Date: Tue, 9 Jul 2002 16:33:15 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc: Dag-Erling Smorgrav <des@ofug.org>, "Andrey A. Chernov" <ache@nagual.pp.ru>, current@FreeBSD.ORG
Subject: Re: PasswordAuthentication not works in sshd
Message-ID: <20020709233315.GA541@HAL9000.wox.org>
In-Reply-To: <15659.4976.851650.646333@horsey.gshapiro.net>
References: <20020702114530.GB837@nagual.pp.ru> <xzpn0tacp9c.fsf@flood.ping.uio.no> <20020709124943.GA15259@nagual.pp.ru> <xzphej9jb3i.fsf@flood.ping.uio.no> <20020709133611.GA17322@nagual.pp.ru> <xzpd6txj93r.fsf@flood.ping.uio.no> <15659.4976.851650.646333@horsey.gshapiro.net>
Thus spake Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>:
> Interestingly enough, pam_opieaccess doesn't help at all in this
> situation. The remote user is still prompted for their plain text
> password; it just isn't accepted. However, the damage is already done -- a
> compromised ssh client would have already recorded the password typed in.
>
> For opie_access to be of any use, it would have to print a warning telling
> users not to type in their plain text password and cause ssh not to ask for
> that password after the OTP queries fail (effectively, disable password as
> one of the authentication techniques early on).

A compromised SSH client would probably ask for the real password anyway, but I suppose it would be a tip-off if all the real SSH clients only asked for OTPs. OPIE helps if someone is sniffing your terminal, but it's practically useless if you assume that the SSH client is compromised. SSH connections can be multiplexed, so I imagine it would be easy to transparently hijack an authenticated session.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
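The mitigation Gregory describes (stop sshd from offering plain passwords alongside OTP) comes down to the effective value of PasswordAuthentication in sshd_config. The audit helper below is an added example, not part of this message or the thread: it resolves a keyword the way sshd does (first uncommented occurrence wins, keywords are case-insensitive, an absent keyword takes its default) and flags a configuration where the password fallback is still on. The function names sshd_effective and password_fallback_exposed are hypothetical, the two sample configs are constructed, and only the "Keyword value" form of a directive is handled.

```shell
# Hypothetical helper (added example): print the effective value of an
# sshd_config keyword. sshd honours the first uncommented occurrence,
# compares keywords case-insensitively, and uses the default when absent.
#   $1 = config file   $2 = keyword   $3 = default when the keyword is absent
sshd_effective() {
    _val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                    # comments, blank lines
        tolower($1) == key   { print tolower($2); exit } # first match wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# True (exit 0) when sshd would still accept a plain password, i.e. the
# situation in the thread: OTP via PAM is in use but the password prompt
# remains and a recording client gets the real password anyway.
password_fallback_exposed() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = yes ]
}

# Constructed sample configs (not from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Weak: challenge-response (OPIE) is on, but PasswordAuthentication is
# left unset, so sshd falls back to its default of "yes".
cat > "$WEAK_CFG" <<'EOF'
# OTP is offered, yet the plain-password prompt is still reachable
ChallengeResponseAuthentication yes
EOF

# Hardened: password auth disabled early; the later "yes" is ignored
# because sshd keeps the first occurrence of a keyword.
cat > "$HARD_CFG" <<'EOF'
ChallengeResponseAuthentication yes
passwordauthentication no
PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if password_fallback_exposed "$cfg"; then
        echo "$cfg: plain-password fallback ENABLED"
    else
        echo "$cfg: plain-password fallback disabled"
    fi
done
```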