Date:      Sun, 16 Oct 2022 13:51:37 -0400
From:      grarpamp <grarpamp@gmail.com>
To:        freebsd-security@freebsd.org
Cc:        freebsd-hackers@freebsd.org, freebsd-current@freebsd.org,  freebsd-stable@freebsd.org, freebsd-questions@freebsd.org, des@des.no
Subject:   Re: Putting OPIE to rest
Message-ID:  <CAD2Ti2_GbNmxKN8k9zVb9RsNQbOEatW92r=BgpTz%2B=8GHKiWZA@mail.gmail.com>
In-Reply-To: <86czbwryx0.fsf@ltc.des.no>
References:  <86h718sqdx.fsf@ltc.des.no> <CAD2Ti2_AQCFJRWiwErEdn1hY0Qms0=znTx3T_CjDQ4kvoKG2OQ@mail.gmail.com> <86czbwryx0.fsf@ltc.des.no>

On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote:
> Neither HOTP nor TOTP require dedicated devices.
> HOTP codes are sequential and can be pre-generated...

Those aren't really their intended or advertised usage models,
nor do common implementations support those modes.
Is FreeBSD contributing and supplying ones that do?
OPIE's model already intends for and supports no-device and printout.

To emphasize and extend...
https://lists.freebsd.org/archives/freebsd-current/2022-September/002573.html

It should also be noted that the affected scope here is not just 'FreeBSD users
logging into FreeBSD shell', there are also applications out there that compile
against and use FreeBSD's libopie, some of which are in ports some are not.

OPIE does not exist as a port+package, thus re POLA for users,
it should not be removed until such time as one is provided.

Where is discussion on these?

And why isn't every other 'old, outlived, non-hipster' pam authentication
plugin being arbitrarily removed and non-portified, such as say tacacs,
radius, krb, rhosts, etc.?
And if those pam are there, why then are hip OAUTH HOTP TOTP etc type things
not added, lib-ified, etc.?
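
The pre-generation of sequential HOTP codes mentioned in the quoted text, as an added example that is not part of this e-mail or of FreeBSD's code: RFC 4226 HOTP producing a printable code sheet, plus a verifier that advances the counter so a used code cannot be replayed. The secret is the RFC 4226 test key; the function names and the look-ahead window of 3 are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 Appendix D test key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pregenerate(secret: bytes, start: int, count: int) -> list:
    """(counter, code) pairs for counters start..start+count-1, e.g. for a printout."""
    return [(c, hotp(secret, c)) for c in range(start, start + count)]


def verify(secret: bytes, server_counter: int, candidate: str, window: int = 3):
    """Check candidate against the next `window` counters (hypothetical helper).

    On success returns the new server counter, one past the matched counter,
    which invalidates that code and every earlier one. Returns None on failure.
    """
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Print a ten-code sheet, then show that a consumed code is rejected.
    for counter, code in pregenerate(SAMPLE_SECRET, 0, 10):
        print(f"{counter:3d}: {code}")
    state = verify(SAMPLE_SECRET, 0, hotp(SAMPLE_SECRET, 2))
    print("counter after login:", state)
    print("replay accepted:", verify(SAMPLE_SECRET, state, hotp(SAMPLE_SECRET, 2)) is not None)
```
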


