Victor Sudakov
2019-Jun-19 02:05 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
Robert Simmons wrote:

> > To throw a new wrinkle in the equation: Google Authenticator codes can be
> > intercepted by a phishing page.

In my case, no page is involved, just the FreeOTP app on my Android phone (which is less convenient than a sheet of paper with OPIE passwords, but I can live with that).

> U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor

U2F (and Yubikey) require purchase of hardware devices. In this sense, they are not replacements for OPIE, which is a pure software solution.

Back to my original question.

1. Is it safe to keep OPIE in the base system? Its upstream project is gone. It is not IPv6 ready. It uses MD5.

2. If OPIE is not safe anymore, which is a good software replacement?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
Roger Marquis
2019-Jun-19 02:57 UTC
Untrusted terminals: OPIE vs security/pam_google_authenticator
> In my case, no page is involved, just the FreeOTP app on my Android
> phone (which is less convenient than a sheet of paper with OPIE
> passwords, but I can live with that).

FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require no privacy-invading "push" notifications and are open source. Just wish more sites would publish numeric codes instead of gimmicky QR codes.

That said, there are still plenty of us who also use OPIE. The passcodes are a solid T/HOTP fallback, aren't subject to seizure by border agents having a bad day, can be easily copied and stored on paper and have zero dependencies on 3rd parties.

That's not to say that OPIE should be kept in base though. There's already way too much unused legacy cruft in FreeBSD base. Ports are the right tool for that job. But OPIE is still used, can be updated relatively easily, and should be kept somewhere accessible for security-conscious end-users. To eliminate it would only benefit those with commercial interests in proprietary and hosted (vendor lock-in) MFA solutions.

IMO,
Roger Marquis
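The OPIE/S-Key hash chain that both posts refer to, as an added Python example that is not part of the thread or of the OPIE code base: a simplified model of the RFC 2289 MD5 variant (seed plus passphrase, the 64-bit fold, a server that keeps only the top of the chain), showing why a passcode typed on an untrusted terminal cannot be replayed and that MD5 serves here as an iterated one-way function, not as a collision-resistant hash. The enroll/challenge/respond/verify names and the sample passphrase and seed are constructed for this example.

```python
import hashlib
import secrets

def fold_md5(data: bytes) -> bytes:
    """One OTP step (RFC 2289, MD5 variant): digest, then XOR the two 8-byte halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, n: int) -> bytes:
    """n-th one-time password: fold(seed || passphrase), then fold n more times.
    The seed is case-insensitive per RFC 2289, hence the lower(). Walking the chain
    backwards needs a preimage of the 64-bit folded function; MD5 collision attacks
    do not help with that, so the real limits are the 64-bit output and passphrase guessing."""
    h = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        h = fold_md5(h)
    return h

def enroll(passphrase: str, seed: str, count: int) -> dict:
    """Server-side record (cf. /etc/opiekeys): seed, sequence number and the top of
    the chain. The passphrase is never stored, so the file is not a password file."""
    return {"seed": seed, "seq": count, "last": otp(passphrase, seed, count)}

def challenge(rec: dict) -> str:
    """The prompt the server prints on the (possibly untrusted) terminal."""
    return f"otp-md5 {rec['seq'] - 1} {rec['seed']}"

def respond(passphrase: str, chal: str) -> bytes:
    """Client side: computed on a trusted device or read from the printed list."""
    _, n, seed = chal.split()
    return otp(passphrase, seed, int(n))

def verify(rec: dict, response: bytes) -> bool:
    """Accept iff one more fold of the response equals the stored value, then step
    the chain down. A keylogged response fails on replay because the stored value
    has already moved below it."""
    if rec["seq"] <= 1:
        return False  # chain exhausted: user must re-enroll with a fresh seed
    if not secrets.compare_digest(fold_md5(response), rec["last"]):
        return False
    rec["last"] = response
    rec["seq"] -= 1
    return True

if __name__ == "__main__":
    # constructed sample values, not real credentials
    rec = enroll("correct horse battery staple", "ts123456", 3)
    chal = challenge(rec)
    resp = respond("correct horse battery staple", chal)
    print(chal, verify(rec, resp), verify(rec, resp))  # second verify is a replay
```

This models the challenge/verify pair of the OPIE library as used by pam_opie; it defends against replay of a captured passcode, not against an attacker who hijacks the live session on the same terminal.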