Tim Freeman <[EMAIL PROTECTED]> writes:

> At
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> it says the Debian machines were compromised by password sniffing from
> other compromised machines. If you use one time passwords instead,
> then password sniffing doesn't yield useful information and the damage
> from this sort of failure would be more limited.
>
> As you probably know, the packages for that are opie-server and
> libpam-opie on the server, and opie-client on the client. You'd also
> have to edit /etc/pam.d/{login,ssh} to mention libpam-opie, at least.
> Finding and installing a skey calculator on a personal organizer is
> probably better than using opie-client on a machine that's connected
> to the internet and therefore conceivably compromised. To discourage
> people from typing into a potentially compromised machine, you certainly
> don't want to have opie-client installed on any central server.
>
> I just started using opie on fungible.com, and it seems to work well
> so far.
>
> Is there some issue with opie that would cause problems when using it
> on the Debian servers?

I haven't looked at OPIE for ages, but when using it with ssh, doesn't
it force you to turn privilege separation off in /etc/ssh/sshd_config?
Maybe the ssh people fixed this issue since.

Phil.
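
The property the quoted message relies on (a sniffed one-time password is useless for the next login), shown as an added example that is not part of the original thread or of OPIE's code. It is a simplified model of an S/Key-style hash chain using MD5 folded to 64 bits; the names `otp`, `OtpServer` and `demo`, the seed and the passphrase are all constructed for illustration.

```python
import hashlib
import hmac


def _fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves to get a 64-bit value."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Calculator side: initial step on seed+passphrase, then `seq` more hashes."""
    value = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = _fold_md5(value)
    return value


class OtpServer:
    """Server side: keeps only the last accepted value, never the passphrase."""

    def __init__(self, seed: str, seq: int, last_value: bytes):
        self.seed, self.seq, self.last = seed, seq, last_value

    def challenge(self):
        # The prompt asks for the value one step *before* the stored one.
        return self.seed, self.seq - 1

    def verify(self, response: bytes) -> bool:
        if self.seq <= 0:
            return False  # chain exhausted; the user must re-initialise
        # Hashing the response once must reproduce the stored value.
        if not hmac.compare_digest(_fold_md5(response), self.last):
            return False
        self.last, self.seq = response, self.seq - 1  # advance the chain
        return True


def demo():
    secret, seed = "constructed passphrase", "fu12345"  # constructed sample values
    server = OtpServer(seed, 100, otp(secret, seed, 100))
    _, n = server.challenge()
    sniffed = otp(secret, seed, n)       # what a sniffer on the wire would capture
    first = server.verify(sniffed)       # legitimate login
    replay = server.verify(sniffed)      # same bytes again: server now wants n-1
    _, n2 = server.challenge()
    nxt = server.verify(otp(secret, seed, n2))  # only the secret holder can go on
    return first, replay, nxt
```

The captured value for step n only helps someone who can invert the hash to get step n-1, which is why the calculator holding the passphrase should not run on a machine that may itself be compromised.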