Fri, 2011-03-11 at 21:15 +, Miguel Lopes Santos Ramos wrote:
> Here's a scratch.
>
> I added an option, called "require_trusted", which enforces the trusted
> network check even for users which do not have OPIE enabled.
> If this option is not used, behaviour is unchanged.
>
> The name "re
Quoting Dag-Erling Smørgrav (from Wed, 16 Mar 2011
07:52:11 +0100):
Miguel Lopes Santos Ramos writes:
They also make the questionable argument of a paper being more
portable than a calculator, which I also understand but don't agree,
because a calculator can be "transported" over the Inter
RW writes:
> Dag-Erling Smørgrav writes:
> > RW writes:
> > > IIRC there is/was a weakness in FreeBSD's OPIE implementation in
> > > that it's susceptible to rainbow table attacks - I think part of
> > > the hash is discarded.
> > Can you provide more details?
> http://lists.freebsd.org/pipermai
Miguel Lopes Santos Ramos writes:
> They also make the questionable argument of a paper being more
> portable than a calculator, which I also understand but don't agree,
> because a calculator can be "transported" over the Internet easily.
Perhaps, perhaps not. It depends on how much you trust t
On Tue, Mar 15, 2011 at 09:02:56PM +, Miguel Lopes Santos Ramos wrote:
>
> Sun, 2011-03-13 at 22:05 +, RW wrote:
> > On Sun, 13 Mar 2011 21:06:17 +
> > Miguel Lopes Santos Ramos wrote:
> > > Ok, admittedly, it took me a while to see in what way that could be a
> > > weakness. It's
Sun, 2011-03-13 at 22:05 +, RW wrote:
> On Sun, 13 Mar 2011 21:06:17 +
> Miguel Lopes Santos Ramos wrote:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compr
On Tue, 15 Mar 2011 11:35:06 +0100
Dag-Erling Smørgrav wrote:
> RW writes:
> > IIRC there is/was a weakness in FreeBSD's OPIE implementation in
> > that it's susceptible to rainbow table attacks - I think part of
> > the hash is discarded.
>
> Can you provide more details?
http://lists.freebsd
Miguel Lopes Santos Ramos writes:
> Ok, admittedly, it took me a while to see in what way that could be a
> weakness. It's a bit like hoping for a little remaining security after
> the password list was compromised.
OPIE is not designed to protect against a stolen password list; it is
designed to
RW writes:
> IIRC there is/was a weakness in FreeBSD's OPIE implementation in that
> it's susceptible to rainbow table attacks - I think part of the hash
> is discarded.
Can you provide more details?
AFAIK, OPIE was written to be 100% compatible with S/Key, so any
weakness in OPIE is a design fl
On Sun, 13 Mar 2011 21:06:17 +
Miguel Lopes Santos Ramos wrote:
>
> Mon, 2011-03-14 at 07:40 +1100, Peter Jeremy wrote:
> > On 2011-Mar-10 23:09:07 +, Miguel Lopes Santos Ramos
> > wrote:
> > >- The objection on S/KEY on that wiki page, that it's possible to
> > >compute all previous
On 2011-Mar-10 23:09:07 +, Miguel Lopes Santos Ramos
wrote:
>- The objection on S/KEY on that wiki page, that it's possible to
>compute all previous passwords, is a bit odd, since past passwords won't
>be used anymore.
One weakness of S/KEY and OPIE is that if an attacker finds the
password
Mon, 2011-03-14 at 07:40 +1100, Peter Jeremy wrote:
> On 2011-Mar-10 23:09:07 +, Miguel Lopes Santos Ramos
> wrote:
> >- The objection on S/KEY on that wiki page, that it's possible to
> >compute all previous passwords, is a bit odd, since past passwords won't
> >be used anymore.
>
> One
Sat, 2011-03-12 at 12:12 +, Lionel Flandrin wrote:
(...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
(...)
