[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OTP (opie) and ssh

Hi Carlos, Hi List!

On Tue, 19 Sep 2000, Carlos Carvalho wrote:

> Lots of people are replying about the advantages/disadvantages of
> using ssh **OR** otp. I fully agree; in fact I installed both here.
> What I said is that it's nonsense to use ssh **AND** otp at the same
> time, for the same login. If I understood correctly, Peter's setup of
> ssh-pam would use otp for the ssh login. Did I miss something?

This is the plan. To allow otp as a means of auth, besides rsa and
the unix passwd.

Why would this not make sense?

If I want a remote shell on my computer but cannot trust the local
computer, I'll want to use One Time Passwords so my authentification
tokens don't get in the hands of the wrong people.

So the auth token does not need protection and everything I type and
read can be logged at the local box. This however is no reason to
give this info as a present to every sniffer who happens to be on a
router/network in my route.

Additionally ssh protects the session from beeing hijacked (I assume,
after all the session key should be secret), which is quite easy to
do with a telnet session (yes, it can be hijacked at the local end-

Furthermore ssh is more than just a remote shell. Port forwarding,
scp, remote pipes (or whatever they're called tar cf - foo | \
ssh bar tar xf -  ) are nice features too.

> <asbestos suit>

Away put your flamethrowers!  I mean you no harm![1]

> I also don't like the hack of making ssh refuse logins for valid RSA
> keys (I only use them, no plain passwords) by just putting an invalid
> password in /etc/passwd. I'm not sure this was done to ssh-nonfree,
> but I think it was for openssh.

Yes, this is an _EVIL_ hack, that once costed me hours of searching.

Anyway, my original question was, wheter my pam config was ok and
since noone had something to say about it, I hope it's ok :)


 1. From: Daniel Burrows <Daniel_Burrows@brown.edu>
    Message-ID: <20000904183210.A14044@torrent>
    on -devel


        If a system can be exploited, it will be.
	        Any system can be exploited.

Attachment: pgpdH4Cat5tCj.pgp
Description: PGP signature

Reply to: