On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > > Yes, that's right. That would solve a whole lot of other problems too.
> > > It's true that I'm using SSH in many cases just as an easy to administer
> > > VPN. I've been postponing that for years. But I would need something
> > > that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> > > for any client.
> >
> > so with the pfsense project we have this thing integrated that is called
> > OpenVPN.
> > Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes
> > because it's as secure as possible in this world :)) network between them.
> > I pushed it to my parents who are (sigh) using Windows, I use it from my
> > Mac (Viscosity) and hell it even works on Linux/Gentoo..
> >
> > And it's all.. free :-)
> >
> > Cheers
> > Remko
>
> Thanks. I'll probably be looking into that sooner or later.
>
> However, OPIE, nobody cares about OPIE?
Hi,

I do care about OPIE, but it has many shortcomings, arguably more critical than the one you're pointing out. What bothers me most is the absence of a prefix password and the possibility that someone may hijack my session if he's replaying my input and sends the \n before I do. See the Wikipedia page about OTPW [1] for a more detailed explanation about that.

OTPW is an alternative to OPIE that aims at correcting these issues. I'd try to install and configure OTPW on my server to replace OPIE, but it's not in the ports and I don't know PAM well enough to try and mess with it; I would probably end up opening more security holes than I'm fixing.

Since these days many of us use cell phones where it's easy to write and distribute challenge/response generators, I don't understand why there seems to be so little interest in developing and improving one-time password solutions (including for websites; I wonder how many facebook/twitter/whatever accounts I could steal by putting keyloggers in an internet cafe). I would gladly look into it myself but the subject is so security critical that I'm a little put off.

If one of you knows of a project working on improving or replacing OPIE, I would gladly look into it and try to contribute if I can. Maybe this project _is_ OTPW? Why isn't it in the ports yet when the Wikipedia article claims it supports FreeBSD? Has anyone here tried it?

As for OpenVPN, it is a really good piece of software and you should have a look at it, but I can imagine scenarios where a one-time password would be better suited than a complete VPN setup (for instance, I use OPIE and shellinabox [2] over HTTPS to connect to my server from anywhere I can find a web browser, no need to install any additional software).

[1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
[2] https://code.google.com/p/shellinabox/

Cheers,
-- 
Lionel Flandrin
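An added example, not code from this thread or from OTPW itself, modelling the two weaknesses raised above: the verifier stores only hashes of prefix password + one-time password, deletes an entry once it is used, and demands three entries when another login is already in progress. The scheme is a simplified assumption in the spirit of OTPW (hash choice, list layout and lock handling are illustrative, not OTPW's actual format), so a keylogged one-time password without the prefix, a replayed response, or a racing second login all fail.

```python
import hashlib
import secrets

# Assumption: a reduced model of a prefix-password + one-time-password list,
# in the spirit of OTPW; not OTPW's own code, hash or file format.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"


def hash_response(response):
    """Hash of the full response string (prefix + one-time password)."""
    return hashlib.sha256(response.encode()).hexdigest()


def generate_list(prefix, count=8, length=8):
    """Return (plain list printed for the user, server-side state).
    The server keeps only hashes of prefix + otp, so neither a stolen
    server file nor a keylogged otp on its own yields a usable login."""
    otps = ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]
    state = {"hashes": {i: hash_response(prefix + p) for i, p in enumerate(otps)},
             "lock": None}  # index held by a login currently in progress
    return otps, state


def challenge(state):
    """Return the entry indexes the user must answer. If a login is already
    in progress (lock held), ask for three entries at once, so a second
    party racing with a single observed response cannot complete a login."""
    unused = sorted(i for i in state["hashes"] if i != state["lock"])
    if state["lock"] is None:
        state["lock"] = unused[0]
        return [unused[0]]
    return unused[:3]


def verify(state, indexes, responses):
    """Check each response (prefix + otp) against its stored hash.
    Used entries are deleted on success so they can never be replayed;
    answering the locked entry (right or wrong) releases the lock."""
    if len(indexes) != len(responses):
        return False
    ok = all(secrets.compare_digest(state["hashes"].get(i, ""),
                                    hash_response(r))
             for i, r in zip(indexes, responses))
    if ok:
        for i in indexes:
            del state["hashes"][i]
    if state["lock"] in indexes:
        state["lock"] = None
    return ok
```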