From: Joe Schaefer <joesuf4@gmail.com>
Date: Thu, 15 Sep 2022 19:31:18 -0400
Subject: Re: Putting OPIE to rest
To: grarpamp
Cc: des@des.no, freebsd-current@freebsd.org, freebsd-hackers@freebsd.org, freebsd-security@freebsd.org
References: <86h718sqdx.fsf@ltc.des.no>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
google-authenticator-libpam works for sudo controls?

On Thu, Sep 15, 2022 at 7:01 PM grarpamp <grarpamp@gmail.com> wrote:
> On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote:
> > I will be removing OPIE from the main branch within the next few days.
> > It has long outlived its usefulness. Anyone still using it should look
> > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> > https://reviews.freebsd.org/D36592
>
> At least so long as PAM remains available, OPIE should be
> maintained as a PAM option, and be updated.
>
> OPIE is the only PAM that allows printing out the future
> secure tokens. Old school, secure, it just works.
>
> HOTP requires hardware, TOTP requires time,
> neither are printable, both of those require some other
> [hackable] hw/sw device that costs $$$ money, and
> those devices all have different threat/failure/admin models
> than simple paper.
>
> If people don't like...
> - The hash algo, a volunteer committer can update it to sha256.
> - The list of words, a volunteer committer can update it to
>   read from a list of admin supplied words in:
>   /etc/opie_words.txt
> - The number of words, a volunteer committer can add an
>   option to the config for that.
> - The writeable state breaking in a read-only root, a volunteer
>   committer can add a config option to point that elsewhere.
> - The randomness, a volunteer committer can update it
>   to modern randomness.
>
> And if people still don't like it, then commit those simple updates,
> and push it out to ports, instead of killing users' use of it.
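As an added illustration (not code from the thread or from OPIE itself), the S/Key-style hash chain behind the "printable future tokens" discussed above: the server keeps only H^n, the user presents H^(n-1), and a list of upcoming tokens can be computed ahead of time. It uses SHA-256 (as the post suggests) and hex output instead of OPIE's MD5 and six-word encoding; the seed and passphrase are constructed sample values.

```python
"""S/Key-style hash-chain one-time passwords (the scheme OPIE implements),
shown with SHA-256 and hex output rather than OPIE's MD5 / six-word encoding."""
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """Fold a digest down to 8 bytes by XORing its 8-byte chunks (S/Key convention)."""
    out = bytes(8)
    for i in range(0, len(digest), 8):
        out = bytes(a ^ b for a, b in zip(out, digest[i:i + 8].ljust(8, b"\0")))
    return out


def step(value: bytes) -> bytes:
    """One link of the chain: H(value), folded to 64 bits."""
    return fold64(hashlib.sha256(value).digest())


def token(seed: str, passphrase: str, sequence: int) -> bytes:
    """Token `sequence` is H applied `sequence` more times to H(seed || passphrase)."""
    v = step((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        v = step(v)
    return v


def printable_list(seed: str, passphrase: str, top: int, count: int) -> list:
    """The property the post describes: the next `count` tokens, listed in advance,
    highest sequence first, because that is the order the server will accept them."""
    return [(s, token(seed, passphrase, s).hex())
            for s in range(top - 1, top - 1 - count, -1)]


class Verifier:
    """Server side: stores the seed, current sequence and H^sequence, never the passphrase."""

    def __init__(self, seed: str, sequence: int, stored: bytes):
        self.seed, self.sequence, self.stored = seed, sequence, stored

    def verify(self, candidate: bytes) -> bool:
        if self.sequence <= 0:
            return False  # chain exhausted: user must re-initialise with a new seed
        if not hmac.compare_digest(step(candidate), self.stored):
            return False  # wrong, replayed, or out-of-order token
        # Accept, and move the stored value one link down the chain.
        self.stored, self.sequence = candidate, self.sequence - 1
        return True
```

A replayed token fails because the stored value has already moved past it, and a token presented out of order fails because only the immediate predecessor of the stored value hashes to it.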
