I also prefer current OPIE to copying SSH private keys to untrusted machines.

The machine you are logging IN TO does not require your private key, just your public key.

Right, but that's not the problem they're trying to solve. They're trying to solve the problem of logging in _from_ an untrusted machine, to a trusted machine.

So, an alternative might be to carry around a USB key with a one-time private key, different from your normal private keys, and have the public key command-squashed on the server to remove itself from authorized_keys before running the shell.

You could generate several, each with a different passphrase (assuming that you could manage to remember that many passphrases and which keys they go with), and get a similar effect to printing out a card with the next ten OPIE passwords.


  -Jason
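The self-removing one-time key from the message above, worked through as an added example (not code from the thread or from FreeBSD): a POSIX sh forced-command wrapper. It assumes the wrapper is installed as /usr/local/bin/otk-login and that each one-time key's comment field doubles as its identifier (both assumed conventions, not from the post).

```shell
#!/bin/sh
# Forced-command wrapper for a one-time SSH key (added example, not from the thread).
# Assumed install path and naming: /usr/local/bin/otk-login, with the key's
# comment field doubling as its identifier. Matching authorized_keys line:
#   command="/usr/local/bin/otk-login --login otk-3",no-port-forwarding ssh-ed25519 AAAA... otk-3

# Return 0 only if a key whose comment (last field) is KEY_ID is still listed.
key_present() {  # usage: key_present AUTHORIZED_KEYS KEY_ID
    awk -v id="$2" '$NF == id { found = 1 } END { exit !found }' "$1"
}

# Drop every line whose comment is KEY_ID. The file is rewritten via a temp
# file and mv, so a crash mid-write cannot leave a truncated authorized_keys.
remove_one_time_key() {  # usage: remove_one_time_key AUTHORIZED_KEYS KEY_ID
    ak="$1" id="$2" tmp="$1.tmp.$$"
    awk -v id="$id" '$NF != id' "$ak" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$ak"
}

# Entry point run by sshd. The key is removed BEFORE any shell starts, and a
# mkdir lock (atomic on POSIX filesystems) closes the race where two sessions
# authenticate with the same key before either has removed it: the second
# session finds the key gone and is refused.
one_time_login() {
    id="$1" ak="$HOME/.ssh/authorized_keys" lock="$HOME/.ssh/authorized_keys.lock"
    n=0
    until mkdir "$lock" 2>/dev/null; do
        n=$((n + 1)); [ "$n" -lt 10 ] || { echo "lock held, refusing" >&2; exit 1; }
        sleep 1
    done
    if ! key_present "$ak" "$id" || ! remove_one_time_key "$ak" "$id"; then
        rmdir "$lock"
        echo "one-time key $id already used or not listed" >&2
        exit 1
    fi
    rmdir "$lock"
    # Now behave like a normal login: run the client's command or a login shell.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${SHELL:-/bin/sh}" -l
}

if [ "${1:-}" = "--login" ] && [ -n "${2:-}" ]; then
    one_time_login "$2"
fi
```

Because the removal happens under the lock before the shell is exec'd, a second session presenting the same key is refused even if it authenticated before the first session's wrapper ran.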

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"