From owner-cvs-all  Sat Jan 19  6:44:39 2002
Delivered-To: cvs-all@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42])
	by hub.freebsd.org (Postfix) with ESMTP
	id 68CCF37B404; Sat, 19 Jan 2002 06:44:30 -0800 (PST)
Received: (from ache@localhost)
	by nagual.pp.ru (8.11.6/8.11.6) id g0JEiQi10123;
	Sat, 19 Jan 2002 17:44:26 +0300 (MSK)
	(envelope-from ache)
Date: Sat, 19 Jan 2002 17:44:25 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Mark Murray <mark@grondar.za>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
Message-ID: <20020119144424.GD9803@nagual.pp.ru>
References: <20020119105418.GA7683@nagual.pp.ru> <200201191415.g0JEFQt21503@grimreaper.grondar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200201191415.g0JEFQt21503@grimreaper.grondar.org>
User-Agent: Mutt/1.3.24i
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Sat, Jan 19, 2002 at 14:15:26 +0000, Mark Murray wrote:

> There are lots of ways to do it. One way is to hash on the month
> and the uid or username of the account being attacked. This will
> change on midnight at the end of the month, but that exposes very
> little.

And hacker will check you at the end of the month, (remember, open 
sources). He can check even several users and if they change their numbers 
in one time, he understand how real they are. The longer way you keep 
hacker analyzing the more complex code is needed.

BTW, all this is not related to currently removed code which sucks in 
anycase.

> > may cause not user confusion only but seriosly affects protocols which not
> > expect them.
> 
> If the protocol is not expecting them, but the user has them enabled, you
> have a problem anyway.

No. After my changes you can enable OPIE for specific user which needs it
but not enable for automated user which not needs it.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message