Date:      Sun, 5 Aug 2001 11:58:03 -0700
From:      Bill Fenner <fenner@research.att.com>
To:        freebsd-security@freebsd.org
Subject:   Opie and protecting passphrases
Message-ID:  <200108051858.LAA15976@windsor.research.att.com>


I'd like to start a discussion on the subject of protecting passphrases.
Opie tries really hard to protect the user from typing their passphrase
over an insecure connection; any time you run programs like opiekey or
opiepasswd they say:

Reminder: Don't use opiekey from telnet or dial-in sessions.

If they think that you are not using a secure session, they say:

Sorry, but you don't seem to be on the console or a secure terminal.

and do not prompt for the pass phrase.

There is an "-f" flag to override this check, but it's not enabled by
the FreeBSD build:

nectar% otp-md5 -f 1 nanny
Sorry, but the -f option is not supported by this build of OPIE.

I'd like to enable opie's "INSECURE_OVERRIDE" by default in FreeBSD.
My reasoning is that:
a) opie uses heuristics, which can't always be right.
b) The heuristics can be fooled, so they are not a panacea even if they're
   usually right.
c) the default behavior continues to be that the user is not prompted for
   the passphrase; INSECURE_OVERRIDE only allows specifying the "-f" flag.
d) Other parts of the system, like ssh, make no attempt to protect the
   user from typing a passphrase over an insecure connection.

See PR bin/23203: http://www.freebsd.org/cgi/query-pr.cgi?pr=23203 for more
details.

Thanks for any thoughts,
  Bill
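The message above describes OPIE's behaviour (refuse to prompt unless the session looks secure, and reject "-f" unless the build enables INSECURE_OVERRIDE) without showing the check itself. The following is an added illustration, not OPIE's own code and not from the FreeBSD source: it assumes a simplified heuristic that treats a terminal as secure only when its /etc/ttys entry carries the "secure" flag (OPIE's real test is not spelled out on this page), embeds a constructed sample /etc/ttys, reuses the two messages quoted in the mail, and models INSECURE_OVERRIDE as a plain boolean parameter. It shows the point (a) above concretely: a pty allocated for an ssh login carries no flag, so the table cannot distinguish it from a telnet session.

```python
import shlex

# Constructed sample /etc/ttys in FreeBSD format:
#   name  getty-command  type  status  [flags]
# Only the "secure" flag matters to this illustration.
SAMPLE_TTYS = """\
# name  getty                           type    status  comments
console none                            unknown off     secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on      secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  on
ttyp0   none                            network
"""

# Messages quoted in the mail above.
SECURE_MSG = "Sorry, but you don't seem to be on the console or a secure terminal."
NO_FORCE_MSG = "Sorry, but the -f option is not supported by this build of OPIE."


def parse_ttys(text):
    """Map each tty name to the set of flags after its status field."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)            # handles the quoted getty command
        if len(fields) < 3:
            continue                          # malformed entry: never trust it
        # fields[3] is the on/off status; anything after it is a flag.
        table[fields[0]] = set(fields[4:])
    return table


def terminal_is_secure(tty, ttys_table):
    """Assumed heuristic: secure only if /etc/ttys says so.

    A network pty (ttyp0 in the sample) has no flag whether the login
    came over ssh or telnet, so an encrypted session is refused just
    like a plaintext one.
    """
    return "secure" in ttys_table.get(tty, set())


def may_prompt(tty, ttys_table, force=False, insecure_override=False):
    """Decide whether to prompt for the passphrase.

    `force` stands for the -f flag; `insecure_override` stands for the
    compile-time INSECURE_OVERRIDE option that makes -f available.
    Returns (allowed, message).
    """
    if force and not insecure_override:
        return False, NO_FORCE_MSG
    if force or terminal_is_secure(tty, ttys_table):
        return True, ""
    return False, SECURE_MSG


if __name__ == "__main__":
    table = parse_ttys(SAMPLE_TTYS)
    for tty in ("ttyv0", "ttyp0"):
        for force, override in ((False, False), (True, False), (True, True)):
            ok, msg = may_prompt(tty, table, force, override)
            print(f"{tty:6} -f={force!s:5} INSECURE_OVERRIDE={override!s:5} "
                  f"-> {'prompt' if ok else msg}")
```

Note what changes and what does not when INSECURE_OVERRIDE is on: without "-f" the decision is identical, which is point (c) in the mail; only an explicit "-f" on an unflagged tty moves from the "-f not supported" refusal to a prompt.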
