Robert Simmons
2019-Jun-18 13:02 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
Victor,

To throw a new wrinkle in the equation: Google Authenticator codes can be intercepted by a phishing page. U2F protocol is even better, and can't be intercepted via phishing.

There are U2F libraries in ports.

https://en.wikipedia.org/wiki/Universal_2nd_Factor

Cheers,
Rob

On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to login to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
Dan Langille
2019-Jun-18 13:07 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmons0 at gmail.com> wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
>
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob

If my Google Authenticator codes are on my phone, and I'm entering them into my ssh session, how is a phishing page involved?

Dan Langille
http://langille.org/
Victor Sudakov
2019-Jun-19 02:05 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
Robert Simmons wrote:
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page.

In my case, no page is involved, just the FreeOTP app on my Android phone (which is less convenient than a sheet of paper with OPIE passwords, but I can live with that).

> U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor

U2F (and Yubikey) require purchase of hardware devices. In this sense, they are not replacements for OPIE, which is a pure software solution.

Back to my original question.

1. Is it safe to keep OPIE in the base system? Its upstream project is gone. It is not IPv6 ready. It uses MD5.

2. If OPIE is not safe anymore, which is a good software replacement?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/