Dan Langille
2019-Jun-18 13:07 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmons0 at gmail.com> wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>

If my Google Authenticator codes are on my phone, and I'm entering them into my ssh session, how is a phishing page involved?

--
Dan Langille
http://langille.org/
Robert Simmons
2019-Jun-18 13:09 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
You are correct for SSH.

On Tue, Jun 18, 2019, 09:07 Dan Langille <dan at langille.org> wrote:

> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmons0 at gmail.com> wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
>
> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to login to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>
> If my Google Authenticator codes are on my phone, and I'm entering them
> into my ssh session, how is a phishing page involved?
>
> --
> Dan Langille
> http://langille.org/
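
Added example, not part of the thread and not code from OPIE or pam_google_authenticator: an RFC 6238 TOTP check with an acceptance window, and the online-guessing odds that the original question about 6-digit codes asks for, next to a 64-bit RFC 2289 (S/Key, OPIE) response under the same attempt budget. The 3-step window and the limit of 3 attempts per 30 seconds are assumed settings, and all function names are illustrative.

```python
import hashlib
import hmac
import math
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step)

def verify(secret: bytes, code: str, unix_time: int,
           window: int = 3, step: int = 30) -> bool:
    """Accept a code from any of `window` steps centred on the current one."""
    now, half = unix_time // step, window // 2
    steps = range(max(0, now - half), now + half + 1)
    return any(hmac.compare_digest(code, hotp(secret, c)) for c in steps)

def attempts_allowed(seconds: int, limit: int = 3, per_seconds: int = 30) -> int:
    """Login attempts a rate limiter of `limit` per `per_seconds` lets through."""
    return (seconds // per_seconds) * limit

def guess_probability(attempts: int, accepted: int, space: int) -> float:
    """Chance that at least one of `attempts` random guesses is accepted,
    when `accepted` values out of `space` are valid at any moment."""
    return -math.expm1(attempts * math.log1p(-accepted / space))

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print("code at t=59:", totp(secret, 59))
    day = attempts_allowed(24 * 3600)  # assumed limit: 3 tries per 30 s
    # 6-digit TOTP with an assumed 3-step acceptance window
    print("TOTP, one day of guessing: %.4f" % guess_probability(day, 3, 10 ** 6))
    # RFC 2289 one-time passwords are 64-bit values
    print("64-bit OTP, same budget:   %.1e" % guess_probability(day, 1, 2 ** 64))
    # With no rate limit, 10**6 guesses against the 6-digit code
    print("TOTP, 1e6 unthrottled:     %.4f" % guess_probability(10 ** 6, 3, 10 ** 6))
```

The numbers show that the 6-digit code depends on the server throttling attempts, while neither scheme's code length addresses the interception question raised later in the thread.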