From: David Gilbert
Date: Fri, 26 Mar 1999 21:46:39 -0500 (EST)
To: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: sudo (was Re: Kerberos vs SSH)
Message-ID: <14076.18063.704725.905099@trooper.velocet.ca>

>>>>> "Frank" == Frank Tobin writes:

Frank> A decent way to get to prevent such attacks is to allow the use
Frank> only S/Key one-time passwords when a person sudo's (or even
Frank> logs in via any unencrypted means). I'm not sure how this
Frank> would be accomplished, but I'd be surprised if it couldn't be
Frank> done.

I took a stab at forcing this right around the 3.0 release. I found
that I couldn't quite force it. There were things in login.conf that
sounded like they were meant to do this, but the actual /bin/login
program has a lot of code commented out of it. I eventually gave up.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================