Date: Thu, 10 Mar 2011 20:26:53 +0000
From: Lionel Flandrin <simias.n@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <20110310202653.GG9421@shame.svkt.org>
In-Reply-To: <1299784361.18199.4.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local> <alpine.BSF.2.00.1103100147350.1891@qvfongpu.qngnvk.ybpny> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local>
On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
>
> Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > > Yes, that's right. That would solve a whole lot of other problems too.
> > > It's true that I'm using SSH in many cases just as an easy to administer
> > > VPN. I've been postponing that for years. But I would need something
> > > that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> > > for any client.
> >
> > so with the pfsense project we have this thing integrated that is called OpenVPN.
> > Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes because
> > it's as secure as possible in this world :)) network between them. I pushed it to my
> > parents who are (sigh) using Windows, I use it from my Mac (Viscosity) and hell
> > it even works on Linux/Gentoo..
> >
> > And it's all.. free :-)
> >
> > Cheers
> > Remko
>
> Thanks. I'll probably be looking into that sooner or later.
>
> However, OPIE, nobody cares about OPIE?

Hi,

I do care about OPIE, but it has many shortcomings arguably more critical than the one you're pointing out. What bothers me most is the absence of a prefix password and the possibility that someone may hijack my session if he's replaying my input and sends the \n before I do. See the Wikipedia page about OTPW[1] for a more detailed explanation about that.

OTPW is an alternative to OPIE that aims at correcting these issues. I'd try to install and configure OTPW on my server to replace OPIE, but it's not in the ports and I don't know PAM well enough to try and mess with it; I would probably end up opening more security holes than I'm fixing.

Since these days many of us use cell phones where it's easy to write and distribute challenge/response generators, I don't understand why there seems to be so little interest in developing and improving one-time password solutions (including for websites; I wonder how many facebook/twitter/whatever accounts I could steal by putting keyloggers in an internet cafe). I would gladly look into it myself but the subject is so security critical that I'm a little put off. If one of you knows of a project working on improving or replacing OPIE, I would gladly look into it and try to contribute if I can. Maybe this project _is_ OTPW? Why isn't it in the ports yet when the Wikipedia article claims it supports FreeBSD? Has anyone here tried it?

As for OpenVPN, it is a really good piece of software and you should have a look at it, but I can imagine scenarios where a one-time password would be better suited than a complete VPN setup (for instance I use OPIE and shellinabox[2] over HTTPS to connect to my server from anywhere I can find a web browser, no need to install any additional software).

[1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
[2] https://code.google.com/p/shellinabox/

Cheers,

--
Lionel Flandrin
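As an added illustration of the prefix-password design Lionel contrasts with OPIE (this is example code written for this page, not code from the thread or from the OTPW project), the sketch below hashes a memorised prefix together with each printed one-time password, stores only the hashes, and burns each entry after one successful use, so a keylogged one-time password is useless without the prefix and a captured full login cannot be replayed. The prefix value, list format and hash function are assumptions for the demonstration and do not reproduce OTPW's real on-disk format.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous glyphs (0/O, 1/l) for a printed sheet.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def make_list(prefix: str, count: int, length: int = 8) -> tuple[list[str], list[bytes | None]]:
    """Generate a printed sheet of one-time passwords and the server's hash list.

    The sheet contains only the one-time passwords; the server stores only
    sha256(prefix + otp). Neither side alone is enough to log in: the sheet
    lacks the memorised prefix, and the hash list cannot be inverted.
    """
    otps = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    hashes: list[bytes | None] = [
        hashlib.sha256((prefix + otp).encode()).digest() for otp in otps
    ]
    return otps, hashes


def verify(entered: str, hashes: list[bytes | None]) -> bool:
    """Check one login attempt; `entered` is the prefix and OTP typed as one string.

    A matching entry is set to None so it can never be accepted again, which is
    what defeats an attacker who recorded a complete, successful login.
    The comparison is constant-time to avoid leaking which entry matched.
    """
    digest = hashlib.sha256(entered.encode()).digest()
    for i, stored in enumerate(hashes):
        if stored is not None and hmac.compare_digest(stored, digest):
            hashes[i] = None
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: "geheim" stands in for the user's memorised prefix.
    sheet, server = make_list("geheim", count=3)
    print("first use:   ", verify("geheim" + sheet[0], server))  # True
    print("replay:      ", verify("geheim" + sheet[0], server))  # False
    print("otp only:    ", verify(sheet[1], server))             # False
```

This does not address the Enter-key race the message describes (an eavesdropper submitting the captured keystrokes before the user does); a real PAM module also needs locking around the list file so two concurrent attempts cannot both consume the same entry.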