Re: It's not possible to allow non-OPIE logins only from trusted

Board: FB_security, time: 14 years ago (2011/03/13 06:32)
0 comments, 0 participants, thread position 14/26
Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:

(...)

> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.

(...)

> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4 digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack tho.

The math of that sounds a bit hard...

You're talking about OTPW, not OPIE, isn't it?

(...)

> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well, a device like that would catch me any time (hackers, welcome!), even when I use OPIE (because I don't use a separate device, a cell phone). Somewhere we have to draw a line, and my line is there. But when I look around me, at my physical/social environment, I feel pretty confident. I guess the most real risk I face is someone pointing a knife at me...

My problem with passwords, even passwords generated by dd if=/dev/random bs=6 count=1 | base64, is seeing dozens, sometimes hundreds of login attempts per day at any SSH server I open. Even though they're stupid attempts, which don't even guess a valid username (which is pretty easy, let me tell you), they make me feel that an 8 random character password can be guessed by accident. In my physical environment, I don't see the slightest threat (at least not one which does not involve knives).
-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
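The thread argues about what an OPIE-style one-time password does and does not buy you against a keylogger; the following is an added example (not code from the thread or from FreeBSD's OPIE) modelled on the RFC 2289 / S/Key MD5 hash chain: it shows why a captured response cannot be replayed, while the passphrase typed into the calculator is still the single secret a keylogger on that device would get. The seed, passphrase and sequence count are constructed values, and the output is kept as raw bytes instead of OPIE's six-word encoding.

```python
import hashlib


def skey_fold(data: bytes) -> bytes:
    """One chain step as in RFC 2289 with MD5: hash, then fold the
    16-byte digest to 8 bytes by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp_at(seed: str, passphrase: str, n: int) -> bytes:
    """Response number n: the chain started from seed||passphrase
    (seed lowercased, as RFC 2289 requires) advanced n further steps.
    This is what the calculator on the phone computes from the passphrase."""
    v = skey_fold(seed.lower().encode() + passphrase.encode())
    for _ in range(n):
        v = skey_fold(v)
    return v


class OtpServer:
    """Server side: stores only the last accepted chain value and its
    sequence number, never the passphrase. Enrolment computes the top of
    the chain once; afterwards the passphrase is discarded."""

    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed = seed
        self.n = count
        self.stored = otp_at(seed, passphrase, count)

    def verify(self, candidate: bytes) -> bool:
        # A valid response is the chain value exactly one step before the
        # stored one, so hashing it once must reproduce what we hold.
        if skey_fold(candidate) != self.stored:
            return False
        self.stored = candidate   # advance: the old value is now useless
        self.n -= 1
        return True


def demo():
    seed, passphrase = "fb1234", "correct horse battery staple"  # constructed
    srv = OtpServer(seed, passphrase, 99)
    first = otp_at(seed, passphrase, 98)
    ok_first = srv.verify(first)        # genuine login: accepted
    replayed = srv.verify(first)        # keylogged copy re-sent: rejected
    ok_next = srv.verify(otp_at(seed, passphrase, 97))  # next in chain: accepted
    return ok_first, replayed, ok_next
```

Note that verify() only ever hashes forward, so an attacker holding the server's stored value or any captured response still has to invert the fold to get the next one; the passphrase itself, if keylogged, gives the whole chain.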
Article code (AID): #1DU_HZP- (FB_security)