From: "Rich Healey" <healey.rich@itreign.com>
To: freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 10:28:49 +1100
Subject: RE: OPIE considered insecure
In-Reply-To: <20090211180709.GB1467@server.vk2pj.dyndns.org>

I've been reading this thread with great interest. At present my primary server is ssh keys only, which is all well and good; to log in I bounce to a node that allows passwords and then to my server, but this is still not ideal. It just eliminates a very small attack surface.
I'm thinking about implementing OPIE, but after reading this I'm not so sure. What's the consensus on the best approach to one-time logins?

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Peter Jeremy
Sent: Thursday, 12 February 2009 5:07 AM
To: Lyndon Nerenberg
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure

On 2009-Feb-09 15:30:33 -0800, Lyndon Nerenberg wrote:
> From what you're describing, I would be more inclined to carry a
> bootable OS on that USB stick and reboot into that.

Keep in mind that libraries, internet cafes etc aren't going to be keen on you turning up with some (to them) random USB stick and wanting to reboot their pride-and-joy off it.

I suspect your choices are to either use OPIE (or some adaption thereof) with ssh on an untrusted computer and assume that anything you type will be logged, or carry your own trusted computer and use some form of wireless (3G, NextG etc) to communicate with your systems.

Note that using very large sequence numbers should slow down an attacker (though only linearly) since they still need to iterate MD5 by that many rounds.

--
Peter Jeremy
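Added illustration of the hash-chain mechanics behind Peter Jeremy's remark about sequence numbers: this is example code written for this page, modelled on the RFC 2289 MD5 folding step, not FreeBSD's opie(4) implementation. The passphrase and seed are constructed sample values.

```python
import hashlib

# Counter of MD5 evaluations, used to show the per-guess cost grows only linearly.
MD5_CALLS = 0


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289-style MD5 step: digest the input, then XOR the two 8-byte halves."""
    global MD5_CALLS
    MD5_CALLS += 1
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def opie_key(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side: the key for a sequence number is fold(seed||passphrase) iterated `sequence` times."""
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        key = fold_md5(key)
    return key


def md5_cost(passphrase: str, seed: str, sequence: int) -> int:
    """MD5 evaluations needed to derive one key at `sequence`, i.e. the cost of checking one passphrase guess."""
    global MD5_CALLS
    MD5_CALLS = 0
    opie_key(passphrase, seed, sequence)
    return MD5_CALLS


class OpieVerifier:
    """Server side: stores only the last accepted key and its sequence number, never the passphrase."""

    def __init__(self, seed: str, stored_key: bytes, sequence: int):
        self.seed, self.stored_key, self.sequence = seed, stored_key, sequence

    def verify(self, response: bytes) -> bool:
        # A valid response is the previous link in the chain: hashing it once yields the stored key.
        # Accepting it moves the stored key back one link, so the same response cannot be replayed.
        if self.sequence > 0 and fold_md5(response) == self.stored_key:
            self.stored_key, self.sequence = response, self.sequence - 1
            return True
        return False


def demo_session() -> list:
    """Enrol at sequence 99, log in, replay the same response, try a wrong passphrase, log in again."""
    passphrase, seed = "correct horse battery", "fb1234"  # constructed sample values
    server = OpieVerifier(seed, opie_key(passphrase, seed, 99), 99)
    return [
        server.verify(opie_key(passphrase, seed, 98)),  # accepted
        server.verify(opie_key(passphrase, seed, 98)),  # rejected: replay
        server.verify(opie_key("wrong passphrase", seed, 97)),  # rejected: wrong chain
        server.verify(opie_key(passphrase, seed, 97)),  # accepted
    ]
```

md5_cost makes the "only linearly" point concrete: each passphrase guess costs sequence+1 MD5 evaluations, so doubling the sequence number doubles the attacker's work and nothing more.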