From nobody Fri Sep 16 17:46:25 2022
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MThMc3CYWz4cgsg;
	Fri, 16 Sep 2022 17:46:36 +0000 (UTC)
	(envelope-from joesuf4@gmail.com)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4MThMb5lqwz42qc;
	Fri, 16 Sep 2022 17:46:35 +0000 (UTC)
	(envelope-from joesuf4@gmail.com)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-3321c2a8d4cso268566537b3.5;
        Fri, 16 Sep 2022 10:46:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date;
        bh=zwtq5yeA+nU4ulxspYZSesH3qS3nTTO92BYtD/QCM/g=;
        b=NgSMybG3fQRBFqtlvDgImHITueYcKbLqXdi9g82NhSY6GsbLVvPCSitaKLoHanh40l
         46znCljEhVDNo3ISosw1S3CwncqF5T5URgIKhBdke/LoeswQ5lwXCh1lbfM7LkiM6ylL
         CiGazY4V8AVCdxIzHrJF5D0xeAfk5/q37/os02ryhXqEIVlQEZaxKVZrHiy00lRtQiww
         tLbSeG/x9YCEe0Pz1SbnGZqYgwV3Q3N0coqKUO0FB/NFyOiMAstI77TEutTVUwmtMGFk
         wyNBVwZJg0abF63/oGl03hNft9BnHxGJ9+B+X7IEJRn7dciZGaQnIxuXOi6JxkV1VmKf
         dR0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date;
        bh=zwtq5yeA+nU4ulxspYZSesH3qS3nTTO92BYtD/QCM/g=;
        b=dpI5sz7+jNIDyVss2sR3QvorwnT+qn9R4aUx1MTHobDnGCGhrnaMNwTWnmk8Hr4H8D
         4115HAK9vSC5gNh735rbOYTbWWXTpL1a6ubcGJ88oi+LKOHUnU+yURIXgvg69uaRWZ1M
         uHT2W4qVuqfgEyc3V3uxJI6+gv1NcrH829Bf9Qd0MEocvkjL8bger9vqGvr5xJPcORqM
         bHlL/Ln9QSS/z9sbWAf/2c7+/QohKz0CN/r4KlGPkoWZd0/UDvPfCLg/nLUpfngF6Mio
         LYRNoIcsEBbcoODQJubuuTWOGF7qGCWdlUz63lI6eAdWv0STA/J0tZOFr2uzrkqvUE7T
         0Iuw==
X-Gm-Message-State: ACrzQf3Tw7sjsOmmPv2a4nGdB0MTEN0ogiaajVbDFWVZJZnlWT21hh7Q
	DB2/DskHmSDK4EVxpjeLhq6twug76Tem+cM3kbSMsGUW
X-Google-Smtp-Source: AMsMyM6CV985tnpYbYmeJratGe8px1tpb5is3vN2AOJe1oJAclas8sAmNq3noKs7Z5MLDzPalrj0nKCkHc/OOtGa86c=
X-Received: by 2002:a0d:cf83:0:b0:349:8534:589c with SMTP id
 r125-20020a0dcf83000000b003498534589cmr5229107ywd.356.1663350394728; Fri, 16
 Sep 2022 10:46:34 -0700 (PDT)
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
References: <86h718sqdx.fsf@ltc.des.no> <CAD2Ti2_AQCFJRWiwErEdn1hY0Qms0=znTx3T_CjDQ4kvoKG2OQ@mail.gmail.com>
 <CAOzHqcJUoGXUzgTzCsAP2U=oy9OvhU-HH-MYLrw1OZpjHj3v5w@mail.gmail.com>
In-Reply-To: <CAOzHqcJUoGXUzgTzCsAP2U=oy9OvhU-HH-MYLrw1OZpjHj3v5w@mail.gmail.com>
From: Joe Schaefer <joesuf4@gmail.com>
Date: Fri, 16 Sep 2022 13:46:25 -0400
Message-ID: <CAOzHqcLvZUqdJGMMPJgUMQpLs12HTL7HL_2nso6xMJthOkFNMw@mail.gmail.com>
Subject: Re: Putting OPIE to rest
To: grarpamp <grarpamp@gmail.com>
Cc: des@des.no, freebsd-current@freebsd.org, 
	freebsd-hackers <freebsd-hackers@freebsd.org>, freebsd-security@freebsd.org
Content-Type: multipart/alternative; boundary="0000000000006a347405e8cef1f6"
X-Rspamd-Queue-Id: 4MThMb5lqwz42qc
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=NgSMybG3;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (mx1.freebsd.org: domain of joesuf4@gmail.com designates 2607:f8b0:4864:20::1133 as permitted sender) smtp.mailfrom=joesuf4@gmail.com
X-Spamd-Result: default: False [-3.83 / 15.00];
	NEURAL_HAM_SHORT(-0.99)[-0.995];
	NEURAL_HAM_LONG(-0.96)[-0.958];
	NEURAL_HAM_MEDIUM(-0.88)[-0.879];
	DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112];
	R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::1133:from];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org,freebsd-hackers@freebsd.org,freebsd-security@freebsd.org];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	FREEMAIL_TO(0.00)[gmail.com];
	FROM_EQ_ENVFROM(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	ARC_NA(0.00)[];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	RCVD_COUNT_TWO(0.00)[2];
	TO_DN_SOME(0.00)[];
	FROM_HAS_DN(0.00)[];
	DKIM_TRACE(0.00)[gmail.com:+];
	FREEMAIL_FROM(0.00)[gmail.com];
	RCPT_COUNT_FIVE(0.00)[5];
	RCVD_TLS_LAST(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	DWL_DNSWL_NONE(0.00)[gmail.com:dkim]
X-ThisMailContainsUnwantedMimeParts: N

