From owner-freebsd-security@FreeBSD.ORG Tue Mar 15 10:43:26 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 95367106564A for ; Tue, 15 Mar 2011 10:43:26 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 4F3FA8FC0C for ; Tue, 15 Mar 2011 10:43:26 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 63B441FFC33; Tue, 15 Mar 2011 10:43:25 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 2CCF1844B0; Tue, 15 Mar 2011 11:43:25 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Miguel Lopes Santos Ramos References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> <20110313204054.GA5392@server.vk2pj.dyndns.org> <1300050377.5900.12.camel@w500.local> Date: Tue, 15 Mar 2011 11:43:25 +0100 In-Reply-To: <1300050377.5900.12.camel@w500.local> (Miguel Lopes Santos Ramos's message of "Sun, 13 Mar 2011 21:06:17 +0000") Message-ID: <86ei68y88i.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Mar 2011 10:43:26 -0000 Miguel Lopes Santos Ramos writes: > Ok, admittedly, it took me a while to see in what way that could be a > weekness. It's a bit like hoping for a little remaining security after > the password list was compromised. OPIE is not designed to protect against a stolen password list; it is designed to protect against replay attacks. With a key calculator, there is no password list to steal - but you need to make sure that nobody can sniff or shoulder-surf the password you type into the calculator. I know of at least one Java ME key calculator that will run on most Java-enabled smartphones. Unfortunately for Apple otakus, this does not include the iPhone, but the good news is that they can get a real phone for considerably less money. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no