Re: OTP (opie) and ssh
On Mon, Sep 18, 2000 at 09:18:05PM -0300, Henrique M Holschuh wrote:
> Yeah, those do solve the worst problem with OPIE. There's nothing wrong with
> OTPs when properly designed (i.e.: no sheets of paper ;-) ), but since the
> original poster was talking about OPIE...

Using OPIE doesn't mean you have to carry around "sheets of paper." OPIE is perfectly capable of authenticating against OTPs generated by any S/Key-compatible generator. So.. re-focusing on trying to solve his problem would be a big help to him as well as everyone else. ;)

Anyway, regarding OPIE usage with OpenSSH: it supports S/Key auth natively, but AFAICT the reason OPIE doesn't work correctly has something to do with ssh and/or PAM not being able to print the challenge correctly. I really don't know the whole story, but I was trying to figure out a way to get OPIE working with OpenSSH myself and saw something to this effect on the portable OpenSSH development list archive.

Seems to me the correct way to support OPIE MAY be to petition the developers to include it. In fact, there is a patch already floating around that does this (seen on the aforementioned list archive), though it was for an older version of OpenSSH so I haven't tried it. Note that I am using a self-compiled installation; that patch may be appropriate for the Debian-provided version... check to see.
Re: OTP (opie) and ssh
On Mon, 18 Sep 2000, Thorsten Sideb0ard wrote:
> By a one time password system I am not referring to carrying round a sheet
> of paper, but rather something like the SecureID system, or some kind of
> automated otp generator, and I believe there is a good one for the Palm
> platform also.

Yeah, those do solve the worst problem with OPIE. There's nothing wrong with OTPs when properly designed (i.e.: no sheets of paper ;-) ), but since the original poster was talking about OPIE...

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Re: OTP (opie) and ssh
By a one time password system I am not referring to carrying round a sheet of paper, but rather something like the SecureID system, or some kind of automated otp generator, and I believe there is a good one for the Palm platform also.

thor

On Mon, 18 Sep 2000, Henrique M Holschuh wrote:
> > I can see the point,
> > because a would-be intruder could look over the shoulder of an authorised
> > user, or someone with more privileges than himself, and watch his password
> > being entered. Then it doesn't matter whether the session is encrypted
> > because the intruder knows the password.
> >
> > The more security the better, as far as I am concerned.
>
> Yes. One should use OPIE when he knows the connection is being eavesdropped
> at his end and accepts the fact that carrying around a printed sheet of
> paper with a few OTP-generated passwords is safer (or you could program your
> PDA, HP49, whatever to generate OTP passwords for you, I suppose) than
> typing a constant password for the eavesdropper to grab.
>
> Otherwise OPIE is (usually) a security risk, as those sheets of paper are
> NOT a good thing in the hands of just about 99% of the people out there.
> There are better protocols out there to avoid plain passwords on the wire,
> and ssh is one of them.
>
> I have to use OPIE from work, however the "helpdesk" m***ns force us to have
> PCanywhere and other such crap installed in our machines. I am not about to
> let them have my passwords THAT easily if I happen to need to ssh out of
> M$Winblows to a Real Machine(tm) to get some work done :-)
>
> --
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond
> where the shadows lie." -- The Silicon Valley Tarot
> Henrique Holschuh
Re: OTP (opie) and ssh
> I can see the point,
> because a would-be intruder could look over the shoulder of an authorised
> user, or someone with more privileges than himself, and watch his password
> being entered. Then it doesn't matter whether the session is encrypted
> because the intruder knows the password.
>
> The more security the better, as far as I am concerned.

Yes. One should use OPIE when he knows the connection is being eavesdropped at his end and accepts the fact that carrying around a printed sheet of paper with a few OTP-generated passwords is safer (or you could program your PDA, HP49, whatever to generate OTP passwords for you, I suppose) than typing a constant password for the eavesdropper to grab.

Otherwise OPIE is (usually) a security risk, as those sheets of paper are NOT a good thing in the hands of just about 99% of the people out there. There are better protocols out there to avoid plain passwords on the wire, and ssh is one of them.

I have to use OPIE from work, however the "helpdesk" m***ns force us to have PCanywhere and other such crap installed in our machines. I am not about to let them have my passwords THAT easily if I happen to need to ssh out of M$Winblows to a Real Machine(tm) to get some work done :-)

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Re: OTP (opie) and ssh
I can see the point, because a would-be intruder could look over the shoulder of an authorised user, or someone with more privileges than himself, and watch his password being entered. Then it doesn't matter whether the session is encrypted because the intruder knows the password.

The more security the better, as far as I am concerned.

-thorsten sideb0ard
network/systems engineer

On Mon, 18 Sep 2000, Carlos Carvalho wrote:
> Peter Palfrader ([EMAIL PROTECTED]) wrote on 19 September 2000 00:04:
> >I just set up libpam-opie and it works quite well from the console as
> >well as with ssh. Unfortunately it does not show which OTPasswd it expects
> >with ssh login but this is another story.
>
> I don't see the point of using ssh with otp. They are different
> methods to achieve the same goal, and are redundant.
Re: OTP (opie) and ssh
Peter Palfrader ([EMAIL PROTECTED]) wrote on 19 September 2000 00:04:
>I just set up libpam-opie and it works quite well from the console as
>well as with ssh. Unfortunately it does not show which OTPasswd it expects
>with ssh login but this is another story.

I don't see the point of using ssh with otp. They are different methods to achieve the same goal, and are redundant.
playing with traffic shaper
Hi there,

I'm setting up a small LAN with some friends of mine. I would like to give them the capability of going through my gw-adsl (a Linux machine) but not to fill up all my bandwidth. So I'm trying the traffic shaper, but I have some problem understanding how it really works.

E.g.: my gw is 192.168.0.1, my friends are in the 192.168.0.0/24 net. I would like them to be able to access my gw (NFS server) with the maximum throughput of our eths, but everything that is outside me (e.g. the INTERNET, but squid on my gw too) must go at a max of 24 kbps.

Any suggestion? I'm also reading the Advanced-Routing HOWTO with tc, which seems to help me, but I would like to know how to do this with traffic shaping.

Many thanks

samuele

--
Samuele Tonon <[EMAIL PROTECTED]>
Undergraduate Student of Computer Science at University of Bologna, Italy
System administrator at Computer Science Lab's, University of Bologna, Italy
Founder & Member of A.A.H.T. UIN 3155609
Acid -- better living through chemistry. Timothy Leary
OTP (opie) and ssh
Hi,

I just set up libpam-opie and it works quite well from the console as well as with ssh. Unfortunately it does not show which OTPasswd it expects with ssh login, but this is another story.

In order to get it working I had to change /etc/pam.d/ssh from:

| auth required pam_nologin.so
| auth required pam_unix.so
| auth required pam_env.so # [1]

to

| auth required pam_nologin.so
| auth required pam_env.so # [1]
| auth sufficient pam_unix.so
| auth sufficient pam_opie.so
| auth required pam_deny.so

Note that I moved pam_env up before unix and opie so that it is always required. I also added pam_deny as shown in README.Debian as the final catch rule and set unix and opie to sufficient.

Did I just open a big root shell on port 22 saying in big flashing yellow letters 'USE ME', or is everything ok? Any suggestions what I might/should change?

TIA

yours,
peter

--
PGP encrypted messages preferred.
http://www.cosy.sbg.ac.at/~ppalfrad/
[please CC me on lists]
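Peter's question (does the new stack open the box?) can be answered by walking the PAM control flags. The simulator below is an added example, not code from the thread or from Debian's libpam-opie; the modules are stubs against constructed credentials, and it assumes pam_unix and pam_opie both test the single response the user typed (as with use_first_pass), a simplification of the real prompting.

```python
# Added example (not from the thread): simulate a PAM "auth" stack with the
# classic control flags and replay Peter's before/after /etc/pam.d/ssh on it.
# All credentials, the OTP response and the "nologin" switch are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Creds = Dict[str, object]

@dataclass
class Rule:
    control: str                      # required | requisite | sufficient | optional
    module: str
    check: Callable[[Creds], bool]

def run_auth_stack(stack: List[Rule], creds: Creds) -> bool:
    """Evaluate the stack top to bottom the way libpam resolves control flags."""
    required_failed = False
    for rule in stack:
        ok = rule.check(creds)
        if rule.control == "required" and not ok:
            required_failed = True        # keep walking, fail at the end
        elif rule.control == "requisite" and not ok:
            return False                  # fail immediately
        elif rule.control == "sufficient" and ok and not required_failed:
            return True                   # stop here; the rest is skipped
        # a failing "sufficient" and any "optional" result are ignored
    return not required_failed

# Constructed stand-ins for the modules Peter lists.
STATIC_PASSWORD = "hunter2"                    # constructed pam_unix secret
VALID_OTP = "BEAN RUBY OVAL FISH DARK TOE"     # constructed six-word response
nologin = lambda c: not c.get("nologin_present", False)
env     = lambda c: True
unix    = lambda c: c.get("response") == STATIC_PASSWORD
opie    = lambda c: c.get("response") == VALID_OTP
deny    = lambda c: False

BEFORE = [Rule("required", "pam_nologin", nologin),
          Rule("required", "pam_unix", unix),
          Rule("required", "pam_env", env)]

AFTER = [Rule("required", "pam_nologin", nologin),
         Rule("required", "pam_env", env),
         Rule("sufficient", "pam_unix", unix),
         Rule("sufficient", "pam_opie", opie),
         Rule("required", "pam_deny", deny)]

# Same stack with the static-password path removed: only an OTP gets in,
# which is what you want if the point of OPIE is to survive eavesdropping.
OTP_ONLY = [r for r in AFTER if r.module != "pam_unix"]

def login(stack: List[Rule], response: str, nologin_present: bool = False) -> bool:
    return run_auth_stack(stack, {"response": response,
                                  "nologin_present": nologin_present})

if __name__ == "__main__":
    print("AFTER, static password   :", login(AFTER, STATIC_PASSWORD))   # True
    print("AFTER, one-time password :", login(AFTER, VALID_OTP))         # True
    print("AFTER, garbage           :", login(AFTER, "nope"))            # False
    print("AFTER, /etc/nologin set  :", login(AFTER, VALID_OTP, True))   # False
    print("OTP_ONLY, static password:", login(OTP_ONLY, STATIC_PASSWORD))  # False
```

The stack is not an open door (pam_deny catches the fall-through), but because pam_unix stays sufficient, the constant password Henrique worries about still logs you in on its own; dropping that line is what makes the OTP mandatory.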
Buffer exploit on gopherd
I have just read this on xforce.iss.net (http://xforce.iss.net/static/5102.php). It seems that there is a buffer overflow condition in the halidate function that a remote attacker could exploit. I am unable (yet) to check the sources and see if Debian is vulnerable, but Debian's version is 2.3.1-2, which makes it possible.

Regards

Javier Fernández-Sanguino Peña
Debian GNU/Linux developer