Re: Putting OPIE to rest
- Reply: Joe Schaefer : "Re: Putting OPIE to rest"
- Reply: Dag-Erling_Smørgrav : "Re: Putting OPIE to rest"
- In reply to: Dag-Erling_Smørgrav : "Putting OPIE to rest"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 15 Sep 2022 23:00:32 UTC
On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote: > I will be removing OPIE from the main branch within the next few days. > It has long outlived its usefulness. Anyone still using it should look > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator). > https://reviews.freebsd.org/D36592 At least so long as PAM remains available, OPIE should be maintained as a PAM option, and be updated. OPIE is the only PAM that allows printing out the future secure tokens. Old school, secure, it just works. HOTP requires hardware, TOTP requires time, neither are printable, both of those require some other [hackable] hw/sw device that costs $$$ money, and those devices all have different threat/failure/admin models than simple paper. If people don't like... - The hash algo, a volunteer committer can update it to sha256. - The list of words, a volunteer committer can update it to read from a list of admin supplied words in: /etc/opie_words.txt - The number of words, a volunteer committer can add an option to the config for that. - The writeable state breaking in a read-only root, a volunteer committer can add a config option to point that elsewhere. - The randomness, a volunteer committer can update it to modern randomness. And if people still don't like it, then commit those simple updates, and push it out to ports, instead of killing users use of it.