Date: Wed, 03 Feb 2010 23:27:57 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-ID: <86ljfac5ua.fsf@ds4.des.no>
In-Reply-To: <201002031814.o13IEYqk081411@apollo.backplane.com> (Matthew Dillon's message of "Wed, 3 Feb 2010 10:14:34 -0800 (PST)")
References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> <201001282311.o0SNBWp4003678@apollo.backplane.com> <86ock95bls.fsf@ds4.des.no> <201002011824.o11IOxjQ045906@apollo.backplane.com> <86y6jacyxb.fsf@ds4.des.no> <201002031814.o13IEYqk081411@apollo.backplane.com>

Matthew Dillon <dillon@apollo.backplane.com> writes:
> The vast majority of BSD users don't need PAM's capabilities when it
> comes to ssh.

You clearly don't understand what PAM does.

> And if you are really going to insist on changing the option around
> the least you could have done was uncomment the related options and
> set them to a definitive 'no' value (that would be ChallengeResponse
> at the very least) when you made the other changes.

You clearly don't understand what the ChallengeResponse option does.

> In any case, I think Mr Barton's posting was excellent. We already
> ship with PasswordAuthentication set to 'no' and, of course, PAM is
> disabled by default, but I am going to make further adjustments to
> our sshd_config based on Doug's suggestions plus I will also
> uncomment ChallengeResponseAuthentication and set that to 'no' too
> as a further safety measure.

...leaving your users with no other option than keys. No OPIE, no
Radius, no nothing - just keys. You do realize that users have the
option to store their keys unencrypted, and there is nothing you can do
on the server side to prevent them? That's even *less* secure than
passwords.

DES
-- 
Dag-Erling Smørgrav - des@des.no