PHK's MD5 might not be slow enough anymore

Dag-Erling Smørgrav des at des.no
Wed Feb 3 22:27:58 UTC 2010


Matthew Dillon <dillon at apollo.backplane.com> writes:
> The vast majority of BSD users don't need PAM's capabilities when it
> comes to ssh.

You clearly don't understand what PAM does.

> And if you are really going to insist on changing the option around
> the least you could have done was uncomment the related options and
> set them to a definitive 'no' value (that would be ChallengeResponse
> at the very least) when you made the other changes.

You clearly don't understand what the ChallengeResponse option does.

> In any case, I think Mr Barton's posting was excellent.  We already
> ship with PasswordAuthentication set to 'no' and, of course, PAM is
> disabled by default, but I am going to make further adjustments to
> our sshd_config based on Doug's suggestions plus I will also
> uncomment ChallengeResponseAuthentication and set that to 'no' too
> as a further safety measure.

...leaving your users with no other option than keys.  No OPIE, no
Radius, no nothing - just keys.  You do realize that users have the
option to store their keys unencrypted, and there is nothing you can do
on the server side to prevent them?  That's even *less* secure than
passwords.

DES
-- 
Dag-Erling Smørgrav - des at des.no
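Added illustration (my own code, not from the thread or from either BSD project): a small parser that applies stock OpenSSH defaults to an sshd_config fragment, so a commented-out option shows up as still at its default, and reports which authentication methods the server would still offer. The DEFAULTS table is an assumption about stock OpenSSH; confirm it against `sshd -T` on your own host.

```python
# Added example: apply stock OpenSSH defaults to an sshd_config fragment so
# that commented-out lines count as "still default", then list the methods.

# Stock OpenSSH defaults as assumed here; verify with `sshd -T` on your host.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Effective option values: explicit settings override DEFAULTS.
    Lines starting with '#' are comments and therefore change nothing."""
    effective = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in effective:
            effective[key] = value
    return effective

def auth_methods(text):
    """Client-visible methods plus whether PAM-backed methods (OPIE,
    RADIUS, ...) can still be reached through keyboard-interactive."""
    cfg = parse_sshd_config(text)
    methods = set()
    if cfg["pubkeyauthentication"] == "yes":
        methods.add("publickey")
    if cfg["passwordauthentication"] == "yes":
        methods.add("password")
    # ChallengeResponseAuthentication gates keyboard-interactive, which is
    # the path PAM modules use once UsePAM is yes.
    if cfg["challengeresponseauthentication"] == "yes":
        methods.add("keyboard-interactive")
    pam_reachable = cfg["usepam"] == "yes" and "keyboard-interactive" in methods
    return sorted(methods), pam_reachable

# Constructed samples: the option merely commented out versus an explicit 'no'.
COMMENTED = "PasswordAuthentication no\n#ChallengeResponseAuthentication no\nUsePAM yes\n"
EXPLICIT = "PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n"

if __name__ == "__main__":
    for name, cfg in (("commented", COMMENTED), ("explicit", EXPLICIT)):
        print(name, auth_methods(cfg))
```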


More information about the freebsd-security mailing list