On Sat Aug 30 16:43, Steve Langasek wrote:
> This is obviously an *incredibly* bad idea for anyone to do if they actually
> care about the security of the Debian systems. But we're already talking
> about hard policy changes to stop users from doing things they shouldn't do
> in the first place (== using passwords when logging in to Debian servers
> from their systems), so I don't think you should underestimate the capacity
> of developers to be cleverly stupid when security is concerned.

If the idea is to remove password access to stop credentials sniffed on one
machine being used on another, how about some form of one-time password
system? The University of Cambridge Computer Laboratory has recently changed
to only allowing OTP or key login to machines, using a system written by
Markus Kuhn, who has some claim to being a competent security researcher and
hence whose system I would trust. This system is called OTPW, has PAM
integration and is in Lenny. Markus wrote it to fix some security flaws in
the design of other OTP systems such as OPIE.

Matt
--
Matthew Johnson
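To make the argument above concrete, here is an added illustration (not OTPW's own code or file format, and not from this thread) of the property an OTPW-style list gives a defender: the host keeps only hashes of prefix-password + one-time-password, each entry is usable once, so a credential sniffed on one machine is worthless for a replay, and a stolen hash file alone does not yield usable passwords. The hash function, alphabet and entry layout are simplifying assumptions.

```python
# Added illustration of an OTPW-style one-time password list. Not OTPW's code:
# real OTPW stores truncated RIPEMD-160 hashes in ~/.otpw and prompts via PAM;
# here SHA-256 and an in-memory structure stand in for that (assumption).
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed alphabet without easily confused glyphs (0/O, 1/l/I).
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _digest(typed: str) -> str:
    """Hash of the full string the user types: prefix password + one-time password."""
    return hashlib.sha256(typed.encode()).hexdigest()


@dataclass
class OtpList:
    """Server-side state: one hash per entry plus the set of already-used entries."""
    hashes: list
    used: set = field(default_factory=set)


def generate(prefix: str, count: int = 8, length: int = 8):
    """Return (plaintext list to print for the user, server state holding only hashes)."""
    otps = ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]
    state = OtpList([_digest(prefix + otp) for otp in otps])
    return otps, state


def challenge(state: OtpList):
    """Pick a random unused entry number to prompt for, or None when the list is spent."""
    unused = [i for i in range(len(state.hashes)) if i not in state.used]
    return secrets.choice(unused) if unused else None


def verify(state: OtpList, index: int, typed: str) -> bool:
    """Accept the typed prefix+OTP for entry `index` at most once."""
    if index >= len(state.hashes) or index in state.used:
        return False                       # unknown or already-burned entry: replay fails
    if not secrets.compare_digest(_digest(typed), state.hashes[index]):
        return False
    state.used.add(index)                  # burn the entry before reporting success
    return True
```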