Re: OPIE considered insecure
On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
> ...
> Benjamin Lutz writes:
>
> > Because the inconvenience of not using whatever service or data the server is
> > providing is considered greater than the security risk.
>
> But isn't regular password authentication the most convenient of all?
Not in my experience, no.
I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very
early, so all processes run under that environment get the benefit of
the cached authentication credentials I thus set up. Then I can login
to most machines I care about directly, without requiring additional
authentication.
To me, that's far more convenient than ensuring that I'm around & paying
attention whenever some random process (e.g., a CVS update) wants a
password.
And I strongly suspect that it's better security than a password.
For my externally-visible sshd, there's no way I'd use a reusable
password for authentication. As things presently stand, I only permit
SSH public key authentication for that use.
> ...
Peace,
david
--
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.