Date: Wed, 19 Jun 2019 09:05:12 +0700
From: Victor Sudakov
To: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190619020512.GA64608@admin.sibptus.ru>
References: <20190618075954.GA30296@admin.sibptus.ru>

Robert Simmons wrote:
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page.

In my case, no page is involved, just the FreeOTP app on my Android phone
(which is less convenient than a sheet of paper with OPIE passwords, but I
can live with that).

> U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor

U2F (and Yubikey) require purchase of hardware devices. In this sense, they
are not replacements for OPIE, which is a pure software solution.

Back to my original question.

1. Is it safe to keep OPIE in the base system? Its upstream project is gone.
It is not IPv6 ready. It uses MD5.

2. If OPIE is not safe anymore, which is a good software replacement?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/