From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: Lionel Flandrin
Cc: freebsd-security@freebsd.org
Date: Sat, 12 Mar 2011 22:15:01 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
In-Reply-To: <20110312121200.GJ9421@shame.svkt.org>
Message-ID: <1299968101.12752.16.camel@w500.local>

On Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:

(...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
(...)
> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4 digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack tho.

The math of that sounds a bit hard... You're talking about OTPW, not OPIE, isn't it?

(...)
> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!), even when I use OPIE (because I don't use a separate device, a cell phone). Somewhere we have to draw a line, and my line is there. But when I look around me, at my physical/social environment, I feel pretty confident. I guess the most real risk I face is someone pointing a knife at me...

My problem with passwords, even passwords generated by dd if=/dev/random bs=6 count=1 | base64, is seeing dozens, sometimes hundreds of login attempts per day at any SSH server I open. Even though they're stupid attempts, which don't even guess a valid username (which is pretty easy, let me tell you), they make me feel that an 8-character random password can be guessed by accident.

In my physical environment, I don't see the slightest threat (at least not one which does not involve knives).

-- 
Miguel Ramos
PGP A006A14C
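As an added example, not part of the thread or of any FreeBSD code, the script below counts failed sshd password attempts per source address in constructed auth.log lines and puts a number on the "guessed by accident" worry for a 48-bit password from dd if=/dev/random bs=6 count=1 | base64 at the observed rate; the log lines, host name and addresses are all constructed.

```python
"""Count failed sshd password attempts per source and bound the chance that a
48-bit random password is hit by accident at that attempt rate."""
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth.log format; the host name and the
# RFC 5737 documentation addresses are made up for this example.
SAMPLE_LOG = """\
Mar 12 03:14:07 w500 sshd[2391]: Invalid user admin from 198.51.100.23
Mar 12 03:14:09 w500 sshd[2391]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 12 03:14:12 w500 sshd[2395]: Failed password for invalid user oracle from 198.51.100.23 port 51240 ssh2
Mar 12 07:22:41 w500 sshd[2510]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar 12 07:22:44 w500 sshd[2510]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar 12 22:15:01 w500 sshd[2777]: Accepted publickey for miguel from 192.0.2.5 port 50100 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def failed_attempts(log_text):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def password_bits(random_bytes=6):
    """Entropy of `dd if=/dev/random bs=N count=1 | base64`: 8 bits per byte,
    so bs=6 gives 48 bits spread over 8 base64 characters."""
    return 8 * random_bytes

def accidental_guess_probability(attempts_per_day, days, bits=48):
    """Upper bound on the chance that any of the attempts hits one specific
    password, assuming every attempt is an independent uniform guess (the
    attacker's best case; real scanners try dictionary words, which is worse)."""
    total = attempts_per_day * days
    return min(1.0, total / 2 ** bits)

if __name__ == "__main__":
    per_source = failed_attempts(SAMPLE_LOG)
    daily = sum(per_source.values())  # treat the sample as one day's worth
    print(per_source)
    print("%d-bit password, %d attempts/day for 10 years: p = %.3g"
          % (password_bits(), daily, accidental_guess_probability(daily, 3650)))
```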