From owner-freebsd-security@freebsd.org Tue Jun 18 13:07:39 2019
From: Dan Langille <dan@langille.org>
To: Robert Simmons
Cc: Victor Sudakov, freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Date: Tue, 18 Jun 2019 09:07:28 -0400
References: <20190618075954.GA30296@admin.sibptus.ru>
List-Id: "Security issues [members-only posting]"

> On Jun 18, 2019, at 9:02 AM, Robert Simmons wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov wrote:
>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
>
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>

If my Google Authenticator codes are on my phone, and I'm entering them into my ssh session, how is a phishing page involved?

—
Dan Langille
http://langille.org/
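The thread turns on two properties of the 6-digit codes that pam_google_authenticator checks: how much an online guesser gains from the server's time tolerance, and the fact that the server only compares a code against its secret and the clock, with nothing binding the code to the session it was typed into (the property Rob's phishing remark rests on). The following is an added example, not code from the thread or from the pam_google_authenticator project: a stdlib-only RFC 4226/6238 verifier with a clock-skew window, one-time-use enforcement, and a helper that turns the window and a permitted number of attempts into a guessing probability. The shared secret is the one from the RFC test vectors; the `skew` and `attempts` values are constructed parameters, not the module's defaults.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps (Unix time // step)."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check: accept a code for any step within +/- skew of the current
    step, but never accept a step at or below the last one already used to log in."""

    def __init__(self, secret_b32: str, skew: int = 1, step: int = 30, digits: int = 6):
        # Authenticator apps exchange the secret in base32; decode it once here.
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.skew = skew
        self.step = step
        self.digits = digits
        self.last_step = -1  # highest time step consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # one-time use: a step that already logged someone in is burnt
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = candidate
                return True
        return False


def guess_success_probability(attempts: int, skew: int = 1, digits: int = 6) -> float:
    """Chance that `attempts` uniformly random codes include one the verifier accepts,
    given it tolerates 2*skew+1 time steps. Approximates distinct codes per step."""
    accepted_per_try = (2 * skew + 1) / 10 ** digits
    return 1 - (1 - accepted_per_try) ** attempts


# Constructed demo inputs: the shared secret from the RFC 4226/6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode()


def demo(now: int = 59):
    """Walk one login through the verifier; returns (fresh, replay, stale, wrong)."""
    v = TotpVerifier(RFC_TEST_SECRET_B32, skew=1)
    fresh = v.verify(totp(RFC_TEST_SECRET, now), now)        # current code: accepted
    replay = v.verify(totp(RFC_TEST_SECRET, now), now)       # same code again: rejected
    stale = v.verify(totp(RFC_TEST_SECRET, now - 30), now)   # previous step: inside skew, but older than the last login
    wrong = v.verify("000000", now)                          # arbitrary code: rejected
    return fresh, replay, stale, wrong


if __name__ == "__main__":
    print("RFC 6238 vector, t=59:", totp(RFC_TEST_SECRET, 59))
    print("fresh/replay/stale/wrong:", demo())
    for attempts in (1, 3, 1000):
        print(f"{attempts} guesses, skew=1: p={guess_success_probability(attempts):.2e}")
```

The probability helper is what makes the "6 digits" question concrete: a single guess against a three-step window lands at 3 in a million, and the figure only becomes worrying when a verifier lets an attacker submit thousands of attempts per window, which is why the lockout and rate-limit settings matter more than the digit count. Replay rejection is the second defence the RFCs ask for; without it a code captured in flight is good until its step expires.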