It's not possible to allow non-OPIE logins only from trusted networks

Miguel Lopes Santos Ramos mbox at miguel.ramos.name
Thu Mar 10 23:09:35 UTC 2011


Qui, 2011-03-10 às 20:26 +0000, Lionel Flandrin escreveu:
> On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> > 
> > Thanks. I'll probably be looking into that sooner or later.
> > 
> > However, OPIE, nobody cares about OPIE?
> 
> Hi,
> 
> I do care about OPIE,

Thanks!!

>  but it has many shortcomings arguably more
> critical than the one you're pointing out. What bothers me most is the
> absence of a prefix password and the possibility that someone may
> hijack my session if he's replaying my input and sends the \n before
> I do. See the wikipedia page about OTPW[1] for a more detailed
> explanation about that. OTPW is an alternative to OPIE that aims at
> correcting these issues.

Well, I had never heard of OTPW, thanks for the pointer. But I'm not
concerned about those problems you mentioned:

- As to the possibility of someone hijacking my session and sending \n
before I do, I don't care for that because I only use SSH (the same
comment would apply to your solution with https). That problem would be
valid for cleartext sessions not encrypted with a session key. If
someone can hijack my SSH session... hey, then all is lost in any case,
the least I care about then is my password...

- About prefix passwords, I just gave that wikipedia page a quick
read, but that seems to me important for the case where you take a list
of passwords with you, and I wouldn't do that. And because OTPW is to be
used like that, I don't think I would use it. I use OPIE when I have no
other solution, I didn't take anything with me. At any moment, I
download an OTP calculator and log in. If I'm supposed to carry
anything, I'll prefer to carry an SSH key, a lot safer.

- The objection on S/KEY on that wiki page, that it's possible to
compute all previous passwords, is a bit odd, since past passwords won't
be used anymore.

- That S/KEY uses small english words actually helps a lot.


> I'd try to install and configure OTPW on my server to replace OPIE,
> but it's not in the ports and I don't know PAM well enough to try and
> mess with it, I would probably end up opening more security holes than
> I'm fixing.
> 
> Since these days many of us use cell phones where it's easy to write
> and distribute challenge/response generators I don't understand why
> there seems to be so little interest in developing and improving one
> time passwords solutions (including for websites, I wonder how many
> facebook/twitter/whatever accounts I could steal by putting keyloggers
> in an internet cafe).

One time passwords made the most sense with insecure connections. Over a
secure session, such as ssh or https, in principle, a strong password is
just as strong. One time passwords add no security if in the end it all
amounts to a brute force attack.

However, to me, in practice, they do add security, because:
- One time passwords lead to a larger search space, except when compared
to random passwords. Random passwords however end up having to be
written in something that must be carried.
- Obviously, it's an additional layer of security that the attacker
would have to be aware of (even though this counts as zero).
- One time passwords don't get compromised as easily, because you would
have to be really foolish to use your passphrase anywhere else or write
it down.


So, it really is questionable if they are any better in the world of
encrypted connections.


> I would gladly look into it myself but the subject is so security
> critical that I'm a little put off. If one of you knows of a project
> working on improving or replacing OPIE, I would gladly look into it
> and try to contribute if I can. Maybe this project _is_ OTPW? Why
> isn't it in the ports yet when the Wikipedia article claims it
> supports FreeBSD? Has anyone here tried it?
> 
> As for OpenVPN, it is a really good piece of software and you should
> have a look at it, but I can imagine scenarios where a one time
> password would be better suited than a complete VPN setup (For
> instance I use OPIE and shellinabox[2] over HTTPS to connect to my
> server from anywhere I can find a web browser, no need to install any
> additional software).
> 
> [1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
> [2] https://code.google.com/p/shellinabox/
> 
> Cheers,


Thanks for the pointers. That shellinabox is really cool.
However, to me it's a lot easier to setup OpenSSH than it is to setup an
https web server. I don't mind having to install PuTTY or FileZilla once
a week, I already can navigate Simon Tatham's home page blindfolded.

Regards,

-- 
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
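The S/KEY property argued about above (that from one captured one-time password you can compute every earlier one, but not the next one) is easy to see in code. The following is an added example, not code from this thread or from OPIE itself: it implements the MD5 variant of the RFC 2289 hash chain that OPIE uses (hash, then fold the 128-bit digest to 64 bits by XORing the two halves), a minimal verifier that keeps the sequence number and last accepted hash the way the server side does, and the "derive previous passwords" step. The passphrase, seed, class and function names are all made up for the illustration; the challenge string only imitates the shape of an OPIE prompt. RFC 2289 Appendix C lists test vectors against which the `otp` function can be checked.

```python
import hashlib

# Constructed sample credentials for the example (not real ones).
PASSPHRASE = "This is a test."
SEED = "TeSt"


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the first 64 bits with the last 64 bits."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count`.

    Initial step: fold(seed || passphrase), with the seed lowercased as the RFC
    requires; then `count` further fold steps.  So the password for count N
    is fold(password for count N-1): the chain runs *towards* higher counts,
    which is why knowing count N does not give you count N-1.
    """
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def hex_response(password: bytes) -> str:
    """Hex form a user would type back, in the usual four groups of four."""
    h = password.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpVerifier:
    """Server-side state for one user (hypothetical name), mirroring what the
    verifier must store: the next sequence number and the last accepted hash.
    The passphrase itself never reaches the server."""

    def __init__(self, initial_password: bytes, seed: str, n: int):
        self.seed = seed
        self.last = initial_password   # otp(passphrase, seed, n), computed client-side
        self.seq = n - 1               # the count the user must answer with next

    def challenge(self) -> str:
        # Shape imitates an OPIE prompt; exact wording is an assumption.
        return f"otp-md5 {self.seq} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq < 0:
            return False               # chain exhausted; user must re-initialise
        if fold_md5(response) != self.last:
            return False               # wrong value, or a replay of an old one
        self.last = response
        self.seq -= 1
        return True


def previous_passwords(captured: bytes, captured_seq: int, up_to_seq: int):
    """The objection from the OTPW page: from the password for sequence s an
    eavesdropper recomputes those for s+1 .. up_to_seq by hashing forward.
    They are all already used, so the verifier will reject every one of them."""
    out = []
    value = captured
    for s in range(captured_seq + 1, up_to_seq + 1):
        value = fold_md5(value)
        out.append((s, value))
    return out


def demo():
    # Initialisation: the user registers otp(99); the server then asks for 98, 97, ...
    server = OtpVerifier(otp(PASSPHRASE, SEED, 99), SEED, 99)

    first_login = server.verify(otp(PASSPHRASE, SEED, 98))       # True
    replay = server.verify(otp(PASSPHRASE, SEED, 98))            # False: already used
    second_login = server.verify(otp(PASSPHRASE, SEED, 97))      # True

    # An eavesdropper who saw the count-97 response can rebuild 98 and 99 ...
    derived = previous_passwords(otp(PASSPHRASE, SEED, 97), 97, 99)
    derived_match = all(v == otp(PASSPHRASE, SEED, s) for s, v in derived)

    # ... but hashing forward again only yields count 98, not the count 96 the
    # server now wants; without the passphrase the next password is out of reach.
    forward_guess = server.verify(fold_md5(otp(PASSPHRASE, SEED, 97)))   # False

    return first_login, replay, second_login, derived_match, forward_guess


if __name__ == "__main__":
    print(hex_response(otp(PASSPHRASE, SEED, 0)))
    print(demo())
```

The verifier never stores anything an attacker could use to go down the chain: the stored value is the hash of the next acceptable response, which is exactly what makes a captured old response useless. What the chain does not protect against is an active attacker on an unencrypted link who takes over the session after the password has been accepted, which is the point made in the thread about using it only over SSH.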

