OPIE considered insecure

Rich Healey healey.rich at itreign.com
Sun Mar 1 15:46:45 PST 2009


I've been reading this thread with great interest. At present my primary
server is ssh keys only, which is all well and good; to log in I bounce to a
node that allows passwords and then to my server, but this is still not
ideal. It just eliminates a very small attack surface.

I'm thinking about implementing OPIE, but after reading this I'm not so
sure. What's consensus on the best approach to one time logins?

-----Original Message-----
From: owner-freebsd-security at freebsd.org
[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Peter Jeremy
Sent: Thursday, 12 February 2009 5:07 AM
To: Lyndon Nerenberg
Cc: freebsd-security at freebsd.org
Subject: Re: OPIE considered insecure

On 2009-Feb-09 15:30:33 -0800, Lyndon Nerenberg <lyndon at orthanc.ca> wrote:
> From what you're describing, I would be more inclined to carry a 
> bootable OS on that USB stick and reboot into that.

Keep in mind that libraries, internet cafes etc aren't going to be keen on
you turning up with some (to them) random USB stick and wanting to reboot
their pride-and-joy off it.

I suspect your choices are to either use OPIE (or some adaption thereof)
with ssh on an untrusted computer and assume that anything you type will be
logged or carry your own trusted computer and use some form of wireless (3G,
NextG etc) to communicate with your systems.

Note that using very large sequence numbers should slow down an attacker
(though only linearly) since they still need to iterate
MD5 by that many rounds.

--
Peter Jeremy
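As an added illustration of Peter's point about sequence numbers (this is not code from the thread or from FreeBSD's OPIE), here is a minimal RFC 2289-style MD5 OTP chain with server-side verification. The class and function names are my own; the seed handling and 64-bit fold follow RFC 2289 as I understand it, so check the output against the RFC's published test vectors before relying on it.

```python
import hashlib

def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding for MD5: XOR the first 8 bytes with the last 8."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp(passphrase: str, seed: str, seq: int) -> tuple[bytes, int]:
    """Return (64-bit OTP for sequence number `seq`, number of MD5 calls).

    Step 0 hashes seed+passphrase (seed lowercased, as RFC 2289 requires);
    every further step hashes the previous folded value. The call count is
    what makes the linear cost visible: seq+1 MD5 invocations per value,
    for the legitimate user and for anyone guessing passphrases alike.
    """
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    calls = 1
    for _ in range(seq):
        value = _fold(hashlib.md5(value).digest())
        calls += 1
    return value, calls

class OpieServer:
    """Per-user state as an OPIE/S/Key server keeps it: the seed, the
    sequence number to challenge with, and the last accepted OTP.
    The passphrase itself is never stored on the server."""

    def __init__(self, passphrase: str, seed: str, count: int) -> None:
        self.seed = seed
        self.last, _ = otp(passphrase, seed, count)  # enrolment step
        self.seq = count - 1                          # next challenge

    def challenge(self) -> str:
        return f"otp-md5 {self.seq} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` iff one more MD5 step turns it into the last
        accepted value; on success it becomes the new last value and the
        sequence number drops, so a replayed response is rejected."""
        if self.seq < 0:
            return False  # chain exhausted; re-enrol with a fresh seed
        if _fold(hashlib.md5(response).digest()) != self.last:
            return False
        self.last = response
        self.seq -= 1
        return True

if __name__ == "__main__":
    # Constructed example values (the same parameters RFC 2289 uses).
    srv = OpieServer("This is a test.", "TeSt", 100)
    print(srv.challenge())
    resp, calls = otp("This is a test.", "TeSt", srv.seq)
    print(resp.hex().upper(), calls, srv.verify(resp), srv.verify(resp))
```

The `calls` value returned by `otp` is the whole of Peter's observation: moving the initial count from 100 to 10000 makes each passphrase guess 100 times more expensive, and no more.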
