Untrusted terminals: OPIE vs security/pam_google_authenticator

Victor Sudakov vas at mpeks.tomsk.su
Wed Jun 19 02:05:15 UTC 2019


Robert Simmons wrote:
> 
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. 

In my case, no page is involved, just the FreeOTP app on my Android
phone (which is less convenient than a sheet of paper with OPIE
passwords, but I can live with that).

> U2F protocol is even better, and can't be
> intercepted via phishing.
> 
> There are U2F libraries in ports.
> 
> https://en.wikipedia.org/wiki/Universal_2nd_Factor

U2F (and Yubikey) require purchase of hardware devices. In this sense,
they are not replacements for OPIE, which is a pure software solution. 

Back to my original question.

1. Is it safe to keep OPIE in the base system? Its upstream project
is gone. It is not IPv6 ready. It uses MD5.

2. If OPIE is not safe anymore, which is a good software replacement? 

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/