Re: It's not possible to allow non-OPIE logins only from trusted networks

Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:
> (...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
> (...)
> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4-digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack though.

The math of that sounds a bit hard...
You're talking about OTPW, not OPIE, aren't you?

> (...)
> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!),
even when I use OPIE (because I don't use a separate device, a cell
phone).
Somewhere we have to draw a line, and my line is there. But when I look
around me, to my physical/social environment, I feel pretty confident. I
guess the most real risk I face is someone pointing a knife at me...


My problem with passwords, even passwords generated by dd if=/dev/random
bs=6 count=1 | base64, is seeing dozens, sometimes hundreds of login
attempts per day at any SSH server I open. Even though they're stupid
attempts, which don't even guess a valid username (which is pretty easy,
let me tell you), they make me feel that an 8 random character password
can be guessed by accident.
In my physical environment, I don't see the slightest threat (at least
not one which does not involve knives).


--
Miguel Ramos <mbox@xxxxxxxxxxxxxxxxx>
PGP A006A14C
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
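As an added example (not code from this thread, nor OPIE's own), the passphrase split Lionel describes, built on the RFC 2289 MD5 one-time-password computation that OPIE's otp-md5 implements, with the response in RFC 2289's hex form; the prefix, PIN and seed below are constructed sample values.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 64-bit halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """RFC 2289 (S/Key, OPIE otp-md5) response for sequence number `count`,
    as 16 upper-case hex characters. The seed is case-insensitive and is
    lower-cased; the first step hashes seed||passphrase, then `count` folds."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        h = fold_md5(h)
    return h.hex().upper()

def split_otp(stored_prefix: str, typed_pin: str, seed: str, count: int) -> str:
    """The split proposed in the thread: the phone's calculator keeps only
    `stored_prefix`, the user types `typed_pin` at each login, and the real
    OTP secret is their concatenation. Neither half alone gives the response."""
    return otp_md5(stored_prefix + typed_pin, seed, count)

def server_verify(submitted_hex: str, last_accepted_hex: str) -> bool:
    """Standard S/Key check: the server stores the last accepted response
    (sequence n); a response for n-1 is valid iff one more fold maps onto it."""
    try:
        candidate = fold_md5(bytes.fromhex(submitted_hex))
    except ValueError:          # malformed input is simply rejected
        return False
    return candidate.hex().upper() == last_accepted_hex

def demo() -> dict:
    # Constructed sample values (not from the thread or any real account).
    prefix, pin, seed = "xK9#mPq2vL!rT7wZ", "4471", "fb5823"
    enrolled = split_otp(prefix, pin, seed, 499)   # stored server-side at setup
    login = split_otp(prefix, pin, seed, 498)      # next response the user submits
    phone_only = otp_md5(prefix, seed, 498)        # stolen calculator, no PIN typed
    return {
        "login_accepted": server_verify(login, enrolled),            # True
        "phone_only_accepted": server_verify(phone_only, enrolled),  # False
        "replay_accepted": server_verify(enrolled, enrolled),        # False
    }

if __name__ == "__main__":
    print(demo())
```

The PIN only buys time against a stolen phone: with the prefix in hand, a 4-digit PIN is 10^4 guesses offline, so the sequence should be re-initialised as soon as the loss is noticed.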