Re: Putting OPIE to rest (was: Re: cant login after make installworld: pam_opie.so.6 not found)

2023-01-05 Thread grarpamp 
On 1/5/23, Graham Perrin  wrote:
> I recall the original email

Orthagonal as it, and some notes since neither consider any
potential gap issue or/of any perhaps whimful removal process,
nor moves forward on any of potential better alternatives to that
which were hint (port) a bit in posts even before the removal was taken.
Opie is not some hi-maint lo-api-compat legacy driver holding back
kernel dev, it's a tiny stable user app plugin that just works for decades.
Now users are posting locked out, punted to deploy non-replacements,
and can't even compile it back because code gone from trees in use.
There was hardly reason to remove it (lots of other things could be
considered "outlived usefulness" but don't get removed), and even
if so (as perhaps part of say some larger discuss on pam), there
was zero reason for the removal team not to portify it given
FreeBSD has already set good example of moving even
large/complex user apps from base to ports.
That should have, and still should be done, with opie.

Consider on that process for future,
rather than whatever is thought of some app.

Cheers.

Cc: ports, as the lo-maint hi-api-compat opie could also be
used to +1 their competitive 35k count :)

See also compat{M}x-{arch} packages.

> https://lists.freebsd.org/archives/freebsd-current/2022-September/002565.html
> https://lists.freebsd.org/archives/freebsd-hackers/2022-September/001479.html
> https://lists.freebsd.org/archives/freebsd-security/2022-September/81.html

Re: Putting OPIE to rest

2022-10-16 Thread grarpamp 
On 9/15/22, Dag-Erling Smørgrav  wrote:
> Neither HOTP nor TOTP require dedicated devices.
> HOTP codes are sequential and can be pre-generated...

Those aren't really their intended or advertised usage models,
nor do common implementations support those modes.
Is FreeBSD contributing and supplying ones that do?
OPIE's model already intends for and supports no-device and printout.

To emphasize and extend...
https://lists.freebsd.org/archives/freebsd-current/2022-September/002573.html

It should also be noted that the affected scope here is not just 'FreeBSD users
logging into FreeBSD shell', there are also applications out there that compile
against and use FreeBSD's libopie, some of which are in ports some are not.

OPIE does not exist as a port+package, thus re POLA for users,
it should not be removed until such time as one is provided.

Where is discussion on these.

And why isn't every other 'old, outlived, non-hipster' pam
authentication plugin being
arbitrarily removed and non-portified, such as say tacacs, radius,
krb, rhosts, etc.
And if those pam are there, why then are hip OAUTH HOTP TOTP etc type things
not added, lib-ified, etc.

Re: Putting OPIE to rest

2022-09-15 Thread Dag-Erling Smørgrav 
grarpamp  writes:
> OPIE is the only PAM that allows printing out the future
> secure tokens. Old school, secure, it just works.
>
> HOTP requires hardware, TOTP requires time,
> neither are printable, both of those require some other
> [hackable] hw/sw device that costs $$$ money, and
> those devices all have different threat/failure/admin models
> than simple paper.

Neither HOTP nor TOTP require dedicated devices.  HOTP codes are
sequential and can be pre-generated and printed if that's what you
prefer.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: Putting OPIE to rest

2022-09-15 Thread grarpamp 
On 9/15/22, Dag-Erling Smørgrav  wrote:
> I will be removing OPIE from the main branch within the next few days.
> It has long outlived its usefulness.  Anyone still using it should look
> into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> https://reviews.freebsd.org/D36592

At least so long as PAM remains available, OPIE should be
maintained as a PAM option, and be updated.

OPIE is the only PAM that allows printing out the future
secure tokens. Old school, secure, it just works.

HOTP requires hardware, TOTP requires time,
neither are printable, both of those require some other
[hackable] hw/sw device that costs $$$ money, and
those devices all have different threat/failure/admin models
than simple paper.

If people don't like...
- The hash algo, a volunteer committer can update it to sha256.
- The list of words, a volunteer committer can update it to
read from a list of admin supplied words in:
/etc/opie_words.txt
- The number of words, a volunteer committer can add an
option to the config for that.
- The writeable state breaking in a read-only root, a volunteer
committer can add a config option to point that elsewhere.
- The randomness, a volunteer committer can update it
to modern randomness.

And if people still don't like it, then commit those simple updates,
and push it out to ports, instead of killing users use of it.

Re: Putting OPIE to rest

2022-09-15 Thread J. Hellenthal 
Condolences to OPIE & his family of devs ! 🥀🥀🥀

;)


> On Sep 15, 2022, at 08:45, Dag-Erling Smørgrav  wrote:
> 
> I will be removing OPIE from the main branch within the next few days.
> It has long outlived its usefulness.  Anyone still using it should look
> into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
> 
> https://reviews.freebsd.org/D36592
> 
> DES
> -- 
> Dag-Erling Smørgrav - d...@des.no
> 


-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.