
Re: Use opie on Debian central servers to prevent password sniffing?



Tim Freeman <tim@fungible.com> writes:

> At
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> it says the Debian machines were compromised by password sniffing from
> other compromised machines.  If you use one time passwords instead,
> then password sniffing doesn't yield useful information and the damage
> from this sort of failure would be more limited.
> 
> As you probably know, the packages for that are opie-server and
> libpam-opie on the server, and opie-client on the client.  You'd also
> have to edit /etc/pam.d/{login,ssh} to mention libpam-opie, at least.
> Finding and installing a skey calculator on a personal organizer is
> probably better than using opie-client on a machine that's connected
> to the internet and therefore conceivably compromised.  To discourage
> people from typing into a potentially compromised machine, you certainly
> don't want to have opie-client installed on any central server.
> 
> I just started using opie on fungible.com, and it seems to work well
> so far.
> 
> Is there some issue with opie that would cause problems when using it
> on the Debian servers?

I haven't looked at OPIE for ages, but when using it with ssh, doesn't
it force you to turn privilege separation off in /etc/ssh/sshd_config?

Maybe the ssh people fixed this issue since.

Phil.
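To make concrete why a sniffed one-time password gives an eavesdropper nothing reusable, here is an added example that is not part of this thread and is not OPIE's own code (real OPIE folds MD4/MD5/SHA1 output to 64 bits and encodes it as six words; this uses SHA-256 and raw bytes). It models the S/KEY-style hash chain OPIE is built on: the server stores only the seed, a counter and the current chain element, and each login consumes one element. The passphrase, seed and counter are constructed values.

```python
import hashlib


def chain_element(passphrase: str, seed: str, i: int) -> bytes:
    """h_0 = H(seed || passphrase); h_i = H(h_{i-1}). Needs the passphrase, so only the user can compute it."""
    h = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(i):
        h = hashlib.sha256(h).digest()
    return h


class OtpServer:
    """Server side: keeps (seed, count, h_count) and never learns the passphrase."""

    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed, self.count, self.stored = seed, count, stored

    def challenge(self):
        # Analogous to OPIE's "otp-sha1 99 de1234" prompt: which element to send, and the seed.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # Accept only the element one step below the stored one, then advance.
        if self.count <= 0 or hashlib.sha256(response).digest() != self.stored:
            return False
        self.count -= 1
        self.stored = response
        return True


def enroll(passphrase: str, seed: str, n: int) -> OtpServer:
    # Enrollment (like opiepasswd): the user computes h_n locally; the server stores only that.
    return OtpServer(seed, n, chain_element(passphrase, seed, n))


def sniffing_scenario(passphrase="constructed passphrase", seed="de1234", n=100) -> dict:
    """Replay a captured one-time password and show why it is rejected."""
    server = enroll(passphrase, seed, n)
    i, s = server.challenge()
    on_the_wire = chain_element(passphrase, s, i)      # the value an eavesdropper captures
    first = server.verify(on_the_wire)                 # legitimate login: accepted
    replay = server.verify(on_the_wire)                # same value again: H(h_99) != h_99
    forward = server.verify(hashlib.sha256(on_the_wire).digest())  # hashing forward only yields consumed elements
    i2, _ = server.challenge()
    legit_next = server.verify(chain_element(passphrase, seed, i2))  # user with passphrase: accepted
    return {"first": first, "replay": replay, "forward_hash": forward, "legit_next": legit_next}
```

The defensive point is in `verify`: the server accepts a response only if hashing it once reproduces the stored element, and it then replaces the stored element, so anything seen on the wire is dead the moment it is accepted.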


