From owner-freebsd-security Wed Jun 19 2:40:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id ABB6737B40F for ; Wed, 19 Jun 2002 02:39:53 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 1D2CA5361; Wed, 19 Jun 2002 11:39:51 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Ryan Thompson Cc: freebsd-security@freebsd.org Subject: Re: Password security References: <20020618204711.I65632-100000@ren.sasknow.com> From: Dag-Erling Smorgrav Date: 19 Jun 2002 11:39:51 +0200 In-Reply-To: <20020618204711.I65632-100000@ren.sasknow.com> Message-ID: Lines: 15 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ryan Thompson writes: > So, given the limitations of remote access (from machines assumed to > be insecure), and some fairly dumb Windows clients, what are some > solutions to password security? You need a challenge/response-based authentication mechanism. If your users all have PDAs, you can use OPIE (provided you can find or write an OPIE calculator that will run on their PDAs); or you can use CRYPTOCard tokens. The server software runs on Windows and Linux (I'm working on getting the Linux version to run on FreeBSD); all you need on the FreeBSD side is pam_radius. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message