From owner-cvs-all  Mon Aug  6  7: 9:56 2001
Delivered-To: cvs-all@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42])
	by hub.freebsd.org (Postfix) with ESMTP
	id 78C0737B405; Mon,  6 Aug 2001 07:09:49 -0700 (PDT)
	(envelope-from ache@nagual.pp.ru)
Received: (from ache@localhost)
	by nagual.pp.ru (8.11.4/8.11.4) id f76E9Qk59328;
	Mon, 6 Aug 2001 18:09:26 +0400 (MSD)
	(envelope-from ache)
Date: Mon, 6 Aug 2001 18:09:21 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Mark Murray <mark@grondar.za>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libopie Makefile
Message-ID: <20010806180917.A59047@nagual.pp.ru>
References: <20010806002848.B47300@nagual.pp.ru> <200108061014.f76AEdZ07896@grimreaper.grondar.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200108061014.f76AEdZ07896@grimreaper.grondar.za>
User-Agent: Mutt/1.3.19i
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Mon, Aug 06, 2001 at 11:14:39 +0100, Mark Murray wrote:
> > Nowdays all machines used as servers with rare console access, it means
> > that most connections are remote connections, and it means that
> > _by_default_ OPIE must assume this variant. And for admins which don't
> > trust any remote connection we can have just opposite option.
> 
> I understand that - but remember that the OPIE design idea is that the
> key calculator runs on the _client_ side. If other things don't work
> remotely, then that needs fixing.

No.

1) Key calculator (opiekey) runs _anywhere_ (not on _client_ side only),
it is just calculator, no system files used, there are even CGI-based
implementations on the Web (so, restricting -f leads to bad results as
'unofficial' opiekeys, moreover, if you restrict in in one place, f.e. in
SSH connection, you force users to use even less secured variants like
Web-based implementations which leads to more disclosure).

2) OPIE passwords are expired after some number of usage and must allow
quick change in case secret phrase becomes known (f.e. asking admin to
change password each time by email weakens security). It means you can't
run 'opiepasswd' on _client_ side, only on side where passwords stored,
i.e. _server_ side, which suppose remote connection at least or console
access (later is rare nowdays).

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message