It's not possible to allow non-OPIE logins only from trusted networks

Lionel Flandrin simias.n at gmail.com
Thu Mar 10 20:55:57 UTC 2011


On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> 
> Qui, 2011-03-10 às 19:20 +0100, Remko Lodder escreveu:
> > > Yes, that's right. That would solve a whole lot of other problems too.
> > > It's true that I'm using SSH in many cases just as an easy to administer
> > > VPN. I've been postponing that for years. But I would need something
> > > that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> > > for any client.
> > 
> > 
> > 
> > so with the pfsense project we have this thing integrated that is called OpenVPN.
> > Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes because
> > it's as secure as possible in this world :)) network between them. I pushed it to my
> > parents who are (sigh) using Windows, I use it from my Mac (Viscosity) and hell
> > it even works on Linux/Gentoo..
> > 
> > And it's all.. free :-)
> > 
> > Cheers
> > Remko
> 
> Thanks. I'll probably be looking into that sooner or later.
> 
> However, OPIE, nobody cares about OPIE?

Hi,

I do care about OPIE, but it has many shortcomings arguably more
critical than the one you're pointing out. What bothers me most is the
absence of a prefix password and the possibility that someone may
highjack my session if he's replaying my input and sends the \n before
I do. See the wikipedia page about OTPW[1] for a more detailed
explanation about that. OTPW is an alternative to OPIE that aims at
correcting these issues.

I'd try to install and configure OTPW on my server to replace OPIE,
but it's not in the ports and I don't know PAM well enough to try and
mess with it, I would probably end up opening more security holes than
I'm fixing.

Since these days many of us use cell phones where it's easy to write
and distribute challenge/response generators I don't understand why
there seems to be so little interest in developing and improving one
time passwords solutions (including for websites, I wonder how many
facebook/twitter/whatever accounts I could steal by putting keyloggers
in an internet cafe).

I would gladly look into it myself but the subject is so security
critical that I'm a little put off. If one of you knows of a project
working on improving or replacing OPIE, I would gladly look into it
and try to contribute if I can. Maybe this project _is_ OTPW? Why
isn't it in the ports yet when the Wikipedia article claims it
supports FreeBSD? Has anyone here tried it?

As for OpenVPN, it is a really good piece of software and you should
have a look at it, but I can imagine scenarios where a one time
password would be better suited than a complete VPN setup (for
instance I use OPIE and shellinabox[2] over HTTPS to connect to my
server from anywhere I can find a web browser, no need to install any
additional software).

[1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
[2] https://code.google.com/p/shellinabox/

Cheers,
-- 
Lionel Flandrin
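As an added illustration (not part of this message and not OTPW's or OPIE's own code), the following Python sketches the prefix-password idea the message refers to: the server stores only a hash of prefix password plus one-time password and burns each entry after a single use, so neither a stolen printed list on its own nor a replayed response is accepted. The hash format, the prefix "correct-horse" and the list size are constructed for the example; OTPW's real on-disk format and its defence against the keystroke race (demanding several passwords when logins collide) are not modelled.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _digest(prefix: str, otp: str) -> str:
    # The server keeps only this hash, never the prefix or the OTP (assumed format).
    return hashlib.sha256((prefix + otp).encode()).hexdigest()


def make_password_list(prefix: str, count: int) -> tuple[list[str], list[str]]:
    """Return (printable one-time passwords, server-side hash list).
    The user keeps the first on paper and the prefix in their head."""
    otps = [secrets.token_hex(4) for _ in range(count)]
    return otps, [_digest(prefix, o) for o in otps]


class PrefixOtpVerifier:
    """Verifier that invalidates each entry after one successful use."""

    def __init__(self, hashes: list[str]) -> None:
        self._hashes: list[Optional[str]] = list(hashes)

    def challenge(self) -> int:
        """Pick an unused entry index to ask for (raises once the list is spent)."""
        return secrets.choice([i for i, h in enumerate(self._hashes) if h is not None])

    def verify(self, index: int, typed: str) -> bool:
        expected = self._hashes[index]
        if expected is None:  # already consumed: a replayed old response
            return False
        got = hashlib.sha256(typed.encode()).hexdigest()
        if not hmac.compare_digest(got, expected):
            return False
        self._hashes[index] = None  # single use: burn the entry
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario: genuine login, replay, and stolen-list-only attempt."""
    prefix = "correct-horse"  # constructed prefix password, never sent to disk
    otps, hashes = make_password_list(prefix, 5)
    v = PrefixOtpVerifier(hashes)
    i = v.challenge()
    genuine = v.verify(i, prefix + otps[i])
    replayed = v.verify(i, prefix + otps[i])  # same response typed again
    j = v.challenge()
    list_only = v.verify(j, otps[j])  # printed list stolen, prefix unknown
    return {"genuine": genuine, "replayed": replayed, "list_only": list_only}
```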