Re: OPIE considered insecure



On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
...
Benjamin Lutz writes:

Because the inconvenience of not using whatever service or data the server is
providing is considered greater than the security risk.

But isn't regular password authentication the most convenient of all?

Not in my experience, no.

I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very
early, so all processes run under that environment get the benefit of
the cached authentication credentials I thus set up. Then I can login
to most machines I care about directly, without requiring additional
authentication.

To me, that's far more convenient than ensuring that I'm around & paying
attention whenever some random process (e.g., a CVS update) wants a
password.

And I strongly suspect that it's better security than a password.

For my externally-visible sshd, there's no way I'd use a reusable
password for authentication. As things presently stand, I only permit
SSH public key authentication for that use.

...

Peace,
david
--
David H. Wolfskill david@xxxxxxxxxxxxxx
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
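
The public-key-only sshd policy described in the message above can be checked against a configuration file. This is an added example, not part of the original post: the function name and both sample configurations are constructed, and it assumes OpenSSH defaults (an absent keyword means "yes") and reads only the global section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example. Reads an sshd_config-style file on stdin and reports whether
# reusable-password logins and public-key logins are enabled globally.
# sshd keeps the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
audit_sshd_config() {
    awk '
    BEGIN {
        # Assumed OpenSSH defaults when a keyword is absent.
        val["passwordauthentication"] = "yes"
        val["kbdinteractiveauthentication"] = "yes"
        val["pubkeyauthentication"] = "yes"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        gsub(/"/, "", line)                  # arguments may be quoted
        split(line, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
        key = tolower(f[1])                  # keywords are case-insensitive
        if (key == "match") exit             # audit the global section only
        # Older name for keyboard-interactive (can prompt for a password via PAM).
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        if ((key in val) && !(key in seen)) { val[key] = f[2]; seen[key] = 1 }
    }
    END {
        # Conservative: anything other than an explicit "no" counts as enabled.
        pw = (val["passwordauthentication"] != "no" ||
              val["kbdinteractiveauthentication"] != "no")
        pk = (val["pubkeyauthentication"] != "no")
        printf "password=%s pubkey=%s\n", (pw ? "on" : "off"), (pk ? "on" : "off")
    }'
}

# Constructed samples (not taken from any real host).
sample_shadowed='PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'
sample_keys_only='PasswordAuthentication no
KbdInteractiveAuthentication=no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

printf '%s\n' "$sample_shadowed"  | audit_sshd_config   # password=on pubkey=on
printf '%s\n' "$sample_keys_only" | audit_sshd_config   # password=off pubkey=on
```

Run it as `audit_sshd_config < /etc/ssh/sshd_config`. It does not follow Include directives or evaluate Match blocks, so `sshd -T` remains the reference for the effective settings.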
