Date: Mon, 6 Aug 2001 00:18:07 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Bill Fenner <fenner@research.att.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Opie and protecting passphrases
Message-ID: <20010806001807.A47300@nagual.pp.ru>
In-Reply-To: <200108051858.LAA15976@windsor.research.att.com>
References: <200108051858.LAA15976@windsor.research.att.com>

On Sun, Aug 05, 2001 at 11:58:03 -0700, Bill Fenner wrote:
>
> I'd like to enable opie's "INSECURE_OVERRIDE" by default in FreeBSD.

Me too. We can just add the opposite option for admins who don't trust any
remote connection. Since nowadays most machines are servers without even
regular console access, remote OPIE usage should be preferred and the default.

> My reasoning is that:
> a) opie uses heuristics, which can't always be right.

Moreover, these heuristics do not cover many secure connection schemes like
SSH, SRA Telnet, Kerberos, etc. It means that the current OPIE effectively
prevents the user from using a secure connection in the regular way. For
example, if his password count goes to zero, with the current variant he must
ask the sysadmin each time to change it, since opiepasswd doesn't know
anything about his secure connection and refuses to run. Even running OPIE on
the console currently has problems too, because you can't use things like
'screen'.

> b) The heuristics can be fooled, so they are not a panacea even if they're
> usually right.

Yes. For example, for opiekey the -f restriction leads to a re-compiled
(-f enabled) unofficial opiekey distribution from the user community (since
opiekey doesn't use the s-bit and protected files, it is just a calculator).

> d) Other parts of the system, like ssh, make no attempt to protect the
> user from typing a passphrase over an insecure connection.

Moreover, the previous SKEY library which OPIE tries to replace now has all
these things enabled, so we need to enable them for compatibility reasons too.

I want to add a word about /etc/opieaccess too, which is the replacement for
the former /etc/skey.access and contains trusted network numbers. Parsing of
this file must be enabled (compiled in) by default too, for compatibility
reasons and for various purposes like FTP tunneling via SSH (on a single
machine without any trusted networks).

-- 
Andrey A. Chernov
http://ache.pp.ru/