Re: OTP (opie) and ssh

By a one-time password system I am not referring to carrying round a sheet
of paper, but rather something like the SecurID system, or some kind of
automated OTP generator, and I believe there is a good one for the Palm
platform also.


On Mon, 18 Sep 2000, Henrique M Holschuh wrote:

> > I can see the point,
> > because a would-be intruder could look over the shoulder of an authorised
> > user, or someone with more privileges than himself, and watch his password
> > being entered. Then it doesn't matter whether the session is encrypted
> > because the intruder knows the password.
> > 
> > The more security the better, as far as I am concerned.
> Yes. One should use OPIE when he knows the connection is being eavesdropped
> at his end and accepts the fact that carrying around a printed sheet of
> paper with a few OTP-generated passwords is safer (or you could program your
> PDA, HP49, whatever to generate OTP passwords for you, I suppose) than
> typing a constant password for the eavesdropper to grab.
> Otherwise OPIE is (usually) a security risk, as those sheets of paper are
> NOT a good thing in the hands of just about 99% of the people out there.
> There are better protocols out there to avoid plain passwords on the wire,
> and ssh is one of them.
> I have to use OPIE from work, however the "helpdesk" m***ns force us to have
> PCanywhere and other such crap installed in our machines. I am not about to
> let them have my passwords THAT easily if I happen to need to ssh out of
> M$Winblows to a Real Machine(tm) to get some work done :-)
> -- 
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh