Untrusted terminals: OPIE vs security/pam_google_authenticator
Victor Sudakov
vas at mpeks.tomsk.su
Wed Jun 19 03:42:58 UTC 2019
Roger Marquis wrote:

> > In my case, no page is involved, just the FreeOTP app on my Android
> > phone (which is less convenient than a sheet of paper with OPIE
> > passwords, but I can live with that).
>
> FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require
> no privacy invading "push" notifications and are open source.

Would you rely on security/pam_google_authenticator+FreeOTP as the
*single* authentication for ssh (not as an extra authentication factor)?
In other words, as a "sufficient" PAM module?

> Just wish
> more sites would publish numeric codes instead of gimmicky QR codes.

Oh, I love the QR codes google-authenticator generates in
character-based terminals. Very stylish, and convenient to scan with
the FreeOTP app.

Do you know if there is a FreeOTP generator for the FreeBSD console,
like /usr/bin/otp-md5 ?

> That said there are still plenty of us who also use OPIE. The passcodes
> are a solid T/HOTP fallback, aren't subject to seizure by border agents
> having a bad day, can be easily copied and stored on paper and have zero
> dependencies on 3rd parties.
>
> That's not to say that OPIE should be kept in base though. There's
> already way too much unused legacy cruft in FreeBSD base. Ports are the
> right tool for that job.

Is there a way to keep some software in ports, if the original project is
dead?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
More information about the freebsd-security
mailing list