Re: OPIE and S/Key authentication
On Mon, Aug 20, 2007 at 09:57:38AM +0400, Stanislav Maslovski wrote:
> On Sun, Aug 19, 2007 at 10:51:51AM -0700, Russ Allbery wrote:
> > Stanislav Maslovski [EMAIL PROTECTED] writes:
> > > What do you say, can MD5-based OPIE system be still considered secure? In the repository there are opie-server and opie-client. Do I understand right that the strength of this system is the strength of one step of MD5? Are there any alternatives where a different hashing function can be chosen (if that is advisable)?
> >
> > The weakness in MD5 is not yet of the type that is likely to compromise OPIE systems, IMO. The attacker still has to have quite a lot of control over what's being compared. Of course, changing to a better hash algorithm is still a good idea.
>
> Another thing that bothers me is that OPIE's hash is 64 bits. If the infamous birthday attack applies here then only about 2^32 tries are needed

No, I am probably wrong. It does not apply when one sequence (the last password) from a pair of sequences is fixed, right? So, it is full 2^64 space.

-- 
Stanislav

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
OPIE and S/Key authentication
Hello,

What do you say, can MD5-based OPIE system be still considered secure? In the repository there are opie-server and opie-client. Do I understand right that the strength of this system is the strength of one step of MD5? Are there any alternatives where a different hashing function can be chosen (if that is advisable)?

-- 
Stanislav
Re: OPIE and S/Key authentication
Stanislav Maslovski [EMAIL PROTECTED] writes:
> What do you say, can MD5-based OPIE system be still considered secure? In the repository there are opie-server and opie-client. Do I understand right that the strength of this system is the strength of one step of MD5? Are there any alternatives where a different hashing function can be chosen (if that is advisable)?

The weakness in MD5 is not yet of the type that is likely to compromise OPIE systems, IMO. The attacker still has to have quite a lot of control over what's being compared. Of course, changing to a better hash algorithm is still a good idea.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
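The point Stanislav and Russ are circling, that OPIE's security is the one-wayness of a single MD5 step against a fixed 64-bit target, is easiest to see in code. The following is an added example written for this thread, not code from the OPIE package or from any poster; it implements the RFC 2289 MD5 chain (hash, fold to 64 bits, repeat) and the verifier-side record that corresponds to an /etc/opiekeys line. The pass phrase and seed in demo() are the inputs RFC 2289 uses for its MD5 test vectors, so the printed hex can be checked against that appendix.

```python
# RFC 2289 (S/Key / OPIE) one-time password chain using the MD5 step.
# Added example for this thread; it is not code from the OPIE package.
# Shows what "the strength of one step of MD5" means: the server keeps
# hash(next expected OTP), so forging a login means inverting one MD5 step
# against a fixed 64-bit target, which is a preimage problem (2^64 work),
# not a birthday problem (2^32).
import hashlib
import secrets


def otp_step(value: bytes) -> bytes:
    """One chain step: MD5, then fold the 16-byte digest to 8 bytes by XORing the halves."""
    digest = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_generate(seed: str, passphrase: str, n: int) -> bytes:
    """OTP number n: the seed (case-insensitive, so lower-cased) concatenated with
    the secret pass phrase, hashed once, then hashed n more times."""
    value = otp_step((seed.lower() + passphrase).encode("utf-8"))
    for _ in range(n):
        value = otp_step(value)
    return value


def otp_hex(otp: bytes) -> str:
    """Hexadecimal form as the OPIE tools print it (four groups of four hex digits)."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpServerRecord:
    """The per-user state a verifier stores (the role of an /etc/opiekeys line):
    seed, the sequence number it will ask for next, and the last OTP accepted.
    The pass phrase itself is never stored on the server."""

    def __init__(self, seed: str, count: int, last_otp: bytes) -> None:
        self.seed = seed
        self.sequence = count          # number the client must present next
        self.last_otp = last_otp       # equals otp_step(OTP(sequence))

    @classmethod
    def enrol(cls, seed: str, passphrase: str, count: int) -> "OtpServerRecord":
        """What enrolment does: store OTP(count) and ask for count-1 next."""
        return cls(seed, count - 1, otp_generate(seed, passphrase, count))

    def challenge(self) -> str:
        """The prompt an OTP-aware login shows, e.g. 'otp-md5 98 TeSt'."""
        return f"otp-md5 {self.sequence} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept iff one more hash step of the candidate equals the stored value,
        then move the record forward so the same OTP can never be replayed."""
        if self.sequence < 0 or len(candidate) != 8:
            return False          # chain exhausted, or malformed input
        if not secrets.compare_digest(otp_step(candidate), self.last_otp):
            return False
        self.last_otp = candidate
        self.sequence -= 1
        return True


def demo() -> dict:
    """Walk one enrolment through a correct login, a replay and a wrong OTP.
    Seed and pass phrase are the RFC 2289 MD5 test-vector inputs."""
    seed, passphrase = "TeSt", "This is a test."
    rec = OtpServerRecord.enrol(seed, passphrase, 99)
    first = otp_generate(seed, passphrase, 98)      # answers 'otp-md5 98 TeSt'
    return {
        "challenge": rec.challenge(),
        "login_ok": rec.verify(first),
        "replay_rejected": not rec.verify(first),   # record has moved on to 97
        "wrong_rejected": not rec.verify(otp_generate(seed, "guess", 97)),
        "next_challenge": rec.challenge(),
        "first_hex": otp_hex(first),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Swapping otp_step for a SHA-1 based step (RFC 2289 specifies a different folding for SHA-1) changes only that one function; the chain and the verifier are unchanged.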
Re: ssh + opie?
Which opens up a whole 'nother can of security worms... Is anyone maintaining opie or s/key? Or for that matter, can something like this even be worked around?

On Thu, 7 Aug 2003 22:55:16 -0700 Mark Ferlatte [EMAIL PROTECTED] wrote:
> Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> > I tried to set this up again recently on another machine, and found that privilege separation breaks this functionality. Does anyone know of a workaround to provide similar functionality?
>
> I think you have to turn off PrivSep to make this work.
>
> M

-- 
--Brad
Bradley M. Alexander | gTLD SysAdmin, Security Engineer | storm [at] tux.org
Key fingerprints: DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. --Rich Cook
Re: ssh + opie?
On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> I have successfully configured sshd to allow opie logons, without disabling PrivSep, by configuring pam to use the libpam-opie module for ssh. In this case the user gets the normal password prompt though, and no opie information to tell them what password they are up to.

Could you post the configuration details? I've tried to do this a couple of times, but wasn't successful unless I disabled privilege separation.
ssh + opie?
A long time ago, I had Openssh (circa 2.5-ish) set up to work with opie so that if a user attempted to log in without keys, instead of a password prompt, it would give an opie/skey login prompt. I tried to set this up again recently on another machine, and found that privilege separation breaks this functionality. Does anyone know of a workaround to provide similar functionality?

Thanks,
-- 
--Brad
Bradley M. Alexander | gTLD SysAdmin, Security Engineer | storm [at] tux.org
Key fingerprints: DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
Enforce the gun control laws in place, don't make more.
Re: ssh + opie?
Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> I tried to set this up again recently on another machine, and found that privilege separation breaks this functionality. Does anyone know of a workaround to provide similar functionality?

I think you have to turn off PrivSep to make this work.

M
Re: ssh + opie?
On Thu, Aug 07, 2003 at 10:55:16PM -0700, Mark Ferlatte wrote:
> Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> > I tried to set this up again recently on another machine, and found that privilege separation breaks this functionality. Does anyone know of a workaround to provide similar functionality?
>
> I think you have to turn off PrivSep to make this work.
>
> M

I have successfully configured sshd to allow opie logons, without disabling PrivSep, by configuring pam to use the libpam-opie module for ssh. In this case the user gets the normal password prompt though, and no opie information to tell them what password they are up to.

Geoff
Re: ssh + opie?
On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> > I have successfully configured sshd to allow opie logons, without disabling PrivSep, by configuring pam to use the libpam-opie module for ssh. In this case the user gets the normal password prompt though, and no opie information to tell them what password they are up to.
>
> Could you post the configuration details? I've tried to do this a couple of times, but wasn't successful unless I disabled privilege separation.

No worries. In /etc/pam.d/ssh I have:

#%PAM-1.0
auth       required   pam_nologin.so
auth       required   pam_env.so # [1]
auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required   pam_deny.so
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so # [1]
session    optional   pam_motd.so # [1]
session    optional   pam_mail.so standard noenv # [1]
session    required   pam_limits.so
password   required   pam_unix.so

It is very similar to the original /etc/pam.d/ssh. Note that using this configuration does not change the logon prompt at all. So the user has no clue that they can use an opie password, and no prompt for what the seed of number they are up to is. They are simply prompted for a password (assuming the ssh configuration allows that, and they haven't used a key method for authentication). If they enter their normal password it is accepted. If they enter the current opie password it is accepted.

The sshd_config follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server

The man page says that UsePrivilegeSeparation defaults to yes. So I assume that it is enabled, and that this information might be useful.

Cheers,
Geoff
Re: OPIE
* Quoting Cyrus Dantes ([EMAIL PROTECTED]):
> I've already installed opie-client and opie-server and already used opiepasswd to generate my OTP keys and such. I have verified my login is in /etc/opiekeys and other such needed items. Now I was wondering how I could make OpenSSH 3.5 accept my OTP passwords. Any ideas on how to make it do this?

IIRC you need to disable privilege separation, enable PAMAuthenticationViaKbdInt and change /etc/pam.d/ssh according to /usr/share/doc/libpam-opie/

hth,
Rolf
-- 
http://www.stop1984.com/
OPIE
I've already installed opie-client and opie-server and already used opiepasswd to generate my OTP keys and such. I have verified my login is in /etc/opiekeys and other such needed items. Now I was wondering how I could make OpenSSH 3.5 accept my OTP passwords. Any ideas on how to make it do this?
opie: configuring server to use particular hash
Hi, I'm trying to get opie-server|libpam-opie to use sha1 instead of md5, but I haven't figured out how to do this on the server end. For the client end, the -s option seems to be what to use w/ opiekey (though this doesn't appear to be in the man pages...). Has anyone figured out how to get this to work? (The man pages in the .debs seem to be a bit dated and I didn't manage to find any other relevant documentation.)
Re: deploying pam-opie?
On Sun, May 19, 2002 at 11:46:10PM -0400, Bradley Alexander wrote:
> Hey all, I'm trying to get pam-opie working with openssh, but I guess I'm not getting the hang of it. I think I have all of the packages installed:
>
> [storm@defiant storm]$ dpkg -l | grep opie
> ii  libpam-opie  0.21-7    Use OTP's for PAM authentication
> ii  opie-client  2.32-8.1  OPIE programs for generating OTPs on client
> ii  opie-server  2.32-8.1  OPIE programs for maintaining an OTP key fil
>
> I added

(I assume you mean to /etc/pam.d/ssh)

> password required pam_opie.so
> password required pam_unix.so
>
> but when I log in as a user without a key, I get the standard Password: prompt rather than an opie prompt.

The 'password' lines in PAM configuration files are for password changing service. If you want to use pam_opie to authenticate, you want something like this:

auth sufficient pam_opie.so
auth required pam_unix.so

pam_opie is marked sufficient, so that if it succeeds, the system doesn't also try to use unix authentication. Also, make sure that PAMAuthenticationViaKbdInt is enabled in your sshd config file.

-- 
William Aoki [EMAIL PROTECTED]                    /\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B - key change             \ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734 prev. expired             X
                                                  / \
deploying pam-opie?
Hey all, I'm trying to get pam-opie working with openssh, but I guess I'm not getting the hang of it. I think I have all of the packages installed:

[storm@defiant storm]$ dpkg -l | grep opie
ii  libpam-opie  0.21-7    Use OTP's for PAM authentication
ii  opie-client  2.32-8.1  OPIE programs for generating OTPs on client
ii  opie-server  2.32-8.1  OPIE programs for maintaining an OTP key fil

I added

password required pam_opie.so
password required pam_unix.so

but when I log in as a user without a key, I get the standard Password: prompt rather than an opie prompt. What have I failed to set up?

Regards,
-- 
--Brad
Bradley M. Alexander                | storm [at] debian.org
Debian Developer, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     | server2048.virtualave.net/onyx23
Key fingerprints: DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
Me a sceptic? I hope you have proof.
Re: OTP (opie) and ssh
* Carlos Carvalho
| I don't see the point of using ssh with otp. They are different
| methods to achieve the same goal, and are redundant.

No they are not. Unless you are using RSA/DSA authentication, your password goes over the wire. Encrypted, yes, but the server knows your password. And, if you for some reason are on a public terminal, do _you_ trust the client? I wouldn't.

-- 
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
Re: OTP (opie) and ssh
Hi Carlos, Hi List!

On Tue, 19 Sep 2000, Carlos Carvalho wrote:
> Lots of people are replying about the advantages/disadvantages of using ssh **OR** otp. I fully agree; in fact I installed both here. What I said is that it's nonsense to use ssh **AND** otp at the same time, for the same login. If I understood correctly, Peter's setup of ssh-pam would use otp for the ssh login. Did I miss something?

This is the plan. To allow otp as a means of auth, besides rsa and the unix passwd.

Why would this not make sense? If I want a remote shell on my computer but cannot trust the local computer, I'll want to use One Time Passwords so my authentication tokens don't get in the hands of the wrong people. So the auth token does not need protection and everything I type and read can be logged at the local box. This however is no reason to give this info as a present to every sniffer who happens to be on a router/network in my route. Additionally ssh protects the session from being hijacked (I assume, after all the session key should be secret), which is quite easy to do with a telnet session (yes, it can be hijacked at the local end-point). Furthermore ssh is more than just a remote shell. Port forwarding, scp, remote pipes (or whatever they're called: tar cf - foo | ssh bar tar xf - ) are nice features too.

<asbestos suit> Away put your flamethrowers! I mean you no harm![1]

> I also don't like the hack of making ssh refuse logins for valid RSA keys (I only use them, no plain passwords) by just putting an invalid password in /etc/passwd. I'm not sure this was done to ssh-nonfree, but I think it was for openssh.

Yes, this is an _EVIL_ hack, that once cost me hours of searching.

Anyway, my original question was, whether my pam config was ok and since no one had something to say about it, I hope it's ok :)

References:
1. From: Daniel Burrows [EMAIL PROTECTED] Message-ID: 2904183210.A14044@torrent on -devel

Peter
-- 
If a system can be exploited, it will be.
Any system can be exploited.
Re: OTP (opie) and ssh
Lots of people are replying about the advantages/disadvantages of using ssh **OR** otp. I fully agree; in fact I installed both here. What I said is that it's nonsense to use ssh **AND** otp at the same time, for the same login. If I understood correctly, Peter's setup of ssh-pam would use otp for the ssh login. Did I miss something?

<asbestos suit>
Furthermore I usually recompile ssh without pam, because ssh is not just a login protocol. Perhaps this could help Peter.

I also don't like the hack of making ssh refuse logins for valid RSA keys (I only use them, no plain passwords) by just putting an invalid password in /etc/passwd. I'm not sure this was done to ssh-nonfree, but I think it was for openssh.
</asbestos suit>

On the subject of authentication, I'd much like to have an authentication daemon (not running as root, preferably) that receives a login/password and says yes or no. I could use it for granting access to certain directories and other things. Can ldap do this? I thought about the ldap-pam module, but haven't explored it.
OTP (opie) and ssh
Hi,

I just set up libpam-opie and it works quite well from the console as well as with ssh. Unfortunately it does not show which OTPasswd it expects with ssh login but this is another story.

In order to get it working I had to change /etc/pam.d/ssh from:

| auth required pam_nologin.so
| auth required pam_unix.so
| auth required pam_env.so # [1]

to

| auth required pam_nologin.so
| auth required pam_env.so # [1]
| auth sufficient pam_unix.so
| auth sufficient pam_opie.so
| auth required pam_deny.so

Note that I moved pam_env up before unix and opie so that it always is required. I also added pam_deny as shown in README.Debian as the final catch rule and set unix and opie to sufficient.

Did I just open a big root shell on port 22 saying in big flashing yellow letters 'USE ME', or is everything ok? Any suggestions what I might/should change?

TIA
yours,
peter
-- 
PGP encrypted messages preferred. http://www.cosy.sbg.ac.at/~ppalfrad/ [please CC me on lists]
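Peter's before/after stacks, Geoff's working /etc/pam.d/ssh, and William Aoki's point that 'password' lines belong to the password-changing service all come down to how Linux-PAM walks a stack of control flags. The following is an added example, not code from any of the posts or from libpam-opie: a small simulator of the required/requisite/sufficient/optional semantics run over the stacks quoted in the thread. Module outcomes are simulated inputs (what pam_unix or pam_opie would return for a given typed credential); the "as shipped" auth stack attributed to Brad is assumed to be the one Peter quotes as his starting point.

```python
# Linux-PAM control-flag evaluation applied to the /etc/pam.d/ssh stacks quoted
# in this thread.  Added example, not part of the original posts or of
# libpam-opie; module results are simulated, no real PAM module is called.
from dataclasses import dataclass


@dataclass
class PamEntry:
    group: str      # auth | account | session | password
    control: str    # required | requisite | sufficient | optional
    module: str


def parse_pam(text: str) -> list:
    """Parse the simple 'type control module [args]' lines used in the thread."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2]))
    return entries


def run_group(entries: list, group: str, results: dict) -> tuple:
    """Evaluate one management group with Linux-PAM's simple control semantics.

    results maps a module name to True/False for the credential the user typed;
    a module absent from the map fails (pam_deny.so always does).  Returns
    (overall success, modules that were actually consulted)."""
    stack = [e for e in entries if e.group == group]
    required_failed = False
    consulted = []
    for e in stack:
        ok = results.get(e.module, False)
        consulted.append(e.module)
        if e.control == "required":
            required_failed = required_failed or not ok   # keep going, fail at the end
        elif e.control == "requisite":
            if not ok:
                return False, consulted                   # fail immediately
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, consulted                    # stop: success
        elif e.control == "optional":
            pass                                          # result ignored here
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    return (bool(stack) and not required_failed), consulted


# Brad's attempt: pam_opie only in the 'password' group; the auth group is
# assumed to be the stock stack Peter quotes as his "from" configuration.
BRAD_SSH = """
auth     required pam_nologin.so
auth     required pam_unix.so
auth     required pam_env.so
password required pam_opie.so
password required pam_unix.so
"""

# Peter's / Geoff's working stack: both methods sufficient, pam_deny as the catch-all.
PETER_SSH = """
auth required   pam_nologin.so
auth required   pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required   pam_deny.so
"""

# Three things a user might type at the Password: prompt (constructed outcomes).
TYPED_UNIX_PASSWORD = {"pam_nologin.so": True, "pam_env.so": True, "pam_unix.so": True, "pam_opie.so": False}
TYPED_CURRENT_OTP = {"pam_nologin.so": True, "pam_env.so": True, "pam_unix.so": False, "pam_opie.so": True}
TYPED_GARBAGE = {"pam_nologin.so": True, "pam_env.so": True, "pam_unix.so": False, "pam_opie.so": False}


def auth_outcomes(config: str) -> dict:
    """Run the auth group for each kind of input; returns {label: (ok, consulted)}."""
    entries = parse_pam(config)
    return {
        "unix": run_group(entries, "auth", TYPED_UNIX_PASSWORD),
        "otp": run_group(entries, "auth", TYPED_CURRENT_OTP),
        "garbage": run_group(entries, "auth", TYPED_GARBAGE),
    }


if __name__ == "__main__":
    for name, cfg in (("Brad", BRAD_SSH), ("Peter", PETER_SSH)):
        for label, (ok, consulted) in auth_outcomes(cfg).items():
            print(f"{name:5} {label:8} -> {'accept' if ok else 'reject'} via {consulted}")
```

With Brad's file pam_opie.so is never consulted for a login, which is exactly why he saw only the normal Password: prompt; with Peter's, a wrong credential is rejected by pam_deny.so rather than by an empty stack.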
Re: OTP (opie) and ssh
I can see the point, because a would be intruder could look over the shoulder of an authorised user, or someone with more privileges than himself, and watch his password being entered. Then it doesn't matter whether the session is encrypted because the intruder knows the password. The more security the better, as far as I am concerned.

-thorsten
sideb0ard network/systems engineer

On Mon, 18 Sep 2000, Carlos Carvalho wrote:
> Peter Palfrader ([EMAIL PROTECTED]) wrote on 19 September 2000 00:04:
> > I just set up libpam-opie and it works quite well from the console as well as with ssh. Unfortunately it does not show which OTPasswd it expects with ssh login but this is another story.
>
> I don't see the point of using ssh with otp. They are different methods to achieve the same goal, and are redundant.
Re: OTP (opie) and ssh
> I can see the point, because a would be intruder could look over the shoulder of an authorised user, or someone with more privileges than himself, and watch his password being entered. Then it doesn't matter whether the session is encrypted because the intruder knows the password. The more security the better, as far as I am concerned.

Yes. One should use OPIE when he knows the connection is being eavesdropped at his end and accepts the fact that carrying around a printed sheet of paper with a few OTP-generated passwords is safer (or you could program your PDA, HP49, whatever to generate OTP passwords for you, I suppose) than typing a constant password for the eavesdropper to grab.

Otherwise OPIE is (usually) a security risk, as those sheets of paper are NOT a good thing in the hands of just about 99% of the people out there. There are better protocols out there to avoid plain passwords on the wire, and ssh is one of them.

I have to use OPIE from work, however the "helpdesk" m***ns force us to have PCanywhere and other such crap installed in our machines. I am not about to let them have my passwords THAT easily if I happen to need to ssh out of M$Winblows to a Real Machine(tm) to get some work done :-)

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Re: OTP (opie) and ssh
Peter Palfrader ([EMAIL PROTECTED]) wrote on 19 September 2000 00:04:
> I just set up libpam-opie and it works quite well from the console as well as with ssh. Unfortunately it does not show which OTPasswd it expects with ssh login but this is another story.

I don't see the point of using ssh with otp. They are different methods to achieve the same goal, and are redundant.
Re: OTP (opie) and ssh
By a one time password system I am not referring to carrying round a sheet of paper, but rather something like the SecureID system, or some kind of automated otp generator, and I believe there is a good one for the Palm platform also.

thor

On Mon, 18 Sep 2000, Henrique M Holschuh wrote:
> > I can see the point, because a would be intruder could look over the shoulder of an authorised user, or someone with more privileges than himself, and watch his password being entered. Then it doesn't matter whether the session is encrypted because the intruder knows the password. The more security the better, as far as I am concerned.
>
> Yes. One should use OPIE when he knows the connection is being eavesdropped at his end and accepts the fact that carrying around a printed sheet of paper with a few OTP-generated passwords is safer (or you could program your PDA, HP49, whatever to generate OTP passwords for you, I suppose) than typing a constant password for the eavesdropper to grab.
>
> Otherwise OPIE is (usually) a security risk, as those sheets of paper are NOT a good thing in the hands of just about 99% of the people out there. There are better protocols out there to avoid plain passwords on the wire, and ssh is one of them.
>
> I have to use OPIE from work, however the helpdesk m***ns force us to have PCanywhere and other such crap installed in our machines. I am not about to let them have my passwords THAT easily if I happen to need to ssh out of M$Winblows to a Real Machine(tm) to get some work done :-)
>
> -- 
> One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
> Henrique Holschuh
Re: OTP (opie) and ssh
On Mon, 18 Sep 2000, Thorsten Sideb0ard wrote:
> By a one time password system I am not referring to carrying round a sheet of paper, but rather something like the SecureID system, or some kind of automated otp generator, and I believe there is a good one for the Palm platform also.

Yeah, those do solve the worst problem with OPIE. There's nothing wrong with OTPs when properly designed (i.e.: no sheets of paper ;-) ), but since the original poster was talking about OPIE...

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: OTP (opie) and ssh
On Mon, Sep 18, 2000 at 09:18:05PM -0300, Henrique M Holschuh wrote:
> Yeah, those do solve the worst problem with OPIE. There's nothing wrong with OTPs when properly designed (i.e.: no sheets of paper ;-) ), but since the original poster was talking about OPIE...

Using OPIE doesn't mean you have to carry around sheets of paper. OPIE is perfectly capable of authenticating against OTPs generated by any S/Key-compatible generator. So.. re-focusing on trying to solve his problem would be a big help to him as well as everyone else. ;)

Anyway regarding OPIE usage with OpenSSH, it supports S/Key auth natively but AFAICT the reason OPIE doesn't work correctly has something to do with ssh and/or PAM not being able to print the challenge correctly. I really don't know the whole story, but I was trying to figure a way to get OPIE working with OpenSSH myself and saw something to this effect on the portable OpenSSH development list archive.

Seems to me the correct way to support OPIE MAY be to petition the developers to include it. In fact, there is a patch already floating around that does this (seen on the aforementioned list archive), though it was for an older version of OpenSSH so I haven't tried it. Note that I am using a self-compiled installation; that patch may be appropriate for the Debian-provided version... check to see.