Re: PHK's MD5 might not be slow enough anymore

Board: FB_security | Posted: 2010/02/04 06:32
Matthew Dillon <dillon@apollo.backplane.com> writes:
> The vast majority of BSD users don't need PAM's capabilities when it
> comes to ssh.

You clearly don't understand what PAM does.

> And if you are really going to insist on changing the option around
> the least you could have done was uncomment the related options and
> set them to a definitive 'no' value (that would be ChallengeResponse
> at the very least) when you made the other changes.

You clearly don't understand what the ChallengeResponse option does.

> In any case, I think Mr Barton's posting was excellent. We already
> ship with PasswordAuthentication set to 'no' and, of course, PAM is
> disabled by default, but I am going to make further adjustments to
> our sshd_config based on Doug's suggestions plus I will also
> uncomment ChallengeResponseAuthentication and set that to 'no' too
> as a further safety measure.

....leaving your users with no other option than keys. No OPIE, no
Radius, no nothing - just keys. You do realize that users have the
option to store their keys unencrypted, and there is nothing you can do
on the server side to prevent them? That's even *less* secure than
passwords.

DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1BQVbZW- (FB_security)