From: Victor Sudakov
To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 14:59:54 +0700
Subject: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190618075954.GA30296@admin.sibptus.ru>

Dear Colleagues,

I've used OPIE for many years (and S/Key before that) to log in to my system from untrusted terminals (cafes, libraries etc.).

Now I've read an opinion that OPIE is outdated (and indeed its upstream distribution is gone) and that pam_google_authenticator would be more secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270

Is that truly so? With 20 words in OPIE and only 6 digits in pam_google_authenticator, how strong is pam_google_authenticator against brute force and other attacks?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/