Re: Use opie on Debian central servers to prevent password sniffing?
Tim Freeman <tim@fungible.com> writes:
> At
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> it says the Debian machines were compromised by password sniffing from
> other compromised machines. If you use one time passwords instead,
> then password sniffing doesn't yield useful information and the damage
> from this sort of failure would be more limited.
>
> As you probably know, the packages for that are opie-server and
> libpam-opie on the server, and opie-client on the client. You'd also
> have to edit /etc/pam.d/{login,ssh} to mention libpam-opie, at least.
> Finding and installing a skey calculator on a personal organizer is
> probably better than using opie-client on a machine that's connected
> to the internet and therefore conceivably compromised. To discourage
> people from typing into a potentially compromised machine, you certainly
> don't want to have opie-client installed on any central server.
>
> I just started using opie on fungible.com, and it seems to work well
> so far.
>
> Is there some issue with opie that would cause problems when using it
> on the Debian servers?
I haven't looked at OPIE for ages, but when using it with ssh, doesn't
it force you to turn privilege separation off in /etc/ssh/sshd_config?
Maybe the ssh people fixed this issue since.
Phil.
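An added example, not code from this thread, from OPIE or from the Debian packages: a simplified model of the S/Key-style hash chain that OPIE implements, written to show why a sniffed one-time password gives an attacker nothing to replay, which is the point of the quoted proposal. Real OPIE folds an MD5 or SHA-1 digest down to 64 bits and prints the response as six dictionary words; this model uses a full SHA-256 digest instead, and the secret, seed and sequence numbers below are constructed values for the demonstration.

```python
"""Simplified S/Key / OPIE hash chain (added example, not OPIE's own code).

Enrolment: the client computes H^N(seed || secret) and the server stores it
along with N.  Login k: the server challenges with (N-1, seed), the client
answers with H^(N-1)(seed || secret), and the server accepts iff
H(answer) == stored value, then replaces the stored value with the answer.
Each answer is therefore used exactly once, and an eavesdropper who sees
H^(N-1) cannot derive the next answer H^(N-2) without inverting H.
"""
import hashlib


def H(data: bytes) -> bytes:
    """One step of the chain. OPIE uses MD5/SHA-1 folded to 64 bits; SHA-256
    is used here (assumption for the model) so the mechanism stays visible."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """H^n(seed || secret): apply H n times to the seeded secret."""
    value = seed + secret
    for _ in range(n):
        value = H(value)
    return value


class OtpServer:
    """Server-side state for one user: current sequence number and H^seq."""

    def __init__(self, seed: bytes, seq: int, stored: bytes):
        self.seed = seed
        self.seq = seq          # the stored value is H^seq(seed || secret)
        self.stored = stored

    def challenge(self) -> tuple[int, bytes]:
        """What opie prints at login: the sequence number the client must
        answer with, and the seed.  Re-enrol before seq reaches 0."""
        return self.seq - 1, self.seed

    def remaining(self) -> int:
        return self.seq - 1

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response yields the stored value; on success
        the response itself becomes the new stored value, so it can never be
        accepted again (replay protection)."""
        if self.seq <= 1:
            return False            # chain exhausted; a re-enrolment is needed
        if H(response) != self.stored:
            return False
        self.stored = response
        self.seq -= 1
        return True


def enroll(secret: bytes, seed: bytes, n: int) -> OtpServer:
    """opiepasswd equivalent: the client computes H^n and hands it to the server.
    The secret itself never reaches the server."""
    return OtpServer(seed, n, chain(secret, seed, n))


def client_response(secret: bytes, seed: bytes, seq: int) -> bytes:
    """opiekey equivalent: answer challenge (seq, seed) from the secret."""
    return chain(secret, seed, seq)


def sniffer_replay_demo() -> tuple[bool, bool, bool]:
    """Returns (first_login_ok, replay_ok, next_login_ok).

    A sniffer on the wire captures the first response; replaying it fails,
    while the legitimate client, who knows the secret, still logs in next time.
    """
    secret, seed = b"correct horse battery", b"de4321"   # constructed values
    server = enroll(secret, seed, 5)

    seq, s = server.challenge()                 # (4, seed)
    captured = client_response(secret, seed, seq)
    first_ok = server.verify(captured)          # legitimate login

    replay_ok = server.verify(captured)         # sniffer replays it: rejected

    seq, s = server.challenge()                 # (3, seed)
    next_ok = server.verify(client_response(secret, seed, seq))
    return first_ok, replay_ok, next_ok


if __name__ == "__main__":
    print(sniffer_replay_demo())                # expect (True, False, True)
```

Note what the model does and does not protect: a sniffed response is worthless, but a client machine that is itself compromised still sees the secret when `opiekey` is run there, which is why the quoted mail suggests a calculator on a separate device and no opie-client on central servers.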