On Sun, May 18, 2008 at 12:56:29PM +0000, Stuart Henderson wrote:
> On 2008-05-18, Mark Shroyer <[EMAIL PROTECTED]> wrote:
> > I've set up a nice secondary authentication mechanism on a Linux server.
> > I use this when I must shell in from, e.g., a computer lab, and I don't
> > have an authorized SSH private key on my workstation. To log in without
> > a private key, I must:
> >
> > 1) Enter my account's current S/Key one-time password
> >
> > and
> >
> > 2) Enter my Unix password
> >
> > in sequence.
>
> In what way does typing your password in to an untrusted machine
> improve security?

1) I didn't say untrusted machine. I know these computers' admins and
   fully trust them.

2) If it is impossible to log into the machine remotely with only its
   password, then when one actually thinks about it for just a moment
   and gets over the knee-jerk "OMG you're giving them your
   password!!1!" reaction, one realizes that this scheme *does* in fact
   increase security compared to S/Key alone, even if I were to use it
   from an untrusted machine.

Now, I don't want this thread to turn into a long and boring critique of
my authentication device. I just want to know, for better or for worse,
how one would go about setting it up on OpenBSD without PAM. Any ideas?
--
Mark Shroyer
http://markshroyer.com/contact/