Date: Mon, 2 Mar 2009 13:30:34 -0800
From: David Wolfskill <david@catwhisker.org>
To: Chris Palmer <chris@noncombatant.org>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure
Message-ID: <20090302213034.GM65706@albert.catwhisker.org>
In-Reply-To: <20090302211932.GZ5602@noncombatant.org>
References: <20090302021415.GU5602@noncombatant.org>
 <200903021410.00093.mail@maxlor.com>
 <20090302021415.GU5602@noncombatant.org>
 <87sklwiptp.fsf@jehiel.elehack.net>
 <20090302211932.GZ5602@noncombatant.org>

On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
> ...
> Benjamin Lutz writes:
>
> > Because the inconvenience of not using whatever service or data the server is
> > providing is considered greater than the security risk.
>
> But isn't regular password authentication the most convenient of all?

Not in my experience, no.

I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very
early, so all processes run under that environment get the benefit of
the cached authentication credentials I thus set up.

Then I can login to most machines I care about directly, without
requiring additional authentication.

To me, that's far more convenient than ensuring that I'm around & paying
attention whenever some random process (e.g., a CVS update) wants a
password.

And I strongly suspect that it's better security than a password.

For my externally-visible sshd, there's no way I'd use a reusable
password for authentication. As things presently stand, I only permit
SSH public key authentication for that use.

> ...

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.