Thus spake Gregory Neil Shapiro <[EMAIL PROTECTED]>:
> Interestingly enough, pam_opieaccess doesn't help at all in this
> situation.  The remote user is still prompted for their plain text
> password, it just isn't accepted.  However, the damage is already done -- a
> compromised ssh client would have already recorded the password typed in.
> 
> For opie_access to be of any use, it would have to print a warning telling
> users not to type in their plain text password and cause ssh not to ask for
> that password after the OTP queries fail (effectively, disable password as
> one of the authentication techniques early on).

A compromised SSH client would probably ask for the real password
anyway, but I suppose it would be a tip-off if all the real SSH
clients only asked for OTPs.  OPIE helps if someone is sniffing
your terminal, but it's practically useless if you assume that the
SSH client is compromised.  SSH connections can be multiplexed, so
I imagine it would be easy to transparently hijack an
authenticated session.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message