It's not possible to allow non-OPIE logins only from trusted
networks
Dag-Erling Smørgrav
des at des.no
Tue Mar 15 10:43:26 UTC 2011
Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> writes:
> Ok, admittedly, it took me a while to see in what way that could be a
> weekness. It's a bit like hoping for a little remaining security after
> the password list was compromised.
OPIE is not designed to protect against a stolen password list; it is
designed to protect against replay attacks.
With a key calculator, there is no password list to steal - but you need
to make sure that nobody can sniff or shoulder-surf the password you
type into the calculator. I know of at least one Java ME key calculator
that will run on most Java-enabled smartphones. Unfortunately for Apple
otakus, this does not include the iPhone, but the good news is that they
can get a real phone for considerably less money.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list