
Re: OTP (opie) and ssh



Hi Carlos, Hi List!

On Tue, 19 Sep 2000, Carlos Carvalho wrote:

> Lots of people are replying about the advantages/disadvantages of
> using ssh **OR** otp. I fully agree; in fact I installed both here.
> 
> What I said is that it's nonsense to use ssh **AND** otp at the same
> time, for the same login. If I understood correctly, Peter's setup of
> ssh-pam would use otp for the ssh login. Did I miss something?

This is the plan: to allow otp as a means of auth, besides rsa and
the unix passwd.


Why would this not make sense?

If I want a remote shell on my computer but cannot trust the local
computer, I'll want to use One Time Passwords so my authentication
tokens don't get in the hands of the wrong people.

So the auth token does not need protection and everything I type and
read can be logged at the local box. This however is no reason to
give this info as a present to every sniffer who happens to be on a
router/network in my route.

Additionally ssh protects the session from being hijacked (I assume,
after all the session key should be secret), which is quite easy to
do with a telnet session (yes, it can be hijacked at the local
endpoint).


Furthermore ssh is more than just a remote shell. Port forwarding,
scp, remote pipes (or whatever they're called: tar cf - foo | \
ssh bar tar xf -  ) are nice features too.

> <asbestos suit>

Away put your flamethrowers!  I mean you no harm![1]


> I also don't like the hack of making ssh refuse logins for valid RSA
> keys (I only use them, no plain passwords) by just putting an invalid
> password in /etc/passwd. I'm not sure this was done to ssh-nonfree,
> but I think it was for openssh.

Yes, this is an _EVIL_ hack, that once cost me hours of searching.


Anyway, my original question was whether my pam config was ok and,
since no one had something to say about it, I hope it's ok :)


References:

 1. From: Daniel Burrows <Daniel_Burrows@brown.edu>
    Message-ID: <20000904183210.A14044@torrent>
    on -devel

Peter

-- 
        If a system can be exploited, it will be.
        Any system can be exploited.


