From owner-freebsd-security Wed Jun 19 10: 2: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
    by hub.freebsd.org (Postfix) with ESMTP id F199C37B41B
    for ; Wed, 19 Jun 2002 10:01:40 -0700 (PDT)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
    id 03E965361; Wed, 19 Jun 2002 19:01:39 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
    coincide with those of any organisation or company with which I am or
    have been affiliated.
To: twig les
Cc: Eric F Crist , 'Michael Sierchio' , 'Ryan Thompson' , freebsd-security@FreeBSD.ORG
Subject: Re: Password security
References: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
From: Dag-Erling Smorgrav
Date: 19 Jun 2002 19:01:38 +0200
In-Reply-To: <20020619164844.42032.qmail@web10103.mail.yahoo.com>
Message-ID:
Lines: 18
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

twig les writes:
> As for the initial problem... I would take the lazy
> admin way out and upgrade the windoze SSH client to
> one that uses keys AND passwds (like ssh.com). You
> can give your users their key on a floppy with a
> notepad file on how to install this client on their
> home machine and where to put the key.

That might be doable if you can somehow force users to pick good
passphrases for their keys, but it doesn't defend against keyboard
sniffing or a trojaned ssh client.

I'd use OPIE, though you need a trusted, portable device (such as a
PDA) for computing responses, otherwise someone could trojan your OPIE
calculator and snarf your passphrase.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
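
The OPIE trade-off in the reply above, as an added example that is not part of the original message: a simplified Lamport hash chain in the style of S/KEY and OPIE, showing that a response captured at the keyboard cannot be replayed, while every valid response still has to be derived from the passphrase, which is why the calculator must be trusted. SHA-256 stands in for the RFC 2289 hash and word encoding, and the names `otp`, `Server`, `demo` and the sample seed and passphrase are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 replaces the folded 64-bit hash that real OPIE uses.
    return hashlib.sha256(data).digest()


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Calculator side: hash seed+passphrase n times (n >= 1)."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Holds only the last accepted response, never the passphrase."""

    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self):
        # The user is asked for the chain value one step before the stored one.
        return self.seq - 1, self.seed

    def login(self, response: bytes) -> bool:
        if self.seq <= 1:
            return False  # chain exhausted; the user must re-initialise
        if not hmac.compare_digest(h(response), self.last):
            return False
        # Accept, then move the stored value one step down the chain.
        self.last, self.seq = response, self.seq - 1
        return True


def demo():
    seed, secret = "ke1234", "constructed sample passphrase"  # constructed values
    server = Server(seed, 100, otp(secret, seed, 100))

    n, s = server.challenge()
    sniffed = otp(secret, s, n)        # what a keyboard sniffer would capture
    first = server.login(sniffed)      # legitimate login
    replay = server.login(sniffed)     # the captured response is now stale

    n2, s2 = server.challenge()
    fresh = server.login(otp(secret, s2, n2))  # needs the passphrase again
    return first, replay, fresh


if __name__ == "__main__":
    print(demo())
```
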