From: Peter Jeremy <peterjeremy@acm.org>
To: Miguel Lopes Santos Ramos
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Mar 2011 07:40:56 +1100
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <20110313204054.GA5392@server.vk2pj.dyndns.org>
In-Reply-To: <1299798547.20831.59.camel@w500.local>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

On 2011-Mar-10 23:09:07 +0000, Miguel Lopes Santos Ramos wrote:
> - The objection on S/KEY on that wiki page, that it's possible to
> compute all previous passwords, is a bit odd, since past passwords won't
> be used anymore.

One weakness of S/KEY and OPIE is that if an attacker finds the password
(response) for sequence N then they can trivially determine the response for
any sequence > N. This could occur if (eg) you have a printout of OPIE keys
and are just crossing them off (which was a common recommendation prior to
smart phones etc) - an attacker just needs to memorise the lowest N and
response.

-- 
Peter Jeremy
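The chain property Peter describes, as an added example that is not part of the original message or of the OPIE code: a minimal S/KEY-style hash chain and verifier, showing that the response for sequence N yields every response for sequence > N (the ones still unused on a printed sheet) by plain re-hashing, while walking the chain the other way would require inverting the hash. The chain here uses SHA-256 rather than OPIE's 64-bit folded MD5/SHA-1, so the responses are not otp-md5 compatible; the passphrase, seed and sequence numbers are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values: not a real passphrase or seed.
SECRET = b"correct horse battery staple"
SEED = b"ke1234"


def step(x: bytes) -> bytes:
    """One link of the chain. Simplified: SHA-256 instead of OPIE's folded MD5/SHA-1."""
    return hashlib.sha256(x).digest()


def response(secret: bytes, seed: bytes, n: int) -> bytes:
    """One-time response for sequence number n: the chain start hashed n more times.

    Sequence numbers are consumed in decreasing order, so a larger n is
    later in the chain (and was used earlier) than a smaller n.
    """
    x = step(seed + secret)
    for _ in range(n):
        x = step(x)
    return x


def derive_later(resp_n: bytes, n: int, m: int) -> bytes:
    """From the response for sequence n, derive the one for sequence m > n.

    No secret is needed, only (m - n) further hash steps; m < n would
    require inverting the hash, which is the whole point of the scheme.
    """
    if m < n:
        raise ValueError("cannot walk the chain backwards without the secret")
    x = resp_n
    for _ in range(m - n):
        x = step(x)
    return x


class OtpServer:
    """Minimal S/KEY-style verifier: stores the link one step above the next valid response."""

    def __init__(self, secret: bytes, seed: bytes, seq: int):
        self.seed = seed
        self.seq = seq                                  # next sequence number to challenge with
        self.stored = response(secret, seed, seq + 1)   # hash of the next valid response

    def challenge(self) -> tuple:
        return (self.seq, self.seed)

    def verify(self, resp: bytes) -> bool:
        if self.seq < 0 or not hmac.compare_digest(step(resp), self.stored):
            return False
        self.stored = resp   # advance: the accepted response becomes the stored link
        self.seq -= 1
        return True


def printed_sheet(secret: bytes, seed: bytes, top: int, bottom: int) -> dict:
    """Emulate a printed batch of responses, sequence numbers top down to bottom."""
    return {n: response(secret, seed, n) for n in range(top, bottom - 1, -1)}


def leak_demo(secret=SECRET, seed=SEED, top=499, bottom=480, used=3):
    """Return (sequence numbers forgeable, number the server accepts) when only the
    lowest entry of the printed sheet was observed, after `used` legitimate logins."""
    srv = OtpServer(secret, seed, top)
    sheet = printed_sheet(secret, seed, top, bottom)
    for n in range(top, top - used, -1):      # legitimate user crosses entries off
        if not srv.verify(sheet[n]):
            raise RuntimeError("legitimate login rejected")
    lowest_n, lowest_resp = bottom, sheet[bottom]
    forgeable = list(range(srv.seq, lowest_n, -1))   # every unused entry above the leaked one
    accepted = sum(1 for n in forgeable
                   if srv.verify(derive_later(lowest_resp, lowest_n, n)))
    return forgeable, accepted
```

The practical consequence for a defender is the one Peter draws: on a printed sheet, the lowest-numbered response is worth all the unused ones above it, so keep batches short (opiekey's -n count controls how many responses are generated) and treat the remaining sheet as a credential, not as a list of already-spent tokens.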