> By the way, I'm working
On Thu, Mar 10, 2011 at 11:09:07PM +, Miguel Lopes Santos Ramos wrote:
>
> Thu, 2011-03-10 at 20:26 +, Lionel Flandrin wrote:
> > On Thu, Mar 10, 2011 at 07:12:41PM +, Miguel Lopes Santos Ramos wrote:
> > >
> > > Thanks. I'll probably be looking into that sooner or later.
> > >
>
Here's a scratch.
I added an option, called "require_trusted", which enforces the trusted
network check even for users which do not have OPIE enabled.
If this option is not used, behaviour is unchanged.
The name "require_trusted" is catchy and compelling to use. However, if
it was used in default
On Fri, Mar 11, 2011 at 10:47:26AM +0100, Dag-Erling Smørgrav wrote:
> Lionel Flandrin writes:
> > I'd try to install and configure OTPW on my server to replace OPIE,
> > but it's not in the ports and I don't know PAM well enough to try and
> > mess with it, I would probably end up opening more se
Fri, 2011-03-11 at 10:46 +0100, Dag-Erling Smørgrav wrote:
> Miguel Lopes Santos Ramos writes:
> > 1. The user does not have OPIE enabled and the remote host is listed as
> > a trusted host in /etc/opieaccess.
> > 2. The user has OPIE enabled and the remote host is listed as a trusted
> > host
Lionel Flandrin writes:
> I'd try to install and configure OTPW on my server to replace OPIE,
> but it's not in the ports and I don't know PAM well enough to try and
> mess with it, I would probably end up opening more security holes than
> I'm fixing.
If it's as good as the ad copy says it is, a
Miguel Lopes Santos Ramos writes:
> 1. The user does not have OPIE enabled and the remote host is listed as
> a trusted host in /etc/opieaccess.
> 2. The user has OPIE enabled and the remote host is listed as a trusted
> host in /etc/opieaccess, and the user does not have a file
> named .opiealway
Thu, 2011-03-10 at 20:26 +, Lionel Flandrin wrote:
> On Thu, Mar 10, 2011 at 07:12:41PM +, Miguel Lopes Santos Ramos wrote:
> >
> > Thanks. I'll probably be looking into that sooner or later.
> >
> > However, OPIE, nobody cares about OPIE?
>
> Hi,
>
> I do care about OPIE,
Thanks!
On Thu, 10 Mar 2011 10:00, mbox@ wrote:
/etc/profile
grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c
Yes, or /usr/bin/opiepasswd -d. In general, this is a problem of keeping
-d would not be correct for the above example as opiepasswd would run if
the user was not found. If the use
On Thu, Mar 10, 2011 at 07:12:41PM +, Miguel Lopes Santos Ramos wrote:
>
> Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > > Yes, that's right. That would solve a whole lot of other problems too.
> > > It's true that I'm using SSH in many cases just as an easy to administer
> > > VP
Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > Yes, that's right. That would solve a whole lot of other problems too.
> > It's true that I'm using SSH in many cases just as an easy to administer
> > VPN. I've been postponing that for years. But I would need something
> > that worked wi
>>
>
> Yes, that's right. That would solve a whole lot of other problems too.
> It's true that I'm using SSH in many cases just as an easy to administer
> VPN. I've been postponing that for years. But I would need something
> that worked with FreeBSD and Gentoo (don't want to learn two tools) and
Thu, 2011-03-10 at 02:23 -0500, J. Hellenthal wrote:
> On Wed, 9 Mar 2011 09:51, mbox@ wrote:
> >
> > I think the way pam_opieaccess behaves is like "leave a security breach
> > by default". I think it would be more useful if it returned PAM_SUCCESS
> > when:
> >
> > 1. The user does not have
On Wed, 9 Mar 2011 09:51, mbox@ wrote:
I think the way pam_opieaccess behaves is like "leave a security breach
by default". I think it would be more useful if it returned PAM_SUCCESS
when:
1. The user does not have OPIE enabled and the remote host is listed as
a trusted host in /etc/opieacces
Hi,
This is about pam_opieaccess. Because there's no project page for OPIE
outside FreeBSD and because I found other complaints on pam_opieaccess
on this list
(http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0118.html),
I'm posting this here, I hope it's OK.
For a few years now
27 matches