From: Dag-Erling Smørgrav <des@des.no>
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Date: Wed, 03 Feb 2010 23:27:57 +0100
Message-ID: <86ljfac5ua.fsf@ds4.des.no>
In-Reply-To: <201002031814.o13IEYqk081411@apollo.backplane.com> (Matthew Dillon's message of "Wed, 3 Feb 2010 10:14:34 -0800 (PST)")

Matthew Dillon writes:
> The vast majority of BSD users don't need PAM's capabilities when it
> comes to ssh.

You clearly don't understand what PAM does.

> And if you are really going to insist on changing the option around
> the least you could have done was uncomment the related options and
> set them to a definitive 'no' value (that would be ChallengeResponse
> at the very least) when you made the other changes.

You clearly don't understand what the ChallengeResponse option does.

> In any case, I think Mr Barton's posting was excellent. We already
> ship with PasswordAuthentication set to 'no' and, of course, PAM is
> disabled by default, but I am going to make further adjustments to
> our sshd_config based on Doug's suggestions plus I will also
> uncomment ChallengeResponseAuthentication and set that to 'no' too
> as a further safety measure.

...leaving your users with no other option than keys. No OPIE, no Radius,
no nothing - just keys.

You do realize that users have the option to store their keys unencrypted,
and there is nothing you can do on the server side to prevent them? That's
even *less* secure than passwords.

DES
-- 
Dag-Erling Smørgrav - des@des.no
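The disagreement above is about which authentication paths an sshd_config actually leaves open once PasswordAuthentication, ChallengeResponseAuthentication and UsePAM are set to no. The script below is an added example for auditing that, not code from the thread or from FreeBSD/OpenSSH. It assumes upstream sshd_config(5) defaults (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, UsePAM no), the "Keyword value" syntax only, first occurrence wins, settings after a Match line are ignored, and that keyboard-interactive backends (OPIE, RADIUS) are only reachable through PAM.

```shell
#!/bin/sh
# sshd_opt FILE KEYWORD DEFAULT -> effective value of KEYWORD, lowercased.
# Commented-out lines are ignored, the first match wins, and parsing stops
# at the first Match block (values there are conditional, not global).
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"    { exit }
        tolower($1) == key        { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_auth_paths FILE -> space-separated list of enabled auth paths.
# Assumption: keyboard-interactive (OPIE, RADIUS, ...) is only usable when
# PAM is enabled, so it is reported only if both options are yes.
sshd_auth_paths() {
    pubkey=$(sshd_opt "$1" PubkeyAuthentication yes)
    passwd=$(sshd_opt "$1" PasswordAuthentication yes)
    chresp=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    usepam=$(sshd_opt "$1" UsePAM no)
    out=""
    [ "$pubkey" = yes ] && out="$out publickey"
    [ "$passwd" = yes ] && out="$out password"
    [ "$chresp" = yes ] && [ "$usepam" = yes ] && out="$out keyboard-interactive(pam)"
    printf '%s\n' "${out# }"
}

# Constructed sample configs (not real files from any system): the
# "keys only" layout discussed in the thread, and one that keeps PAM and
# challenge-response so OPIE/RADIUS remain possible.
d=${TMPDIR:-/tmp}
printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM no\n' \
    > "$d/sshd_config.keysonly.$$"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n' \
    > "$d/sshd_config.pam.$$"
echo "keys-only config : $(sshd_auth_paths "$d/sshd_config.keysonly.$$")"
echo "pam config       : $(sshd_auth_paths "$d/sshd_config.pam.$$")"
rm -f "$d/sshd_config.keysonly.$$" "$d/sshd_config.pam.$$"
```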