Date:      Tue, 18 Jun 2019 09:02:17 -0400
From:      Robert Simmons <rsimmons0@gmail.com>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID:  <CA%2BQLa9AkOwM14nxgXmmiH8TFewaT6HGjq7vzRQ5u4YNFNh-W-w@mail.gmail.com>
In-Reply-To: <20190618075954.GA30296@admin.sibptus.ru>
References:  <20190618075954.GA30296@admin.sibptus.ru>

Victor,

To throw a new wrinkle in the equation: Google Authenticator codes can be
intercepted by a phishing page. The U2F protocol is even better, and can't be
intercepted via phishing.

There are U2F libraries in ports.

https://en.wikipedia.org/wiki/Universal_2nd_Factor

Cheers,
Rob

On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas@mpeks.tomsk.su> wrote:

> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to log in to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/
>


