otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Hannes Beinert
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 17:49:20 -0600

On Tue, Dec 22, 2009 at 17:17, Luke Faraone <address@hidden> wrote:
> On Tue, Dec 22, 2009 at 17:59, Hannes Beinert <address@hidden> wrote:
>>
>> I certainly think it would be nice to have as an option.  However,
>> honestly, I can't think of many advantages.  If PPP could be installed
>> by the user without any sysadmin intervention or cooperation, such as
>> in a situation where one is just an individual user on a large system
>> with sysadmins "who can't be bothered", then this would be a really
>> useful option.  However, to use PPP for login the system PAM stacks
>> need to be modified.
>
> Use case: "I'm a sysadmin at a small company. I have a natural aversion to
> anything centralized, and I don't want to have social responsibility if
> anything goes wrong. I don't need any more complexity in my system than
> absolutely necessary."
>
> Maybe it's a slim one, so feel free to ignore it.

Not at all, it's certainly not a point of view which should be
dismissed.  The problem is that this same libertarian (:-) sysadmin
would still need to muddle around with his PAM configuration, which
would carry with it the burden of responsibility in the event that
something should go wrong.

However, you do make me wonder whether the PAM module could be
designed to have a "permissive" or "optional" mode.  Namely, if the
user has no userland PPP configuration, the module would just return a
successful authentication.  If there *is* a userland configuration,
then it would work normally.  In this case, the sysadmin would be
making the policy decision that PPP is optional, and if a user chooses
to increase his/her account's security at the cost of convenience,
then so be it.

The other advantage of this system would be that it's even conceivable
that a distro could ship with this module installed in the default PAM
stacks.  There would be no change in the default system behavior
unless a user takes some proactive steps.

I kinda like this option.

>> Well, Tomasz is the only dev, currently.  I'm just the peanut gallery. ;-)
>
> I second that! :)

There is no way I can hear that phrase without thinking of Motown.

Hannes.
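As an added illustration (not code from the otpasswd project or from anyone in this thread), the following C model shows the "optional" mode Hannes sketches above: the module's authenticate step looks for the user's own PPP state file, returns success when it is absent and the sysadmin has enabled optional mode, and otherwise verifies the supplied passcode. Everything concrete here is assumed: the PAM return codes are local stand-ins for the ones in `<security/pam_modules.h>` (values match Linux-PAM, but nothing links against libpam), the config path and the `optional_mode` argument are hypothetical, and the config format (one line holding the expected passcode) is a constructed stand-in for the real PPP state file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-ins for Linux-PAM return codes (normally from <security/pam_modules.h>).
 * Defined locally so this model builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

/* Constant-time string equality: rejection time does not depend on where
 * the first differing character sits. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned)(a[i] ^ b[i < lb ? i : 0]);
    return diff == 0;
}

/* Model of the module's authenticate decision.
 *   config_path   - the user's own PPP state file (hypothetical location)
 *   optional_mode - what the sysadmin would enable via a module argument
 *                   (hypothetical name) to make PPP opt-in per user
 *   supplied      - the passcode typed at the prompt
 * Returns a PAM-style code. */
int otp_authenticate(const char *config_path, int optional_mode, const char *supplied)
{
    struct stat st;
    if (stat(config_path, &st) != 0) {
        /* Only a genuinely missing file means "this user never enrolled".
         * Any other stat failure (EACCES, ELOOP, ...) is treated as an
         * enrolled-but-unreadable config and fails closed. */
        if (errno == ENOENT && optional_mode)
            return PAM_SUCCESS;
        return PAM_AUTH_ERR;
    }

    /* Added hardening: a state file readable by group/other would let
     * another local user read the passcode list, so refuse it. */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return PAM_AUTH_ERR;

    FILE *f = fopen(config_path, "r");
    if (!f)
        return PAM_AUTH_ERR;
    char expected[128];
    if (!fgets(expected, sizeof expected, f)) {
        fclose(f);
        return PAM_AUTH_ERR;
    }
    fclose(f);
    expected[strcspn(expected, "\r\n")] = '\0';

    return ct_equal(expected, supplied) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Write a constructed one-line config with mode 0600 (demo helper only). */
int write_demo_config(const char *path, const char *passcode)
{
    unlink(path); /* make sure the 0600 mode below is actually applied */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    size_t n = strlen(passcode);
    int ok = write(fd, passcode, n) == (ssize_t)n && write(fd, "\n", 1) == 1;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    const char *enrolled = "/tmp/otp_demo_enrolled.cfg"; /* constructed paths */
    const char *absent   = "/tmp/otp_demo_absent.cfg";
    unlink(absent);
    write_demo_config(enrolled, "4kQ7"); /* constructed passcode */

    printf("optional, not enrolled: %d\n", otp_authenticate(absent, 1, "anything"));
    printf("required, not enrolled: %d\n", otp_authenticate(absent, 0, "anything"));
    printf("enrolled, right code:   %d\n", otp_authenticate(enrolled, 1, "4kQ7"));
    printf("enrolled, wrong code:   %d\n", otp_authenticate(enrolled, 1, "4kQ8"));

    unlink(enrolled);
    return 0;
}
```

Two details in the model matter for the policy Hannes describes. First, optional mode deliberately fails open for users who never enrolled, so the module distinguishes a missing file (ENOENT) from a file it cannot read and fails closed on the latter; otherwise any condition that makes an enrolled user's config look absent would silently downgrade that account to password-only login. Second, a real module could return PAM_IGNORE instead of PAM_SUCCESS for the not-enrolled case and let the control flag in the PAM stack (`required`, `sufficient`, ...) decide, which keeps the "PPP is optional" decision in the sysadmin's configuration rather than in the module's code.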
