Date:      Tue, 18 Jun 2019 09:07:28 -0400
From:      Dan Langille <dan@langille.org>
To:        Robert Simmons <rsimmons0@gmail.com>
Cc:        Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-security@freebsd.org
Subject:   Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID:  <DD73534E-084A-44A7-83D1-60661C64A8A4@langille.org>
In-Reply-To: <CA%2BQLa9AkOwM14nxgXmmiH8TFewaT6HGjq7vzRQ5u4YNFNh-W-w@mail.gmail.com>
References:  <20190618075954.GA30296@admin.sibptus.ru> <CA%2BQLa9AkOwM14nxgXmmiH8TFewaT6HGjq7vzRQ5u4YNFNh-W-w@mail.gmail.com>

> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmons0@gmail.com> wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas@mpeks.tomsk.su> wrote:
>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?

> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>


If my Google Authenticator codes are on my phone, and I'm entering them
into my ssh session, how is a phishing page involved?

--
Dan Langille
http://langille.org/







