From: grarpamp
Date: Sun, 16 Oct 2022 13:51:37 -0400
Subject: Re: Putting OPIE to rest
To: freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-questions@freebsd.org, des@des.no
In-Reply-To: <86czbwryx0.fsf@ltc.des.no>
References: <86h718sqdx.fsf@ltc.des.no> <86czbwryx0.fsf@ltc.des.no>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On 9/15/22, Dag-Erling Smørgrav wrote:
> Neither HOTP nor TOTP require dedicated devices.
> HOTP codes are sequential and can be pre-generated...

Those aren't really their intended or advertised usage models,
nor do common implementations support those modes. Is FreeBSD
contributing and supplying ones that do? OPIE's model already
intends for and supports no-device and printout.

To emphasize and extend...
https://lists.freebsd.org/archives/freebsd-current/2022-September/002573.html

It should also be noted that the affected scope here is not just
'FreeBSD users logging into FreeBSD shell', there are also
applications out there that compile against and use FreeBSD's
libopie, some of which are in ports some are not.

OPIE does not exist as a port+package, thus re POLA for users,
it should not be removed until such time as one is provided.

Where is discussion on these.

And why isn't every other 'old, outlived, non-hipster' pam
authentication plugin being arbitrarily removed and non-portified,
such as say tacacs, radius, krb, rhosts, etc.

And if those pam are there, why then are hip OAUTH HOTP TOTP
etc type things not added, lib-ified, etc.