It's not possible to allow non-OPIE logins only from trusted
networks
Peter Jeremy
peterjeremy at acm.org
Sun Mar 13 22:07:30 UTC 2011
On 2011-Mar-10 23:09:07 +0000, Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> wrote:
>- The objection on S/KEY on that wiki page, that it's possible to
>compute all previous passwords, is a bit odd, since past passwords won't
>be used anymore.
One weakness of S/KEY and OPIE is that if an attacker finds the
password (response) for sequence N then they can trivially determine
the response for any sequence > N. This could occur if (eg) you have
a printout of OPIE keys and are just crossing them off (which was a
common recommendation prior to smart phones etc) - an attacker just
needs to memorise the lowest N and response.
--
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110313/d86be1cf/attachment.pgp
More information about the freebsd-security
mailing list