Re: Putting OPIE to rest

From: grarpamp <grarpamp_at_gmail.com>
Date: Thu, 15 Sep 2022 23:00:32 UTC

On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote:
> I will be removing OPIE from the main branch within the next few days.
> It has long outlived its usefulness.  Anyone still using it should look
> into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> https://reviews.freebsd.org/D36592

At least so long as PAM remains available, OPIE should be
maintained as a PAM option, and be updated.

OPIE is the only PAM that allows printing out the future
secure tokens. Old school, secure, it just works.

HOTP requires hardware, TOTP requires time,
neither are printable, both of those require some other
[hackable] hw/sw device that costs $$$ money, and
those devices all have different threat/failure/admin models
than simple paper.

If people don't like...
- The hash algo, a volunteer committer can update it to sha256.
- The list of words, a volunteer committer can update it to
  read from a list of admin supplied words in:
  /etc/opie_words.txt
- The number of words, a volunteer committer can add an
  option to the config for that.
- The writeable state breaking in a read-only root, a volunteer
  committer can add a config option to point that elsewhere.
- The randomness, a volunteer committer can update it
  to modern randomness.

And if people still don't like it, then commit those simple updates,
and push it out to ports, instead of killing users' use of it.
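
Added example, not part of the message above and not OPIE's code: a sketch of the hash-chain scheme behind printable one-time passwords (the RFC 2289 construction), with SHA-256 swapped in as the message suggests. The 16-byte truncation, the hex rendering instead of six words, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

WIDTH = 16  # bytes kept per link; an assumption (RFC 2289 folds to 8)


def step(value: bytes) -> bytes:
    """One link of the chain: SHA-256, truncated to WIDTH bytes."""
    return hashlib.sha256(value).digest()[:WIDTH]


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Password for sequence number seq: hash seed+passphrase, then seq more links."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = step(value)
    return value


def printable_sheet(passphrase: str, seed: str, current: int, n: int):
    """The next n passwords in the order they will be asked for (seq counts down)."""
    lowest = max(current - n, 0)
    return [(seq, otp(passphrase, seed, seq).hex())
            for seq in range(current - 1, lowest - 1, -1)]


class Verifier:
    """Server side: the only writable state is a counter and the last accepted password."""

    def __init__(self, seq: int, last: bytes):
        self.seq, self.last = seq, last

    def verify(self, response_hex: str) -> bool:
        if self.seq <= 0:          # chain used up, user must re-initialise
            return False
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        # The response must hash forward to the stored value.
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last, self.seq = candidate, self.seq - 1   # burn it: replay now fails
        return True


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    for seq, word in printable_sheet("correct horse battery", "fb2022", 5, 4):
        print(f"{seq:3d}  {word}")
```

The server never holds the passphrase, and a stolen copy of its state yields only an already-used password; the printed sheet, by contrast, must be protected like a key.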