Date: Wed, 19 Jun 2002 13:32:41 +0800
From: Calvin NG <calvinng@brel.com>
To: Ryan Thompson <ryan@sasknow.com>
Cc: Tom Rhodes <darklogik@pittgoth.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Password security
Message-ID: <20020619133241.M73593@brel.com>
In-Reply-To: <20020618230452.X74293-100000@ren.sasknow.com>; from ryan@sasknow.com on Tue, Jun 18, 2002 at 11:13:26PM -0600
References: <3D103A8A.2000503@pittgoth.com> <20020618230452.X74293-100000@ren.sasknow.com>

Greetings,

if you are worried about insecure "access terminals/workstations",
then you will be worried about sniffers on them. Password is out.

S/Key has a higher chance of success, if you can give the user a
secured way of calculating the password. The initialisation of the
key can be done from a secured terminal, or at the console of your
server, (under supervision), which I think we can assume is secured
(right?). The passphrase can use your system for password, part of it
in their head, the other part written down on a card. That left the
secure entering of passphrase to generate the one time pass.

Alternatively, you can generate 10 one-time passwords at a time, for
the user to carry around and use. And they come back to you to
re-init/get the next 10 passwords.

Yet another alternative, issue PDAs that have s/key calculators.
Whatever.

Well, I use s/key when I am travelling and need to have remote access.
And I don't trust dial-ups, and terminals in internet-cafe or at the
conference locations that much. Well, you know what I mean.

Regards,
/calvin

lines with :> are quotes from Ryan Thompson's email

:>
:> Hi Tom,
:>
:>
:> Tom Rhodes wrote to Ryan Thompson:
:>
:> > Ryan,
:> >
:> > Did you know that ssh supports keys?
:>
:> Yes. :-)
:>
:> The basic problem with public/private key encryption is the security
:> and installation of the private key. I don't expect users to be able
:> to properly secure their private key on insecure systems.
:>
:>
:> > The method described above would also be wonderful to keep users
:> > from accessing the system outside the workplace.
:>
:> Which is one of the main reasons it won't work, given that a fair
:> percentage of our staff access the system from outside the workplace,
:> :-)
:>
:> Thanks,
:> - Ryan
:>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
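
The hash-chain idea behind the S/Key workflow described in the message above, as an added sketch that is not part of the original e-mail or of any S/Key implementation: it shows the server-side check, a printed card of the next 10 one-time passwords, and why a sniffed password cannot be replayed. Assumptions: SHA-256 cut to 64 bits stands in for S/Key's MD4-based step, output is hex rather than six-word encoding, and the names `step`, `otp`, `Server`, `printed_card` plus the seed and passphrase are constructed for illustration.

```python
import hashlib

def step(value: bytes) -> bytes:
    # One chain step. Assumption: SHA-256 cut to 64 bits stands in for
    # S/Key's MD4 output folded to 64 bits.
    return hashlib.sha256(value).digest()[:8]

def otp(passphrase: str, seed: str, seq: int) -> bytes:
    # Initial step over seed+passphrase, then `seq` further hash steps.
    value = step((seed + passphrase).encode())
    for _ in range(seq):
        value = step(value)
    return value

class Server:
    # Stores only the last accepted one-time password, never the passphrase.
    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self):
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.seq == 0:
            return False  # chain used up: re-init from a secured terminal
        if step(response) != self.last:
            return False  # wrong passphrase, or a replayed (sniffed) password
        self.last, self.seq = response, self.seq - 1
        return True

def printed_card(passphrase: str, seed: str, seq: int, n: int = 10):
    # The next n responses in the order the server will ask for them.
    lowest = max(seq - n, 0)
    return [(i, otp(passphrase, seed, i).hex()) for i in range(seq - 1, lowest - 1, -1)]

if __name__ == "__main__":
    SEED, PASS = "ka12345", "constructed passphrase"   # constructed sample values
    server = Server(SEED, 100, otp(PASS, SEED, 100))   # done at the console
    card = printed_card(PASS, SEED, 100)
    sniffed = bytes.fromhex(card[0][1])
    print("challenge:", server.challenge())
    print("login:", server.verify(sniffed))
    print("replay of sniffed password:", server.verify(sniffed))
    print("next challenge:", server.challenge())
```
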