From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-security@freebsd.org
Date: Wed, 19 Jun 2019 10:42:57 +0700
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190619034257.GA67083@admin.sibptus.ru>
References: <20190618075954.GA30296@admin.sibptus.ru> <20190619020512.GA64608@admin.sibptus.ru>
User-Agent: Mutt/1.12.0 (2019-05-25)
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"

Roger Marquis wrote:
> > In my case, no page is involved, just the FreeOTP app on my Android
> > phone (which is less convenient than a sheet of paper with OPIE
> > passwords, but I can live with that).
>
> FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require
> no privacy invading "push" notifications and are open source.

Would you rely on security/pam_google_authenticator+FreeOTP as the
*single* authentication for ssh (not as an extra authentication factor)?
In other words, as a "sufficient" PAM module?

> Just wish
> more sites would publish numeric codes instead of gimmicky QR codes.

Oh, I love the QR codes google-authenticator generates in character-based
terminals. Very stylish, and convenient to scan with the FreeOTP app.

Do you know if there is a FreeOTP generator for the FreeBSD console, like
/usr/bin/otp-md5 ?

> That said there are still plenty of us who also use OPIE. The passcodes
> are a solid T/HOTP fallback, aren't subject to seizure by border agents
> having a bad day, can be easily copied and stored on paper and have zero
> dependencies on 3rd parties.
>
> That's not to say that OPIE should be kept in base though. There's
> already way too much unused legacy cruft in FreeBSD base. Ports are the
> right tool for that job.

Is there a way to keep some software in ports, if the original project is dead?
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/