Re: It's not possible to allow non-OPIE logins only from trusted networks

Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:
(...)
Even with SSH/HTTPS you're at risk if someone hijacks your session not
by man-in-the-middle'ing your network connection but by using a
keylogger directly on your guest OS or even on your USB port.
(...)
By the way, I'm working on a dirty hack right now that would in effect
give me that: I plan to modify the OTP calculator I use so that it
would save only a portion of the passphrase, and I would have to enter
the last few characters (say, a 4 digit PIN-like code) by hand each
time. This way I can have a complex non-bruteforceable passphrase that
I can store on my trusted cellphone plus something that protects me
for a while if my cellphone gets stolen. It's still a dirty hack tho.

The math of that sounds a bit hard...
You're talking about OTPW, not OPIE, aren't you?

(...)
Again, encryption will not stop a keylogger on an untrusted
computer. Everything is still clear text until it's written into the
SSL/SSH socket. And it's not exactly difficult or super expensive to
install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!),
even when I use OPIE (because I don't use a separate device, like a cell
phone).
Somewhere we have to draw a line, and my line is there. But when I look
around me, to my physical/social environment, I feel pretty confident. I
guess the most real risk I face is someone pointing a knife at me...


My problem with passwords, even passwords generated by dd if=/dev/random
bs=6 count=1 | base64, is seeing dozens, sometimes hundreds of login
attempts per day at any SSH server I open. Even though they're stupid
attempts, which don't even guess a valid username (which is pretty easy,
let me tell you), they make me feel that an 8-character random password
can be guessed by accident.
In my physical environment, I don't see the slightest threat (at least
not one which does not involve knives).


--
Miguel Ramos <mbox@xxxxxxxxxxxxxxxxx>
PGP A006A14C
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
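Added example (not code from this thread, nor from the OPIE sources): a small Python model of the split-passphrase calculator Lionel describes above, next to the server-side check it has to satisfy. The OTP computation follows the MD5 variant of RFC 2289 (lowercase the seed, MD5 the seed plus passphrase, fold the digest to 64 bits, then hash that many more times for the sequence number) and is checked against the RFC's published test vectors. The passphrase prefix, the PIN, the seed "ke1234" and the sequence numbers in demo() are made up for the example, as is the challenge line it parses.

```python
"""OPIE/S/KEY one-time passwords (RFC 2289, MD5 variant) with a split
passphrase: the calculator stores a prefix of the secret, the user types
a short PIN by hand, and the two are concatenated before hashing."""
import hashlib
import re

# Challenge as a FreeBSD login prompt shows it, e.g. "otp-md5 498 ke1234 ext".
# The values used below are constructed for this example.
CHALLENGE_RE = re.compile(r"^otp-(md4|md5|sha1)\s+(\d+)\s+([A-Za-z0-9]{1,16})")


def parse_challenge(challenge):
    """Return (algorithm, sequence, seed) from an OTP challenge line."""
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError("not an OTP challenge: %r" % challenge)
    return m.group(1), int(m.group(2)), m.group(3)


def fold_md5(data):
    """MD5 the input and fold the 128-bit digest to 64 bits by XORing the
    two halves, as RFC 2289 specifies for otp-md5."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase, seed, sequence):
    """One-time password number `sequence` of the chain. The seed is
    case-insensitive and is lowercased before use (RFC 2289)."""
    key = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        key = fold_md5(key)
    return key


def to_hex(otp):
    """Hex response form: 16 hex digits in groups of four."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def from_hex(text):
    return bytes.fromhex(text.replace(" ", ""))


class SplitCalculator:
    """The device keeps only a prefix of the passphrase; the PIN typed by
    hand completes it. Neither half alone yields a valid response."""

    def __init__(self, stored_prefix):
        self.stored_prefix = stored_prefix

    def respond(self, challenge, pin):
        algo, seq, seed = parse_challenge(challenge)
        if algo != "md5":
            raise NotImplementedError(algo)
        return to_hex(otp_md5(self.stored_prefix + pin, seed, seq))


class OtpServer:
    """Server side: stores only the last accepted OTP and its sequence
    number, and verifies a response by hashing it one more time."""

    def __init__(self, seed, sequence, last_otp):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self):
        return "otp-md5 %d %s ext" % (self.sequence - 1, self.seed)

    def verify(self, response):
        candidate = from_hex(response)
        if fold_md5(candidate) != self.last_otp:
            return False
        self.sequence -= 1          # accept: move the chain down one step
        self.last_otp = candidate
        return True


def demo(prefix="correct horse battery", pin="4921", seed="ke1234", start=499):
    """Enrol with prefix+PIN, then answer one challenge with a wrong PIN
    and the same challenge with the right one. Returns (wrong_ok, right_ok,
    sequence_after)."""
    server = OtpServer(seed, start, otp_md5(prefix + pin, seed, start))
    calc = SplitCalculator(prefix)
    ch = server.challenge()
    wrong = server.verify(calc.respond(ch, "0000"))
    right = server.verify(calc.respond(ch, pin))
    return wrong, right, server.sequence


if __name__ == "__main__":
    print(to_hex(otp_md5("This is a test.", "TeSt", 0)))
    print(demo())
```

demo() returns (False, True, 498): the wrong PIN produces a response whose hash does not match the stored OTP, the right PIN is accepted and the server steps the chain down to 498, after which the same response is useless. Note what the split does and does not buy: the stored prefix is worthless without the PIN, but the PIN is typed on the same untrusted host every time, so a keylogger there still sees one complete, single-use response per session.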