> I can see the point,
> because a would-be intruder could look over the shoulder of an authorised
> user, or someone with more privileges than himself, and watch his password
> being entered. Then it doesn't matter whether the session is encrypted
> because the intruder knows the password.
>
> the more security the better, as far as I am concerned.

Yes. One should use OPIE when he knows the connection is being eavesdropped at his end and accepts the fact that carrying around a printed sheet of paper with a few OTP-generated passwords is safer (or you could program your PDA, HP49, whatever to generate OTP passwords for you, I suppose) than typing a constant password for the eavesdropper to grab.

Otherwise OPIE is (usually) a security risk, as those sheets of paper are NOT a good thing in the hands of just about 99% of the people out there. There are better protocols out there to avoid plain passwords on the wire, and ssh is one of them.

I have to use OPIE from work, however the "helpdesk" m***ns force us to have PCanywhere and other such crap installed in our machines. I am not about to let them have my passwords THAT easily if I happen to need to ssh out of M$Winblows to a Real Machine(tm) to get some work done :-)

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh