From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: Lionel Flandrin
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Date: Thu, 10 Mar 2011 23:09:07 +0000
Message-ID: <1299798547.20831.59.camel@w500.local>
In-Reply-To: <20110310202653.GG9421@shame.svkt.org>
References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org>
List-Id: "Security issues [members-only posting]"

Thu, 2011-03-10 at 20:26 +0000, Lionel Flandrin wrote:
> On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> > 
> > Thanks. I'll probably be looking into that sooner or later.
> > 
> > However, OPIE, nobody cares about OPIE?
> 
> Hi,
> 
> I do care about OPIE,

Thanks!!

> but it has many shortcomings arguably more
> critical than the one you're pointing out. What bothers me most is the
> absence of a prefix password and the possibility that someone may
> hijack my session if he's replaying my input and sends the \n before
> I do. See the Wikipedia page about OTPW[1] for a more detailed
> explanation about that. OTPW is an alternative to OPIE that aims at
> correcting these issues.

Well, I had never heard of OTPW, thanks for the pointer. But I'm not
concerned about those problems you mentioned:

- As to the possibility of someone hijacking my session and sending \n
  before I do, I don't care about that because I only use SSH (the same
  comment would apply to your solution with https). That problem would be
  valid for cleartext sessions not encrypted with a session key. If
  someone can hijack my SSH session... hey, then all is lost in any case;
  the least I care about then is my password...

- About prefix passwords, I just gave that Wikipedia page a quick read,
  but that seems to me important for the case where you take a list of
  passwords with you, and I wouldn't do that. And because OTPW is to be
  used like that, I don't think I would use it.
  I use OPIE when I have no other solution, when I didn't take anything
  with me. At any moment, I download an OTP calculator and log in. If I'm
  supposed to carry anything, I'd prefer to carry an SSH key, a lot safer.

- The objection to S/KEY on that wiki page, that it's possible to compute
  all previous passwords, is a bit odd, since past passwords won't be used
  anymore.

- That S/KEY uses small English words actually helps a lot.

> I'd try to install and configure OTPW on my server to replace OPIE,
> but it's not in the ports and I don't know PAM well enough to try and
> mess with it, I would probably end up opening more security holes than
> I'm fixing.
> 
> Since these days many of us use cell phones where it's easy to write
> and distribute challenge/response generators, I don't understand why
> there seems to be so little interest in developing and improving one
> time password solutions (including for websites, I wonder how many
> facebook/twitter/whatever accounts I could steal by putting keyloggers
> in an internet cafe).

One-time passwords made the most sense with insecure connections. Over a
secure session, such as ssh or https, in principle, a strong password is
just as strong. One-time passwords add no security if in the end it all
amounts to a brute-force attack. However, to me, in practice, they do add
security, because:

- One-time passwords lead to a larger search space, unless compared to
  random passwords. Random passwords, however, end up having to be written
  on something that must be carried.

- Obviously, it's an additional layer of security that the attacker would
  have to be aware of (even though this counts as zero).

- One-time passwords don't get compromised as easily, because you would
  have to be really foolish to use your passphrase anywhere else or write
  it down.

So, it really is questionable whether they are any better in the world of
encrypted connections.
> I would gladly look into it myself but the subject is so security
> critical that I'm a little put off. If one of you knows of a project
> working on improving or replacing OPIE, I would gladly look into it
> and try to contribute if I can. Maybe this project _is_ OTPW? Why
> isn't it in the ports yet when the Wikipedia article claims it
> supports FreeBSD? Has anyone here tried it?
> 
> As for OpenVPN, it is a really good piece of software and you should
> have a look at it, but I can imagine scenarios where a one time
> password would be better suited than a complete VPN setup (For
> instance I use OPIE and shellinabox[2] over HTTPS to connect to my
> server from anywhere I can find a web browser, no need to install any
> additional software).
> 
> [1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
> [2] https://code.google.com/p/shellinabox/
> 
> Cheers,

Thanks for the pointers. That shellinabox is really cool.

However, to me it's a lot easier to set up OpenSSH than it is to set up
an https web server. I don't mind having to install PuTTY or FileZilla
once a week; I can already navigate Simon Tatham's home page blindfolded.

Regards,

-- 
Miguel Ramos
PGP A006A14C
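Added example, not part of the thread above and not OPIE's or OTPW's code: a toy S/KEY-style hash chain in Python that lets you check the two points argued in the message. It shows (a) that the server stores only the last accepted value and rejects a replayed one-time password, and (b) why "an eavesdropper can compute all previous passwords" is harmless: from a captured value h_k the chain only runs forward to h_{k+1}, h_{k+2}, ... (already used), never to h_{k-1} (the next one the server will accept). The one-way step is SHA-256 truncated to 64 bits; real OPIE follows RFC 2289 with MD5/SHA-1 folding and a six-word encoding, which this model deliberately does not reproduce. The passphrase, seed and sequence counts are made up for the demonstration.

```python
"""Toy S/KEY-style one-time-password chain (illustrative model, not OPIE).

h_0 = H(seed || passphrase), h_i = H(h_{i-1}).  The server is enrolled with
h_n and a login at sequence number s presents h_s; the server accepts iff
H(h_s) equals the value it stored, then stores h_s.  Seeds, passphrases
and counts below are constructed for the example.
"""
import hashlib
import hmac

HASH_LEN = 8  # keep 64 bits per value, as S/KEY does (assumption: SHA-256, not RFC 2289 folding)


def step(value: bytes) -> bytes:
    """One application of the one-way function."""
    return hashlib.sha256(value).digest()[:HASH_LEN]


def initial_value(passphrase: bytes, seed: bytes) -> bytes:
    """h_0; the per-host seed keeps one passphrase from yielding the same chain everywhere."""
    return step(seed + passphrase)


def otp(passphrase: bytes, seed: bytes, seq: int) -> bytes:
    """Client side (what an OTP calculator computes): h_seq = H^seq(h_0)."""
    value = initial_value(passphrase, seed)
    for _ in range(seq):
        value = step(value)
    return value


class OtpServer:
    """Server side: holds only the last accepted value and its sequence number."""

    def __init__(self, seed: bytes, seq: int, last_accepted: bytes):
        self.seed = seed
        self.seq = seq               # sequence number of last_accepted
        self.last = last_accepted    # h_seq; the next login must present h_{seq-1}

    def challenge(self):
        """What the login prompt shows: the sequence number to use and the seed."""
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        """Accept iff H(candidate) == stored value, then roll the stored value back one step.
        A replayed value fails because its hash is now two steps ahead of the store."""
        if self.seq <= 0:
            return False  # chain exhausted: the user must re-enroll with a fresh seed
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last = candidate
        self.seq -= 1
        return True


def enroll(passphrase: bytes, seed: bytes, n: int) -> OtpServer:
    """Equivalent of running opiepasswd: the server learns h_n, never the passphrase."""
    return OtpServer(seed, n, otp(passphrase, seed, n))


def passwords_derivable_from_capture(captured: bytes, seq: int, top: int) -> dict:
    """Everything an eavesdropper who saw h_seq can compute without the passphrase:
    h_{seq+1} .. h_top, i.e. only values that were already spent."""
    derived = {}
    value = captured
    for k in range(seq + 1, top + 1):
        value = step(value)
        derived[k] = value
    return derived


if __name__ == "__main__":
    passphrase, seed = b"correct horse battery staple", b"fb2011"  # constructed
    server = enroll(passphrase, seed, 5)
    seq, s = server.challenge()                     # (4, b'fb2011')
    print("login ok:", server.verify(otp(passphrase, s, seq)))
    print("replay ok:", server.verify(otp(passphrase, s, seq)))
    seen = otp(passphrase, seed, 3)                 # attacker sniffed the next login
    past = passwords_derivable_from_capture(seen, 3, 5)
    print("derived from capture:", {k: v.hex() for k, v in past.items()})
```

Running it with the constructed values prints one accepted login, a rejected replay, and the two spent values (h_4 and h_5) that a capture of h_3 yields; nothing in the chain leads back to h_2, which is what the server now expects.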