Date: Sat, 12 Mar 2011 22:15:01 +0000
From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: Lionel Flandrin <simias.n@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <1299968101.12752.16.camel@w500.local>
In-Reply-To: <20110312121200.GJ9421@shame.svkt.org>
References: <1299682310.17149.24.camel@w500.local> <alpine.BSF.2.00.1103100147350.1891@qvfongpu.qngnvk.ybpny> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> <20110312121200.GJ9421@shame.svkt.org>
Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:
(...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
(...)
> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4 digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack though.

The math of that sounds a bit hard...
You're talking about OTPW, not OPIE, isn't it?

(...)
> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!), even
when I use OPIE (because I don't use a separate device, a cell phone).
Somewhere we have to draw a line, and my line is there.

But when I look around me, at my physical/social environment, I feel
pretty confident. I guess the most real risk I face is someone pointing a
knife at me...

My problem with passwords, even passwords generated by
dd if=/dev/random bs=6 count=1 | base64, is seeing dozens, sometimes
hundreds of login attempts per day at any SSH server I open. Even though
they're stupid attempts, which don't even guess a valid username (which is
pretty easy, let me tell you), they make me feel that an 8-random-character
password can be guessed by accident.

In my physical environment, I don't see the slightest threat (at least not
one which does not involve knives).
-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
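As an added illustration (not part of this thread or of anyone's code in it), a defender-side check for the kind of SSH noise Miguel describes: it parses constructed sshd log lines and separates failed attempts against non-existent usernames from those that actually hit real accounts, which is the subset worth alerting on. The hostname, the IP addresses and the `local_users` set are made-up assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (hostname and IPs are invented).
SAMPLE_LOG = """\
Mar 12 03:14:07 w500 sshd[2117]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 03:14:09 w500 sshd[2119]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Mar 12 03:14:11 w500 sshd[2121]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 12 03:15:02 w500 sshd[2130]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Mar 12 03:15:30 w500 sshd[2133]: Failed password for miguel from 198.51.100.7 port 40010 ssh2
Mar 12 03:16:00 w500 sshd[2140]: Accepted publickey for miguel from 192.0.2.10 port 50022 ssh2
"""

# sshd writes "invalid user" when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def summarize_failed_logins(log_text, local_users):
    """Return {source_ip: Counter} with 'invalid_user' and 'valid_user' counts.

    local_users is the set of accounts that exist on the host (assumed);
    it lets us classify attempts even if the log line lacks the marker.
    """
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip, user = m.group("ip"), m.group("user")
        stats = per_ip.setdefault(ip, Counter())
        if m.group("invalid") or user not in local_users:
            stats["invalid_user"] += 1  # blind guessing, noise
        else:
            stats["valid_user"] += 1    # hit a real account: worth a look
    return per_ip


def sources_probing_real_accounts(per_ip, threshold=1):
    """Source IPs whose failed attempts targeted at least `threshold` real accounts."""
    return sorted(ip for ip, c in per_ip.items() if c["valid_user"] >= threshold)


if __name__ == "__main__":
    stats = summarize_failed_logins(SAMPLE_LOG, {"root", "miguel"})
    for ip, c in sorted(stats.items()):
        print(ip, dict(c))
    print("probing real accounts:", sources_probing_real_accounts(stats))
```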
