Re: Putting OPIE to rest

google-authenticator-libpam works for sudo controls?

On Thu, Sep 15, 2022 at 7:01 PM grarpamp <grarpamp@gmail.com> wrote:

> On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote:
> > I will be removing OPIE from the main branch within the next few days.
> > It has long outlived its usefulness.  Anyone still using it should look
> > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> > https://reviews.freebsd.org/D36592
>
> At least so long as PAM remains available, OPIE should be
> maintained as a PAM option, and be updated.
>
> OPIE is the only PAM that allows printing out the future
> secure tokens. Old school, secure, it just works.
>
> HOTP requires hardware, TOTP requires time,
> neither are printable, both of those require some other
> [hackable] hw/sw device that costs $$$ money, and
> those devices all have different threat/failure/admin models
> than simple paper.
>
> If people don't like...
> - The hash algo, a volunteer committer can update it to sha256.
> - The list of words, a volunteer committer can update it to
> read from a list of admin supplied words in:
> /etc/opie_words.txt
> - The number of words, a volunteer committer can add an
> option to the config for that.
> - The writeable state breaking in a read-only root, a volunteer
> committer can add a config option to point that elsewhere.
> - The randomness, a volunteer committer can update it
> to modern randomness.
>
> And if people still don't like it, then commit those simple updates,
> and push it out to ports, instead of killing users use of it.
>
>