on-file ... public keys for "something you have" authentication. ... there is a business process defined called public key ... ... the total stranger has gone to a certification ...