OPIE considered insecure
Jason Stone
freebsd-security at dfmm.org
Mon Feb 9 14:20:29 PST 2009
>> I also prefer current OPIE to copying SSH private keys to untrusted
>> machines.
> The machine you are logging IN TO does not require your private key,
> just your public key.
Right, but that's not the problem they're trying to solve. They're trying
to solve the problem of logging in _from_ an untrusted machine, to a
trusted machine.
So, an alternative might be to carry around a USB key with a one-time
private key, different from your normal private keys, and have the public
key command-squashed on the server to remove itself from authorized_keys
before running the shell.
You could generate several, each with a different passphrase (assuming
that you could manage to remember that many passphrases and which keys
they go with), and get a similar effect to printing out a card with the
next ten OPIE passwords.
-Jason
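As an added illustration of the self-removing key Jason describes (example code, not from the post or from FreeBSD/OpenSSH), the forced command below revokes the authorized_keys line that was just used and only then hands the session to the user's shell. The install path /usr/local/bin/onetime-login, the key tag otk-usb1, the key material in the demo and the default ~/.ssh/authorized_keys location are all assumptions; the sample key file is constructed, not a real one.

```shell
#!/bin/sh
# onetime-login: forced command that revokes the single-use SSH key that was
# just used, then hands the session to the user's shell.  Added example, not
# code from the original post.  Assumed authorized_keys line (the path, the
# tag "otk-usb1" and the key material are hypothetical):
#
#   command="/usr/local/bin/onetime-login otk-usb1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...base64... otk-usb1
#
# sshd consults authorized_keys on every authentication, so once the line is
# gone the private key left behind on the untrusted machine authenticates nothing.
set -u

AUTH_KEYS="${AUTH_KEYS:-$HOME/.ssh/authorized_keys}"

# revoke_key FILE TAG
# Drop every line of FILE whose last field (the key comment) equals TAG.
# The file is rewritten via a temp file and mv so that a crash midway cannot
# leave a truncated authorized_keys.  Returns 0 only if exactly one line went.
# The tag must be the whole final field: a comment like "otk-usb1 extra" does
# not match.
revoke_key() {
    file=$1
    tag=$2
    tmp="$file.$$.tmp"
    before=$(wc -l < "$file")
    # Compare the whole final field, so a TAG that merely appears inside
    # another key's base64 blob or options does not revoke the wrong key.
    awk -v tag="$tag" '$NF != tag' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    after=$(wc -l < "$tmp")
    chmod 600 "$tmp"
    mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    [ $((before - after)) -eq 1 ]
}

# Forced-command entry point: revoke first, then exec the shell.  If the
# revocation fails, refuse the login rather than leave a reusable key behind.
main() {
    tag=${1:?usage: onetime-login TAG}
    if ! revoke_key "$AUTH_KEYS" "$tag"; then
        echo "onetime-login: could not revoke key '$tag'; refusing login" >&2
        exit 1
    fi
    shell=${SHELL:-/bin/sh}
    # Honour "ssh host cmd" the way a normal login would; otherwise give a
    # login shell.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "$shell" -l
}

# demo: run revoke_key against a constructed authorized_keys in a temp dir
# (sample data, not a real key file) and print the file before and after.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/authorized_keys"
    printf '%s\n' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0sample keep@laptop' \
        'command="/usr/local/bin/onetime-login otk-usb1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1sample otk-usb1' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2sample other@desktop' > "$f"
    echo "before:"; cat "$f"
    revoke_key "$f" otk-usb1 && echo "revoked otk-usb1"
    echo "after:"; cat "$f"
    rm -rf "$dir"
}

# With a TAG argument (how sshd invokes it) act as the forced command;
# with no arguments run the demo.
if [ $# -eq 0 ]; then demo; else main "$@"; fi
```

Two caveats a practitioner should keep in mind. First, the key is checked by sshd before the forced command runs, so two connections that both authenticate with the same key inside that window both get in; the script narrows the window by revoking before it does anything else, but cannot close it. Second, the untrusted machine may well keep a copy of the private key and the passphrase you typed; the scheme is sound only because the server stops honouring that key the moment the line is gone, which is why main refuses the login rather than proceeding when revocation fails.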
More information about the freebsd-security mailing list