s/key authentication for Apache on FreeBSD?
Michael Sierchio
kudzu at tenebras.com
Wed Dec 10 17:02:58 PST 2003
Brett Glass wrote:
> The people in question have Palm Pilots. And, yes, in a pinch
> slips of paper could be generated. The key thing is to be able
> to get in from a public kiosk without the risk of compromised
> passwords.
The problem with S/Key or OPIE authentication is that it
is sadly subject to a MITM attack, and relies on
blind trust in the server.
The challenge is not a random challenge, it is unfortunately
a sequence number and salt -- if I trick you into typing in
the one-time password with a lower sequence number than the
current one you are proper fucked. I can then generate all of
the subsequent "one-time" passwords.
If you have a half-authenticated SSL connection, and are
conducting the exchange over it, then it should be fine.
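The attack described in this message, as an added worked example that is not part of the original post or of the FreeBSD S/Key and OPIE code. It models the S/Key hash chain in simplified form (SHA-256 truncated to 8 bytes per step instead of the RFC 1760 MD4 64-bit fold and six-word encoding; the seed, passphrase, counts and the class and function names are all assumptions), then shows that a man-in-the-middle who gets the user to answer a forged challenge with a lower sequence number can hash forward and log in for every sequence number in between.

```python
import hashlib
from dataclasses import dataclass


def step(value: bytes) -> bytes:
    """One iteration of the one-way chain.

    Real S/Key (RFC 1760) folds MD4 to 64 bits; this is a stand-in
    (assumption) that keeps the structure and drops the encoding details.
    """
    return hashlib.sha256(value).digest()[:8]


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Client side: the one-time password for sequence n is H^n(seed||pass)."""
    v = (seed + passphrase).encode()
    for _ in range(n):
        v = step(v)
    return v


def user_answer(challenge, passphrase: str) -> bytes:
    """What the user's calculator returns for a (sequence, seed) challenge.

    The user has no way to check that the challenge came from the real
    server, which is the weakness the post points out.
    """
    seq, seed = challenge
    return otp(seed, passphrase, seq)


@dataclass
class SkeyServer:
    seed: str
    seq: int        # sequence number of the stored value
    stored: bytes   # H^seq(seed||pass): the last OTP accepted (or the enrolment value)

    @classmethod
    def enroll(cls, seed: str, passphrase: str, n: int) -> "SkeyServer":
        # The server never stores the passphrase, only H^n of it.
        return cls(seed, n, otp(seed, passphrase, n))

    def challenge(self):
        # Not random: just the next sequence number down, plus the seed.
        return (self.seq - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value, then move down the chain."""
        if self.seq <= 1:
            return False            # chain exhausted, must re-enroll
        if step(response) != self.stored:
            return False
        self.stored = response      # a replay now fails: H(response) != response
        self.seq -= 1
        return True


def mitm_attack(server: SkeyServer, victim_passphrase: str, lure_seq: int) -> int:
    """Forge a challenge with a lower sequence number, then walk the chain forward.

    victim_passphrase is used only to simulate the victim's calculator;
    the attacker never sees it. Returns how many logins the attacker got.
    """
    real_seq, seed = server.challenge()
    assert lure_seq < real_seq, "the lure must be lower than the real challenge"

    # 1. Victim answers the forged challenge with H^lure_seq(seed||pass).
    captured = user_answer((lure_seq, seed), victim_passphrase)

    # 2. Hashing forward gives every OTP from lure_seq up to the real challenge.
    chain = {lure_seq: captured}
    v = captured
    for k in range(lure_seq + 1, real_seq + 1):
        v = step(v)
        chain[k] = v

    # 3. Each of those is a valid answer to successive real challenges.
    logins = 0
    while True:
        seq, _ = server.challenge()
        if seq < lure_seq or not server.verify(chain[seq]):
            break
        logins += 1
    return logins
```

With an enrolment of 100 and a lure at sequence 90, the attacker gets ten logins (sequences 99 down to 90) from a single captured response; the only thing that stops this is binding the challenge to an authenticated channel, as the last paragraph of the message suggests.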