From: Miguel Lopes Santos Ramos
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Date: Sun, 13 Mar 2011 21:06:17 +0000
Message-ID: <1300050377.5900.12.camel@w500.local>
In-Reply-To: <20110313204054.GA5392@server.vk2pj.dyndns.org>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Mon, 2011-03-14 at 07:40 +1100, Peter Jeremy wrote:
> On 2011-Mar-10 23:09:07 +0000, Miguel Lopes Santos Ramos wrote:
> >- The objection on S/KEY on that wiki page, that it's possible to
> >compute all previous passwords, is a bit odd, since past passwords won't
> >be used anymore.
>
> One weakness of S/KEY and OPIE is that if an attacker finds the
> password (response) for sequence N then they can trivially determine
> the response for any sequence > N. This could occur if (eg) you have
> a printout of OPIE keys and are just crossing them off (which was a
> common recommendation prior to smart phones etc) - an attacker just
> needs to memorise the lowest N and response.

Ok, admittedly, it took me a while to see in what way that could be a
weakness. It's a bit like hoping for a little remaining security after
the password list was compromised.

Personally, I would still prefer OPIE to OTPW. A calculator beats a list
(for me).

For instance, around here many banks provide little matrix cards from
which they then ask for the numbers by row/column for access to some
operations on home banking. Now, with banks, physical security matters.
What do I do? None of the choices is good: if I hide the card, I can't
use it... (obviously I encrypt the content with PGP and destroy the card).

So, I think there's an elegance to the S/KEY solution that OTPW doesn't
have.

-- 
Miguel Ramos
PGP A006A14C
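The hash-chain property Peter Jeremy describes above, as an added worked example that is not part of the thread or of the OPIE/S/KEY code: a simplified Lamport-style chain using SHA-256 (not the 64-bit folded MD4/MD5 of RFC 2289), with the server-side check that a verifier performs and a demonstration that the response for one sequence number fixes every higher-numbered response without the secret. The secret, seed and sequence count are constructed values.

```python
import hashlib

# Simplified S/KEY-style chain (constructed example, SHA-256 instead of the
# RFC 2289 folded digest; the chain property is the same). Sequence numbers
# are consumed from high to low, so "higher" means "already used or printed
# above the current entry on a list".

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def skey_response(secret: bytes, seed: bytes, n: int) -> bytes:
    """Response for sequence n: H applied n times to H(seed || secret).
    Only the holder of the secret can compute this for an arbitrary n."""
    x = _h(seed + secret)
    for _ in range(n):
        x = _h(x)
    return x

def derive_higher(response_n: bytes, steps: int) -> bytes:
    """Walk the chain forward without the secret: from the response for
    sequence N, obtain the response for sequence N + steps. This is why a
    single low-numbered entry from a printed list determines the entries
    above it, and why such a list must be protected as a whole."""
    x = response_n
    for _ in range(steps):
        x = _h(x)
    return x

def server_verify(stored: bytes, submitted: bytes):
    """Verifier check: 'stored' is the last accepted response (sequence k).
    A login with sequence k-1 is valid iff H(submitted) == stored; a replay
    of k or any higher sequence fails. Returns the new stored value or None."""
    return submitted if _h(submitted) == stored else None

def demo() -> bool:
    secret, seed = b"correct horse battery", b"fb12345"  # constructed values
    n_total = 10
    stored = skey_response(secret, seed, n_total)        # enrollment
    for n in (9, 8, 7):                                  # three normal logins
        stored = server_verify(stored, skey_response(secret, seed, n))
        assert stored is not None
    # A single entry (sequence 3) fixes the unused sequences 4, 5 and 6 too.
    leaked = skey_response(secret, seed, 3)
    return all(derive_higher(leaked, k) == skey_response(secret, seed, 3 + k)
               for k in range(1, 7))

if __name__ == "__main__":
    print("chain property holds:", demo())
```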