--0000000000006a347405e8cef1f6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Answering my own question: yes it can, but there's no "challenge" string
for TOTP nor HOTP.
If you want sha-1 in an "opie" framework, check out
https://github.com/SunStarSys/orthrus


On Thu, Sep 15, 2022 at 7:31 PM Joe Schaefer <joesuf4@gmail.com> wrote:

> google-authenticator-libpam works for sudo controls?
>
> On Thu, Sep 15, 2022 at 7:01 PM grarpamp <grarpamp@gmail.com> wrote:
>
>> On 9/15/22, Dag-Erling Sm=C3=B8rgrav <des@des.no> wrote:
>> > I will be removing OPIE from the main branch within the next few days.
>> > It has long outlived its usefulness.  Anyone still using it should loo=
k
>> > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
>> > https://reviews.freebsd.org/D36592
>>
>> At least so long as PAM remains available, OPIE should be
>> maintained as a PAM option, and be updated.
>>
>> OPIE is the only PAM that allows printing out the future
>> secure tokens. Old school, secure, it just works.
>>
>> HOTP requires hardware, TOTP requires time,
>> neither are printable, both of those require some other
>> [hackable] hw/sw device that costs $$$ money, and
>> those devices all have different threat/failure/admin models
>> than simple paper.
>>
>> If people don't like...
>> - The hash algo, a volunteer committer can update it to sha256.
>> - The list of words, a volunteer committer can update it to
>> read from a list of admin supplied words in:
>> /etc/opie_words.txt
>> - The number of words, a volunteer committer can add an
>> option to the config for that.
>> - The writeable state breaking in a read-only root, a volunteer
>> committer can add a config option to point that elsewhere.
>> - The randomness, a volunteer committer can update it
>> to modern randomness.
>>
>> And if people still don't like it, then commit those simple updates,
>> and push it out to ports, instead of killing users use of it.
>>
>>

--0000000000006a347405e8cef1f6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Answering my own question: yes it can, but there&#39;s no =
&quot;challenge&quot; string for TOTP nor HOTP.<div>If you want sha-1 in an=
 &quot;opie&quot; framework, check out <a href=3D"https://github.com/SunSta=
rSys/orthrus">https://github.com/SunStarSys/orthrus</a></div><div><br></div=
></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr"=
>On Thu, Sep 15, 2022 at 7:31 PM Joe Schaefer &lt;<a href=3D"mailto:joesuf4=
@gmail.com">joesuf4@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex"><div dir=3D"auto">google-authenticator-libpam =
works for sudo controls?</div><div><br><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Thu, Sep 15, 2022 at 7:01 PM grarpamp &lt;=
<a href=3D"mailto:grarpamp@gmail.com" target=3D"_blank">grarpamp@gmail.com<=
/a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">O=
n 9/15/22, Dag-Erling Sm=C3=B8rgrav &lt;<a href=3D"mailto:des@des.no" targe=
t=3D"_blank">des@des.no</a>&gt; wrote:<br>
&gt; I will be removing OPIE from the main branch within the next few days.=
<br>
&gt; It has long outlived its usefulness.=C2=A0 Anyone still using it shoul=
d look<br>
&gt; into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).=
<br>
&gt; <a href=3D"https://reviews.freebsd.org/D36592" rel=3D"noreferrer" targ=
et=3D"_blank">https://reviews.freebsd.org/D36592</a><br>
<br>
At least so long as PAM remains available, OPIE should be<br>
maintained as a PAM option, and be updated.<br>
<br>
OPIE is the only PAM that allows printing out the future<br>
secure tokens. Old school, secure, it just works.<br>
<br>
HOTP requires hardware, TOTP requires time,<br>
neither are printable, both of those require some other<br>
[hackable] hw/sw device that costs $$$ money, and<br>
those devices all have different threat/failure/admin models<br>
than simple paper.<br>
<br>
If people don&#39;t like...<br>
- The hash algo, a volunteer committer can update it to sha256.<br>
- The list of words, a volunteer committer can update it to<br>
read from a list of admin supplied words in:<br>
/etc/opie_words.txt<br>
- The number of words, a volunteer committer can add an<br>
option to the config for that.<br>
- The writeable state breaking in a read-only root, a volunteer<br>
committer can add a config option to point that elsewhere.<br>
- The randomness, a volunteer committer can update it<br>
to modern randomness.<br>
<br>
And if people still don&#39;t like it, then commit those simple updates,<br=
>
and push it out to ports, instead of killing users use of it.<br>
<br>
</blockquote></div></div>
</blockquote></div>

--0000000000006a347405e8cef1f6--