From owner-freebsd-current  Tue Jul  9 16:33:28 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AC29E37B400; Tue,  9 Jul 2002 16:33:25 -0700 (PDT)
Received: from HAL9000.wox.org (12-233-156-170.client.attbi.com [12.233.156.170])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id F19FE43E54; Tue,  9 Jul 2002 16:33:24 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.wox.org (localhost [127.0.0.1])
	by HAL9000.wox.org (8.12.3/8.12.3) with ESMTP id g69NXcH7000799;
	Tue, 9 Jul 2002 16:33:39 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost)
	by HAL9000.wox.org (8.12.3/8.12.3/Submit) id g69NXLnN000798;
	Tue, 9 Jul 2002 16:33:21 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Date: Tue, 9 Jul 2002 16:33:15 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc: Dag-Erling Smorgrav <des@ofug.org>,
	"Andrey A. Chernov" <ache@nagual.pp.ru>, current@FreeBSD.ORG
Subject: Re: PasswordAuthentication not works in sshd
Message-ID: <20020709233315.GA541@HAL9000.wox.org>
Mail-Followup-To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>,
	Dag-Erling Smorgrav <des@ofug.org>,
	"Andrey A. Chernov" <ache@nagual.pp.ru>, current@FreeBSD.ORG
References: <20020702114530.GB837@nagual.pp.ru> <xzpn0tacp9c.fsf@flood.ping.uio.no> <20020709124943.GA15259@nagual.pp.ru> <xzphej9jb3i.fsf@flood.ping.uio.no> <20020709133611.GA17322@nagual.pp.ru> <xzpd6txj93r.fsf@flood.ping.uio.no> <15659.4976.851650.646333@horsey.gshapiro.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <15659.4976.851650.646333@horsey.gshapiro.net>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

Thus spake Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>:
> Interestingly enough, pam_opieaccess doesn't help at all in this
> situation.  The remote user is still prompted for their plain text
> password, it just isn't accepted.  However, the damage is already done -- a
> compromised ssh client would have already recorded the password typed in.
> 
> For opie_access to be of any use, it would have to print a warning telling
> users not to type in their plain text password and cause ssh not to ask for
> that password after the OTP queries fail (effectively, disable password as
> one of the authentication techniques early on).

A compromised SSH client would probably ask for the real password
anyway, but I suppose it would be a tip-off if all the real SSH
clients only asked for OTPs.  OPIE helps if someone is sniffing
your terminal, but it's practically useless if you assume that the
SSH client is compromised.  SSH connections can be multiplexed, so
I imagine it would be easy to transparently hijack an
authenticated session.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message