OPIE considered insecure

David Wolfskill david at catwhisker.org
Mon Mar 2 13:49:49 PST 2009


On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
> ...
> Benjamin Lutz writes:
> 
> > Because the inconvenience of not using whatever service or data the server is 
> > providing is considered greater than the security risk.
> 
> But isn't regular password authentication the most convenient of all?

Not in my experience, no.

I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very
early, so all processes run under that environment get the benefit of
the cached authentication credentials I thus set up.  Then I can login
to most machines I care about directly, without requiring additional
authentication.

To me, that's far more convenient than ensuring that I'm around & paying
attention whenever some random process (e.g., a CVS update) wants a
password.

And I strongly suspect that it's better security than a password.

For my externally-visible sshd, there's no way I'd use a reusable
password for authentication.  As things presently stand, I only permit
SSH public key authentication for that use.

> ...

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
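
The message above describes an externally visible sshd that accepts only public keys. The following check for that setting is an added example, not part of the original post. It assumes upstream OpenSSH defaults and keyword names; the function names and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example: does the global section of an sshd_config leave public
# keys as the only accepted credential? Defaults passed below are the
# upstream OpenSSH ones (assumption; a vendor build may differ).
# Limitations: Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORDS DEFAULT
# KEYWORDS is a lower-case name or "a|b" for aliases. sshd keeps the
# first value it reads for a keyword, and keywords are case-insensitive.
effective_value() {
    awk -F'[ \t=]+' -v keys="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                 # re-splits the fields
        /^#/ || NF == 0 { next }               # comments, blank lines
        { k = tolower($1) }
        k == "match" { exit }                  # global section ends here
        k ~ ("^(" keys ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# pubkey_only FILE: succeeds when keys are on and both password paths off.
pubkey_only() {
    [ "$(effective_value "$1" pubkeyauthentication yes)" = yes ] || return 1
    [ "$(effective_value "$1" passwordauthentication yes)" = no ] || return 1
    # ChallengeResponseAuthentication is the deprecated alias of
    # KbdInteractiveAuthentication; with PAM it can still ask for a password.
    [ "$(effective_value "$1" \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes)" = no ]
}

# Constructed sample configurations (not taken from the post).
tmp=$(mktemp -d)
cat > "$tmp/keys_only" <<'EOF'
# keys only
PasswordAuthentication no
  kbdinteractiveauthentication=no
PubkeyAuthentication yes
EOF
cat > "$tmp/looks_safe" <<'EOF'
PasswordAuthentication no
# keyboard-interactive left at its default of "yes"
Match User backup
    KbdInteractiveAuthentication no
EOF
for f in keys_only looks_safe; do
    if pubkey_only "$tmp/$f"; then echo "$f: public key only"
    else echo "$f: a password path is still open"; fi
done
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this parser is for reviewing a file offline.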