From owner-freebsd-current Tue Jul 9 16:33:28 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC29E37B400; Tue, 9 Jul 2002 16:33:25 -0700 (PDT)
Received: from HAL9000.wox.org (12-233-156-170.client.attbi.com [12.233.156.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id F19FE43E54; Tue, 9 Jul 2002 16:33:24 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.wox.org (localhost [127.0.0.1]) by HAL9000.wox.org (8.12.3/8.12.3) with ESMTP id g69NXcH7000799; Tue, 9 Jul 2002 16:33:39 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost) by HAL9000.wox.org (8.12.3/8.12.3/Submit) id g69NXLnN000798; Tue, 9 Jul 2002 16:33:21 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Date: Tue, 9 Jul 2002 16:33:15 -0700
From: David Schultz
To: Gregory Neil Shapiro
Cc: Dag-Erling Smorgrav, "Andrey A. Chernov", current@FreeBSD.ORG
Subject: Re: PasswordAuthentication not works in sshd
Message-ID: <20020709233315.GA541@HAL9000.wox.org>
Mail-Followup-To: Gregory Neil Shapiro, Dag-Erling Smorgrav, "Andrey A. Chernov", current@FreeBSD.ORG
References: <20020702114530.GB837@nagual.pp.ru> <20020709124943.GA15259@nagual.pp.ru> <20020709133611.GA17322@nagual.pp.ru> <15659.4976.851650.646333@horsey.gshapiro.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <15659.4976.851650.646333@horsey.gshapiro.net>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thus spake Gregory Neil Shapiro:
> Interestingly enough, pam_opieaccess doesn't help at all in this
> situation. The remote user is still prompted for their plain text
> password, it just isn't accepted. However, the damage is already done -- a
> compromised ssh client would have already recorded the password typed in.
>
> For opie_access to be of any use, it would have to print a warning telling
> users not to type in their plain text password and cause ssh not to ask for
> that password after the OTP queries fail (effectively, disable password as
> one of the authentication techniques early on).

A compromised SSH client would probably ask for the real password
anyway, but I suppose it would be a tip-off if all the real SSH
clients only asked for OTPs. OPIE helps if someone is sniffing
your terminal, but it's practically useless if you assume that
the SSH client is compromised. SSH connections can be
multiplexed, so I imagine it would be easy to transparently
hijack an authenticated session.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
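The mitigation Shapiro asks for above, making sshd stop offering plain password authentication so that an OPIE user is never asked for a reusable password, can be expressed in the server's configuration. The fragment below is an added illustration for this archived thread; it is not part of the original message and not FreeBSD's shipped configuration. The sshd_config directives are standard OpenSSH ones; the /etc/pam.d/sshd stack is an assumed, simplified example of a FreeBSD-style OPIE chain using the pam_opie and pam_opieaccess modules the thread discusses.

```conf
# /etc/ssh/sshd_config (illustrative fragment, not the thread's own config)

# Weak setting: sshd lets the client collect a reusable password and send
# it before PAM ever runs, so a hostile client has already captured it by
# the time pam_opieaccess rejects it.
#PasswordAuthentication yes

# Hardened setting: refuse password authentication outright and let PAM's
# challenge-response conversation drive the prompts, so an OPIE user only
# ever sees the one-time-password challenge and has no plain password to type.
PasswordAuthentication no
ChallengeResponseAuthentication yes

# /etc/pam.d/sshd (assumed, simplified stack for illustration only)
# pam_opie issues the OTP challenge; pam_opieaccess, marked requisite,
# stops the stack for OPIE users arriving from untrusted hosts before any
# later module can ask for a Unix password.
auth  sufficient  pam_opie.so        no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so  no_warn allow_local
auth  required    pam_unix.so        no_warn try_first_pass
```

Check the edited file with `sshd -t` before reloading, then verify from a second session that a login attempt for an OPIE user is offered only the keyboard-interactive OTP challenge. As the reply notes, this closes the plain-password exposure but does nothing about a client that is itself compromised, which could still relay or hijack the session once it is authenticated.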