Date: Mon, 6 Aug 2001 18:09:21 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Mark Murray
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libopie Makefile
Message-ID: <20010806180917.A59047@nagual.pp.ru>
References: <20010806002848.B47300@nagual.pp.ru> <200108061014.f76AEdZ07896@grimreaper.grondar.za>
In-Reply-To: <200108061014.f76AEdZ07896@grimreaper.grondar.za>

On Mon, Aug 06, 2001 at 11:14:39 +0100, Mark Murray wrote:
> > Nowadays all machines used as servers have rare console access, which means
> > that most connections are remote connections, and that _by_default_ OPIE
> > must assume this variant. And for admins who don't trust any remote
> > connection we can have just the opposite option.
>
> I understand that - but remember that the OPIE design idea is that the
> key calculator runs on the _client_ side. If other things don't work
> remotely, then that needs fixing.

No.

1) The key calculator (opiekey) runs _anywhere_ (not on the _client_ side only); it is just a calculator, no system files are used, and there are even CGI-based implementations on the Web. So restricting -f leads to bad results such as 'unofficial' opiekeys; moreover, if you restrict it in one place, f.e. in an SSH connection, you force users to use even less secure variants like Web-based implementations, which leads to more disclosure.

2) OPIE passwords expire after some number of uses and must allow a quick change in case the secret phrase becomes known (f.e. asking the admin to change the password each time by email weakens security). It means you can't run 'opiepasswd' on the _client_ side, only on the side where the passwords are stored, i.e. the _server_ side, which presupposes a remote connection at least, or console access (the latter is rare nowadays).

-- 
Andrey A. Chernov
http://ache.pp.ru/
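The two points above (opiekey is a pure calculator that touches no system file; opiepasswd must run where the key record lives) come down to how an RFC 2289 one-time password chain works. The following is an added example, not code from this thread and not FreeBSD's libopie: it implements the "otp-md5" calculation and the server-side verify-and-advance step in Python. Assumptions: MD5 as the hash, hex output only (the six-word dictionary encoding is left out), and the names otp_md5, otp_step, OpieRecord and the demo passphrase/seed are all made up for illustration. RFC 2289 Appendix C publishes test vectors for the passphrase "This is a test." with seed "TeSt" that can be run against it.

```python
"""RFC 2289 (OPIE / S/Key style) one-time password calculator and verifier.

Added example, not FreeBSD's libopie. Assumes the MD5 variant ("otp-md5")
and hex output only; the six-word encoding is omitted.
"""
import hashlib
import hmac


def fold_md5(digest: bytes) -> bytes:
    """RFC 2289 MD5 fold: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_step(key: bytes) -> bytes:
    """One link of the chain: key_n+1 = fold(MD5(key_n))."""
    return fold_md5(hashlib.md5(key).digest())


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit one-time password for sequence number `count`.

    This is everything opiekey computes: a pure function of passphrase, seed
    and count, so it can run on any host (or in a CGI) and reads no system
    file. The seed is case-insensitive and is lower-cased first (RFC 2289).
    """
    if count < 0:
        raise ValueError("count must be >= 0")
    key = fold_md5(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(count):
        key = otp_step(key)
    return key


def otp_hex(key: bytes) -> str:
    """Hex form as opiekey prints it: four groups of four uppercase hex digits."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_hex(text: str) -> bytes:
    """Accept the hex form back, ignoring whitespace and case."""
    return bytes.fromhex("".join(text.split()))


class OpieRecord:
    """Server side: the per-user (seed, count, key) an opiekeys file holds."""

    def __init__(self, seed: str, count: int, key: bytes):
        self.seed = seed.lower()
        self.count = count
        self.key = key

    @classmethod
    def enroll(cls, passphrase: str, seed: str, count: int = 99) -> "OpieRecord":
        """What opiepasswd does: use the passphrase once to derive the top of
        the chain, store only that key, never the passphrase. Changing the
        passphrase means re-running this where the record is kept."""
        return cls(seed, count, otp_md5(passphrase, seed, count))

    def challenge(self) -> str:
        """Challenge shown at login: the next sequence number and the seed."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept the OTP for count-1 iff one more chain step gives the stored
        key; on success the record advances, so a replay is rejected."""
        if self.count <= 0:
            return False  # chain exhausted: user must re-run opiepasswd
        if hmac.compare_digest(otp_step(response), self.key):
            self.key = response
            self.count -= 1
            return True
        return False


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    record = OpieRecord.enroll("correct horse battery", "fr4321", count=3)
    print(record.challenge())
    answer = otp_md5("correct horse battery", "fr4321", 2)
    print(otp_hex(answer), record.verify(answer), record.verify(answer))
```

Note that verify() never needs the passphrase and the calculator never needs the record: the only state that has to be mutated is the server's (count, key) pair, which is why enrolment and passphrase changes cannot be done from the client side.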