
List:       freebsd-hackers
Subject:    Re: Putting OPIE to rest
From:       Joe Schaefer <joesuf4 () gmail ! com>
Date:       2022-09-16 17:46:25
Message-ID: CAOzHqcLvZUqdJGMMPJgUMQpLs12HTL7HL_2nso6xMJthOkFNMw () mail ! gmail ! com

Answering my own question: yes it can, but there's no "challenge" string
for TOTP nor HOTP.
If you want sha-1 in an "opie" framework, check out
https://github.com/SunStarSys/orthrus


On Thu, Sep 15, 2022 at 7:31 PM Joe Schaefer <joesuf4@gmail.com> wrote:

> google-authenticator-libpam works for sudo controls?
>
> On Thu, Sep 15, 2022 at 7:01 PM grarpamp <grarpamp@gmail.com> wrote:
>
>> On 9/15/22, Dag-Erling Smørgrav <des@des.no> wrote:
>> > I will be removing OPIE from the main branch within the next few days.
>> > It has long outlived its usefulness.  Anyone still using it should look
>> > into OATH HOTP / TOTP instead (cf. security/pam_google_authenticator).
>> > https://reviews.freebsd.org/D36592
>>
>> At least so long as PAM remains available, OPIE should be
>> maintained as a PAM option, and be updated.
>>
>> OPIE is the only PAM that allows printing out the future
>> secure tokens. Old school, secure, it just works.
>>
>> HOTP requires hardware, TOTP requires time,
>> neither are printable, both of those require some other
>> [hackable] hw/sw device that costs $$$ money, and
>> those devices all have different threat/failure/admin models
>> than simple paper.
>>
>> If people don't like...
>> - The hash algo, a volunteer committer can update it to sha256.
>> - The list of words, a volunteer committer can update it to
>> read from a list of admin supplied words in:
>> /etc/opie_words.txt
>> - The number of words, a volunteer committer can add an
>> option to the config for that.
>> - The writeable state breaking in a read-only root, a volunteer
>> committer can add a config option to point that elsewhere.
>> - The randomness, a volunteer committer can update it
>> to modern randomness.
>>
>> And if people still don't like it, then commit those simple updates,
>> and push it out to ports, instead of killing users' use of it.
>>
>>
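Joe's remark that TOTP and HOTP have no "challenge" string, shown as an added example (not code from this thread, nor from orthrus): an OPIE/S-KEY style check needs the server to send the current sequence number and seed as a challenge, while an RFC 4226 HOTP value is derived from the shared secret and a counter alone. The SHA-256 chain here is a simplification; real OPIE folds an MD5 or SHA-1 digest down to 64 bits before encoding it as words.

```python
import hashlib
import hmac
import struct

# Added example: OPIE/S-KEY style challenge-response versus OATH HOTP.
# SHA-256 chain is a simplification of OPIE's folded MD5/SHA-1 output.


def skey_otp(seed: str, passphrase: str, sequence: int) -> bytes:
    """Client side of OPIE/S-KEY: hash seed+passphrase `sequence` times.

    `sequence` and `seed` are what the server sends as its challenge,
    e.g. "otp-sha1 99 fb1234"; the client cannot answer without them.
    """
    value = (seed + passphrase).encode()
    for _ in range(sequence):
        value = hashlib.sha256(value).digest()
    return value


def skey_verify(stored_otp: bytes, response: bytes) -> bool:
    """Server side: it stores H^(n+1); response H^n is valid iff
    one more hash reproduces the stored value (then store H^n)."""
    return hmac.compare_digest(hashlib.sha256(response).digest(), stored_otp)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimals.
    No server-supplied challenge: secret and counter are all that is needed."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed S/KEY-style enrolment: server keeps H^100, challenge asks for 99.
    seed, passphrase = "fb1234", "correct horse battery staple"
    stored = skey_otp(seed, passphrase, 100)
    print("S/KEY response accepted:", skey_verify(stored, skey_otp(seed, passphrase, 99)))
    # RFC 4226 Appendix D test secret; counters 0 and 1 give 755224 and 287082.
    rfc_secret = b"12345678901234567890"
    print("HOTP(0), HOTP(1):", hotp(rfc_secret, 0), hotp(rfc_secret, 1))
```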
