Untrusted terminals: OPIE vs security/pam_google_authenticator
Robert Simmons
rsimmons0 at gmail.com
Tue Jun 18 13:10:50 UTC 2019
I am thinking about it from the perspective of having one single 2fa across
as many systems as possible.
On Tue, Jun 18, 2019, 09:09 Robert Simmons <rsimmons0 at gmail.com> wrote:
> You are correct for SSH.
>
> On Tue, Jun 18, 2019, 09:07 Dan Langille <dan at langille.org> wrote:
>
>> On Jun 18, 2019, at 9:02 AM, Robert Simmons <rsimmons0 at gmail.com> wrote:
>>
>> On Tue, Jun 18, 2019, 04:01 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
>>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
>>
>>
>> Victor,
>>
>> To throw a new wrinkle in the equation: Google Authenticator codes can be
>> intercepted by a phishing page. U2F protocol is even better, and can't be
>> intercepted via phishing.
>>
>> There are U2F libraries in ports.
>>
>> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>>
>> Cheers,
>> Rob
>>
>>
>>
>> If my Google Authenticator codes are on my phone, and I'm entering them
>> into my ssh session, how is a phishing page involved?
>>
>> —
>> Dan Langille
>> http://langille.org/
>>
>>
>>
>>
>>
>>
More information about the freebsd-security
mailing list