In message <147404.54014...@web52106.mail.re2.yahoo.com>, gahn writes:
>
> Thanks Mark:
>
> My machine would load the modules when the system boots up. Here is my rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/ipfw.conf"
> firewall_logging="YES"
>
> does that matter?
It
Thanks Mark:
My machine would load the modules when the system boots up. Here is my rc.conf:
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_logging="YES"
does that matter?
--- On Mon, 2/9/09, Mark Andrews wrote:
> From: Mark Andrews
> Subject: Re: ipv6 and ipfw
> To: ipfr
In message <416026.72989...@web52103.mail.re2.yahoo.com>, gahn writes:
> Thanks Mark:
>
> Sorry I am using FreeBSD 7.1.
>
> Best
FreeBSD 6's ipfw has IPv6 support so I presume 7's does as well.
Note I build my kernel with the following options as I want
forwarding.
My use case is primarily to log in from highly untrusted and
malware infested systems. OPIE has been a usable solution to
that problem. I'm primarily worried about keyloggers and USB
memory stick content dumpers. OPIE fits that bill quite well.
It does, but *only* if you are running your own
Thanks Mark:
Sorry I am using FreeBSD 7.1.
Best
--- On Mon, 2/9/09, Mark Andrews wrote:
> From: Mark Andrews
> Subject: Re: ipv6 and ipfw
> To: ipfr...@yahoo.com
> Cc: "freebsd security"
> Date: Monday, February 9, 2009, 3:14 PM
> In message
> <856498.31257...@web52106.mail.re2.yahoo.com>,
That's what I do -- multiple throw-away keys on a USB stick, for
emergencies. However if you're that paranoid you better be carrying
around your own set of ssh binaries on that stick as well.
Your own SSH binaries don't help; you can sniff the TTYs (or whatever the
Windows equivalent is for
In message <856498.31257...@web52106.mail.re2.yahoo.com>, gahn writes:
> Hi all:
>
> I have a station that has multiple interfaces. Some of the interfaces run both
> ipv4 and ipv6. Checked with man pages of rc.conf and it seems to be telling me
> that ipfw for ipv4 and ipv6 are two different proces
Hi all:
I have a station that has multiple interfaces. Some of the interfaces run both ipv4
and ipv6. Checked with man pages of rc.conf and it seems to be telling me that
ipfw for ipv4 and ipv6 are two different processes and need two different
scripts.
Is it correct? Or anyone here can direct me
Lyndon Nerenberg 2009-02-09:
> >Right, but that's not the problem they're trying to solve.
> >They're trying to solve the problem of logging in _from_ an
> >untrusted machine, to a trusted machine.
>
> Okay, I got it backwards.
>
> >So, an alternative might be to carry around a USB key with a
>
I also prefer current OPIE to copying SSH private keys to untrusted
machines.
The machine you are logging IN TO does not require your private key,
just your public key.
Right, but that's not the problem they're trying to solve. They're trying
to solve the problem of logging in _from_ an u
Right, but that's not the problem they're trying to solve. They're trying to
solve the problem of logging in _from_ an untrusted machine, to a trusted
machine.
Okay, I got it backwards.
So, an alternative might be to carry around a USB key with a one-time private
key, different from your nor
While I agree that OPIE can be improved, I think that the current
OPIE implementation is still much better than having to use
passwords from untrusted machines. I also prefer current OPIE to
copying SSH private keys to untrusted machines. So until there
is a more secure alternative, I really don
Benjamin Lutz 2009-02-09:
[...]
> Then I noticed that the one time passwords don't increase in
> length with SHA-1. That's weird, since MD5 produces 128bit
> digests, while SHA-1 produces 160bit digests. So I had a closer
> look at how the one time passwords are used within OPIE.
>
> I was a bit
Benjamin Lutz writes:
> I was a bit shocked to find out that OPIE truncates all digests to 64 bits,
> no matter which algorithm you use. Some quick research into the current
> speed of MD5 brute-forcing produced this result:
> [...]
> So, is there an existing alternative one time password implem
On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:
I'm trying to upgrade the configuration of some web services,
already using the MAC subsystem, to use ZFS instead of UFS, but I
see that ZFS doesn't support MAC labels, even for a whole
filesystem, which would be fine for me, I don't need m
Hello,
I run a firewall where I use OPIE one time passwords for external logins,
figuring that this gives me some added protections if I ever need to access
it from untrustworthy hosts. A message about the weakness of MD5 got me
thinking that maybe a better algorithm could be used for OPIE, and
16 matches