From nobody Thu Sep 15 23:00:32 2022
From: grarpamp <grarpamp@gmail.com>
Date: Thu, 15 Sep 2022 19:00:32 -0400
Subject: Re: Putting OPIE to rest
To: freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, des@des.no
In-Reply-To: <86h718sqdx.fsf@ltc.des.no>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On 9/15/22, Dag-Erling Smørgrav wrote:
> I will be removing OPIE from the main branch within the next few days.
> It has long outlived its usefulness. Anyone still using it should look
> into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> https://reviews.freebsd.org/D36592

At least so long as PAM remains available, OPIE should be maintained as a
PAM option, and be updated.

OPIE is the only PAM that allows printing out the future secure tokens.
Old school, secure, it just works. HOTP requires hardware, TOTP requires
time, neither is printable, both of those require some other [hackable]
hw/sw device that costs $$$ money, and those devices all have different
threat/failure/admin models than simple paper.

If people don't like...

- The hash algo, a volunteer committer can update it to sha256.
- The list of words, a volunteer committer can update it to read from a
  list of admin supplied words in: /etc/opie_words.txt
- The number of words, a volunteer committer can add an option to the
  config for that.
- The writeable state breaking in a read-only root, a volunteer committer
  can add a config option to point that elsewhere.
- The randomness, a volunteer committer can update it to modern randomness.
And if people still don't like it, then commit those simple updates, and
push it out to ports, instead of killing users' use of it.
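An added example, not part of this message and not FreeBSD's OPIE code: a Python model of the S/Key-style hash chain (RFC 1760) that OPIE is built on. It shows the three properties the thread argues over: the future tokens are a pure function of seed and passphrase, so a user can print a sheet of them in advance (the opiekey(1) workflow); the server keeps only the last accepted value and must overwrite it after every login, which is the writable state mentioned above; and the hash is a parameter, so the same chain runs over md5 (OPIE's default) or sha256. Assumptions: the 64-bit XOR fold and the seed+passphrase derivation follow RFC 1760, but tokens are shown as 16 hex digits instead of OPIE's six-word encoding, and `OtpVerifier`, `printable_otps`, the seed and the passphrase are illustrative names and constructed inputs.

```python
"""S/Key / OPIE-style one-time password chain (Lamport hash chain).

Added example, not OPIE's own code. Assumptions: RFC 1760 style 64-bit
fold and seed||passphrase derivation; hex output instead of the six-word
dictionary encoding; hash algorithm selectable (md5 is OPIE's default).
"""
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """XOR successive 8-byte blocks of a digest down to 64 bits."""
    out = bytearray(8)
    for i in range(0, len(digest), 8):
        block = digest[i:i + 8].ljust(8, b"\0")
        for j in range(8):
            out[j] ^= block[j]
    return bytes(out)


def h(value: bytes, algo: str) -> bytes:
    """One chain step: hash the 64-bit value and fold back to 64 bits."""
    return fold64(hashlib.new(algo, value).digest())


def build_chain(passphrase: str, seed: str, n: int, algo: str = "md5") -> list:
    """Return [x0, H(x0), ..., H^n(x0)] with x0 = fold64(hash(seed + passphrase))."""
    x = fold64(hashlib.new(algo, (seed.lower() + passphrase).encode()).digest())
    chain = [x]
    for _ in range(n):
        x = h(x, algo)
        chain.append(x)
    return chain


def printable_otps(passphrase: str, seed: str, n: int, count: int,
                   algo: str = "md5") -> list:
    """Next `count` (sequence, token) pairs in the order they will be consumed.

    The server was enrolled at sequence n and stores H^n(x0). The token for
    sequence k is H^k(x0), so the sheet runs k = n-1, n-2, ... and can be
    computed (and printed on paper) entirely offline from seed + passphrase.
    """
    chain = build_chain(passphrase, seed, n, algo)
    return [(k, chain[k].hex()) for k in range(n - 1, n - 1 - count, -1)]


class OtpVerifier:
    """Server side: keeps only the last accepted value and its sequence number.

    This state is rewritten on every successful login, which is why OPIE's
    /etc/opiekeys has to live on writable storage.
    """

    def __init__(self, seed: str, sequence: int, last_value: bytes, algo: str = "md5"):
        self.seed, self.sequence, self.last_value, self.algo = seed, sequence, last_value, algo

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int, algo: str = "md5"):
        # The server stores H^n(x0); it never learns the passphrase.
        return cls(seed, n, build_chain(passphrase, seed, n, algo)[n], algo)

    def challenge(self) -> str:
        """What the login prompt shows, e.g. 'otp-md5 99 fr2481'."""
        return f"otp-{self.algo} {self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        if self.sequence <= 0:
            return False  # chain exhausted: user must re-enrol with a new seed
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        # Accept iff hashing the response once yields the stored value.
        if not hmac.compare_digest(h(candidate, self.algo), self.last_value):
            return False
        self.last_value = candidate  # state change that must be persisted
        self.sequence -= 1
        return True


def demo(algo: str = "md5"):
    """Enrol, print three tokens, log in twice, then replay the second token."""
    passphrase, seed, n = "correct horse battery staple", "fr2481", 100  # constructed
    server = OtpVerifier.enroll(passphrase, seed, n, algo)
    sheet = printable_otps(passphrase, seed, n, 3, algo)
    logins = [server.verify(sheet[0][1]), server.verify(sheet[1][1])]
    replay = server.verify(sheet[1][1])  # same token again must fail
    return sheet, logins, replay, server.sequence


if __name__ == "__main__":
    sheet, logins, replay, seq = demo("sha256")
    for k, tok in sheet:
        print(f"seq {k}: {tok}")
    print("logins:", logins, "replay accepted:", replay, "server seq:", seq)
```

A replayed token fails because the server now stores that very value, and hashing it once yields the next link, not itself; an attacker who captures a token learns nothing about the earlier (lower-sequence) ones without inverting the hash. Switching `algo` to `"sha256"` changes nothing else in the protocol, which is the point of the "update it to sha256" bullet above.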