It's not possible to allow non-OPIE logins only from trusted networks

Miguel Lopes Santos Ramos mbox at miguel.ramos.name
Sat Mar 12 22:15:29 UTC 2011


Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:
(...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
(...)
> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4 digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack tho.

The math of that sounds a bit hard...
You're talking about OTPW, not OPIE, isn't it?

(...)
> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!),
even when I use OPIE (because I don't use a separate device, a cell
phone).
Somewhere we have to draw a line, and my line is there. But when I look
around me, to my physical/social environment, I feel pretty confident. I
guess the most real risk I face is someone pointing a knife at me...


My problem with passwords, even passwords generated by dd if=/dev/random
bs=6 count=1 | base64, is seeing dozens, sometimes hundreds of login
attempts per day at any SSH server I open. Even though they're stupid
attempts, which don't even guess a valid username (which is pretty easy,
let me tell you), they make me feel that an 8-character random password
can be guessed by accident.
In my physical environment, I don't see the slightest threat (at least
not one which does not involve knives).


-- 
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
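As an added illustration of the two points in Miguel's last paragraph (this is example code written for this archive page, not anything posted in the thread): the first half tallies failed SSH password attempts per source and per username from a few constructed sshd log lines in the common syslog format, separating guesses against non-existent accounts, and the second half works out how much entropy the quoted `dd if=/dev/random bs=6 count=1 | base64` recipe actually yields and how likely blind guessing at the observed rate is to hit it. The log lines, hostnames and addresses are constructed sample data; the regular expressions assume OpenSSH's usual "Failed password for ..." wording.

```python
import math
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Mar 12 21:01:17 gw sshd[5123]: Invalid user oracle from 198.51.100.23
Mar 12 21:01:19 gw sshd[5123]: Failed password for invalid user oracle from 198.51.100.23 port 44122 ssh2
Mar 12 21:01:24 gw sshd[5127]: Invalid user test from 198.51.100.23
Mar 12 21:01:26 gw sshd[5127]: Failed password for invalid user test from 198.51.100.23 port 44130 ssh2
Mar 12 21:03:40 gw sshd[5140]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 12 21:03:44 gw sshd[5140]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 12 21:05:02 gw sshd[5152]: Accepted publickey for miguel from 192.0.2.10 port 50022 ssh2
Mar 12 21:06:11 gw sshd[5160]: Failed password for miguel from 203.0.113.7 port 51010 ssh2
"""

# Assumed OpenSSH wording; "invalid user" marks a guess against a
# username that does not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def summarize_failures(log_text):
    """Count failed password attempts per source address and per username.

    Returns (per_source, per_user, invalid_user_attempts). Only
    "Failed password" lines count as attempts, so the separate
    "Invalid user" line sshd logs first is not double-counted.
    """
    per_source = Counter()
    per_user = Counter()
    invalid_user_attempts = 0
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        per_source[m.group("src")] += 1
        per_user[m.group("user")] += 1
        if m.group("invalid"):
            invalid_user_attempts += 1
    return per_source, per_user, invalid_user_attempts


def password_bits(random_bytes):
    """Entropy of a password built from `random_bytes` bytes of /dev/random.

    base64 only re-encodes the bytes; it adds no entropy. bs=6 gives
    48 bits, printed as 8 base64 characters.
    """
    return 8 * random_bytes


def base64_length(random_bytes):
    """Characters base64 prints for `random_bytes` bytes (padded to 4)."""
    return 4 * math.ceil(random_bytes / 3)


def guess_probability(bits, attempts):
    """Chance that `attempts` distinct random guesses hit a uniform
    `bits`-bit secret (capped at certainty)."""
    return min(1.0, attempts / 2 ** bits)


def expected_years_to_guess(bits, attempts_per_day):
    """Average time in years for blind guessing at a steady rate to
    succeed: half the keyspace is searched on average."""
    return 2 ** (bits - 1) / attempts_per_day / 365.0


if __name__ == "__main__":
    per_source, per_user, invalid = summarize_failures(SAMPLE_AUTH_LOG)
    print("failed attempts per source:", dict(per_source))
    print("failed attempts per user:  ", dict(per_user))
    print("attempts against non-existent users:", invalid)

    bits = password_bits(6)
    print(f"bs=6 -> {bits} bits, {base64_length(6)} base64 characters")
    daily = 100  # the "hundreds of attempts per day" order of magnitude
    print(f"P(guessed in a year at {daily}/day) ="
          f" {guess_probability(bits, daily * 365):.2e}")
    print(f"expected years to guess: {expected_years_to_guess(bits, daily):.2e}")
```

The arithmetic is the point: a bot that cannot even pick a valid username and makes a hundred guesses a day would need on the order of a billion years against 48 bits of real randomness, so the uneasy feeling the post describes is about the noise in the logs, not the odds. The tally by source and by non-existent username is the kind of summary that makes that noise easy to rate-limit or alert on.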

