
Re: OTP (opie) and ssh

> I can see the point,
> because a would-be intruder could look over the shoulder of an authorised
> user, or someone with more privileges than himself, and watch his password
> being entered. Then it doesn't matter whether the session is encrypted
> because the intruder knows the password.
> The more security the better, as far as I am concerned.

Yes. One should use OPIE when he knows the connection is being eavesdropped
at his end and accepts the fact that carrying around a printed sheet of
paper with a few OTP-generated passwords is safer (or you could program your
PDA, HP49, whatever to generate OTP passwords for you, I suppose) than
typing a constant password for the eavesdropper to grab.

Otherwise OPIE is (usually) a security risk, as those sheets of paper are
NOT a good thing in the hands of just about 99% of the people out there.
There are better protocols out there to avoid plain passwords on the wire,
and ssh is one of them.

I have to use OPIE from work, however the "helpdesk" m***ns force us to have
PCanywhere and other such crap installed in our machines. I am not about to
let them have my passwords THAT easily if I happen to need to ssh out of
M$Winblows to a Real Machine(tm) to get some work done :-)

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Attachment: pgpLtgAKoZgI0.pgp
Description: PGP signature
