From owner-cvs-all Sat Jan 19 8:29:58 2002
Delivered-To: cvs-all@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id 140AF37B402; Sat, 19 Jan 2002 08:29:38 -0800 (PST)
Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.11.6/8.11.6) with UUCP id g0JGTBN26700; Sat, 19 Jan 2002 16:29:11 GMT (envelope-from mark@grondar.za)
Received: from grondar.za (mark@localhost [127.0.0.1]) by grimreaper.grondar.org (8.11.6/8.11.6) with ESMTP id g0JGTkt22254; Sat, 19 Jan 2002 16:29:46 GMT (envelope-from mark@grondar.za)
Message-Id: <200201191629.g0JGTkt22254@grimreaper.grondar.org>
To: "Andrey A. Chernov"
Cc: Kris Kennaway , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
References: <20020119145947.GF9803@nagual.pp.ru>
In-Reply-To: <20020119145947.GF9803@nagual.pp.ru> ; from "Andrey A. Chernov" "Sat, 19 Jan 2002 17:59:47 +0300."
Date: Sat, 19 Jan 2002 16:29:46 +0000
From: Mark Murray
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> On Sat, Jan 19, 2002 at 14:21:50 +0000, Mark Murray wrote:
> > > We have already lived with this "change" for several years when S/Key was
> > > here and nobody complained. This is not a change, this is a return to the
> > > old way, as it must be.
> >
> > One of the reasons I went for OPIE was to get away from S/Key brokenness.
>
> What brokenness do you mean, exactly? There is basically just the same idea
> in OPIE, only the OTP response format is changed, which is an enhancement and
> not a brokenness fix. Many other OPIE "features" either _lower_ security and
> should never be turned on (like LOCKING) or gain nothing for security, just
> make the interface inconvenient. Some other (not so useful, but who knows)
> features, like tty-level access, are even removed in OPIE.
If the sysadmin turns on OPIE for a particular facility (like, say, ftpd) then there MUST be an OPIE challenge for all users (except perhaps root and the anonymous user). That way, the external user gets much less info about the internal security arrangements (like who is using OPIE, and who may be using (insecure) unix passwords). The less you tell the attacker, the better.

If that means giving a bogus OPIE challenge for a user who has no OPIE enabled, then that is GOOD, because it gives the attacker something bogus to chew on.

The fact that this may be open source is irrelevant. With the external attacker, the contents of /etc/ are still partially protected.

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
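The policy argued for above (every user on an OPIE-enabled facility gets a challenge, real or bogus, so the prompt itself does not reveal who is enrolled and who still uses a unix password) as an added example in C. This is illustration code written for this page, not code from pam_opie.c or the OPIE library. It assumes a constructed in-memory key table standing in for /etc/opiekeys, a hypothetical `host_secret`, and a keyed FNV-1a hash to derive the bogus challenge; the keying matters because a fake challenge that changed on every request would itself give the enrollment away, since a real OPIE sequence number only moves after a successful login.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of an OPIE key database (the role /etc/opiekeys plays):
 * user, current sequence number and seed.  Only these users have OPIE enabled. */
struct opie_rec {
    const char *user;
    int seq;
    const char *seed;
};

static const struct opie_rec opie_db[] = {
    { "alice", 497, "fb3295" },
    { "bob",    12, "ke0134" },
};

/* Hypothetical per-host secret.  A real module would load this from a
 * root-only file; a fixed string is used here only so the example runs. */
static const char *host_secret = "EXAMPLE-HOST-SECRET-replace-in-production";

/* Highest sequence number OPIE hands out for a freshly initialised key. */
#define OPIE_MAX_SEQ 499

static const struct opie_rec *lookup_user(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof opie_db / sizeof opie_db[0]; i++)
        if (strcmp(opie_db[i].user, user) == 0)
            return &opie_db[i];
    return NULL;
}

/* FNV-1a over secret, its terminating NUL (as a separator) and the user name.
 * Keyed with the host secret so an outsider cannot precompute what the fake
 * challenge for a given name would look like. */
static uint64_t keyed_hash(const char *secret, const char *user)
{
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    for (p = secret; ; p++) {
        h = (h ^ (unsigned char)*p) * 1099511628211ULL;
        if (*p == '\0')
            break;
    }
    for (p = user; *p != '\0'; p++)
        h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    return h;
}

/* Write an OPIE-style challenge ("otp-md5 <seq> <seed> ext") for user into buf.
 * Enrolled users get their real challenge; everyone else gets a bogus one that
 * is stable across calls.  Returns 1 for a real challenge, 0 for a bogus one;
 * the caller must keep that distinction private and show only the text. */
int opie_challenge_for(const char *user, char *buf, size_t len)
{
    const struct opie_rec *r = lookup_user(user);
    uint64_t h;
    char seed[7];

    if (r != NULL) {
        snprintf(buf, len, "otp-md5 %d %s ext", r->seq, r->seed);
        return 1;
    }
    h = keyed_hash(host_secret, user);
    /* Shape the bogus seed like a real one: two letters then four digits. */
    snprintf(seed, sizeof seed, "%c%c%04u",
             'a' + (int)((h >> 8) % 26),
             'a' + (int)((h >> 16) % 26),
             (unsigned)((h >> 24) % 10000));
    snprintf(buf, len, "otp-md5 %d %s ext", 1 + (int)(h % OPIE_MAX_SEQ), seed);
    return 0;
}

/* 1 if the user is actually enrolled (internal knowledge, never shown). */
int challenge_is_real(const char *user)
{
    char buf[64];
    return opie_challenge_for(user, buf, sizeof buf);
}

/* 1 if the challenge parses as "otp-md5 <1..499> <6-char seed> ext". */
int challenge_looks_valid(const char *user)
{
    char buf[64], seed[16], ext[16];
    int seq;
    opie_challenge_for(user, buf, sizeof buf);
    if (sscanf(buf, "otp-md5 %d %15s %15s", &seq, seed, ext) != 3)
        return 0;
    return seq >= 1 && seq <= OPIE_MAX_SEQ && strlen(seed) == 6 &&
           strcmp(ext, "ext") == 0;
}

/* 1 if asking twice for the same user yields the same challenge text. */
int challenge_is_stable(const char *user)
{
    char a[64], b[64];
    opie_challenge_for(user, a, sizeof a);
    opie_challenge_for(user, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* 1 if two different users get different challenge text. */
int challenges_differ(const char *u1, const char *u2)
{
    char a[64], b[64];
    opie_challenge_for(u1, a, sizeof a);
    opie_challenge_for(u2, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "mallory" };
    char buf[64];
    size_t i;
    /* An outside observer sees three well-formed challenges and nothing else. */
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        opie_challenge_for(users[i], buf, sizeof buf);
        printf("%-8s %s\n", users[i], buf);
    }
    return 0;
}
```

The property worth checking in a real module is the one the tests below exercise: the challenge for a non-enrolled name is indistinguishable in shape from a real one and does not change between requests, while the enrolled/not-enrolled bit stays inside the module and is never reflected in the prompt.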