| Summary: | pam_opieaccess does not support IPv6, or documentation is lacking | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Victor Sudakov <vas> |
| Component: | bin | Assignee: | Dag-Erling Smørgrav <des> |
| Status: | Closed Overcome By Events | | |
| Severity: | Affects Only Me | CC: | adamkrisusa, delphij, des, markm, vas, virtuallark |
| Priority: | --- | Keywords: | ipv6, needs-qa |
| Version: | 11.2-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Victor Sudakov
2019-04-14 02:13:40 UTC
If someone provided me with an example how to add an IPv6 line to /etc/opieaccess, I would be happy to test if IPv6 support is working. I don't know however how to present an IPv6 network(s) in the "address netmask" format that is required there.

How can I up this one? It's really annoying not to be able to skip one-time passwords when logging in from a trusted IPv6-only host.

It looks like all the way from contrib/opie to PAM there is no IPv6 support currently. I have no idea if upstream's (NRL) opie project still exists. It's likely someone has to sit down and fix/write the code.

OPIE is not quite up to 2019 standards of security or usability. I would recommend using Google Authenticator or Yubikey / U2F instead.

(In reply to Dag-Erling Smørgrav from comment #4)
> I would recommend using Google Authenticator or Yubikey / U2F instead.

Are they integrated into FreeBSD or do you recommend integrating them? Suppose we switch to them, shall I still be able to use a simple sheet of paper with pre-printed one-time keys on it, as I've done for years?

(In reply to Victor Sudakov from comment #5)
> Are they integrated into FreeBSD or do you recommend integrating them?

They're in ports.

> Suppose we switch to them, shall I still be able to use a simple sheet of
> paper with pre-printed one-time keys on it, as I've done for years?

No, but you'll have something that's actually secure.

(In reply to Dag-Erling Smørgrav from comment #6)
> No, but you'll have something that's actually secure.

If I understand correctly, one depends on some Google app for smartphone, and the other on some hardware device you need to purchase. These are not something I'd rather use in a freeware OS for PC. The OPIE system may be less secure (why? it's simple enough. Because of md5 only?) but at least it's self-sufficient. Why would I trust third party products to authenticate me to my own FreeBSD box?

Google Authenticator is not tied to Google. It is an open standard called OATH (RFC 4226 and 6238). It is commonly referred to as Google Authenticator because they were among the first to make widespread use of it and to release an open source implementation, but you can get hardware tokens that implement RFC 6238 (very commonly used for Internet banking; I have one in my pocket right now), or you can use a wide variety of free software including FreeOTP, which is a Red Hat-sponsored fork of the old Google Authenticator app. On the server side, you can use the security/pam_google_authenticator port, which is 100% open source.

(In reply to Dag-Erling Smørgrav from comment #8)
> you can use the security/pam_google_authenticator port

It turns out that this port has many dependencies (python and friends) which I find annoying.

Build-time, perhaps. Its only run-time dependency is libqrencode.

(In reply to Dag-Erling Smørgrav from comment #10)
> Build-time, perhaps. Its only run-time dependency is libqrencode.

png also

(In reply to Dag-Erling Smørgrav from comment #10)

Are you sure those 6-digit codes are a secure replacement for OTP, when used by themselves (not as an additional 2FA), but as the only password on untrusted terminals? I configured pam_google_authenticator.so as "sufficient" for auth, just like pam_opie.so.

PS you were right, no Python required at runtime. Sorry for my mistake.

The OATH HOTP / TOTP algorithm is stronger than OPIE. If you've been using OPIE as your only password, which you shouldn't, you'll be no worse off using OATH instead. But I would urge you to also implement some sort of rate limiting. You can use blacklistd(8) for services that support it (including sshd), or security/py-fail2ban for those that don't.

(In reply to Dag-Erling Smørgrav from comment #13)
> If you've been using OPIE as your only password, which you shouldn't

Who says I shouldn't? Isn't it configured as "sufficient" in the stock /etc/pam.d/sshd ?

(In reply to Victor Sudakov from comment #14)
> Isn't it configured as "sufficient" in the stock /etc/pam.d/sshd ?

Yes, for historical reasons: it was considered an adequate single factor 20+ years ago, so it was grandfathered in when we moved to PAM, and this decision was never revisited. But it is very weak, and I doubt there are many people still using it. I considered adding support for a more modern algorithm, but it would require a much larger dictionary and / or much longer phrases. I should have removed it a long time ago; I will probably do so before 13.0.

(In reply to Dag-Erling Smørgrav from comment #15)
> But it is very weak, and I doubt there are many people still using it.

OPIE being the only OTP solution not depending on a third-party hardware gadget (even a mobile phone), and being mentioned in the Handbook, I'm afraid quite a few people may be still using it.

> I should have removed it a long time ago; I will probably do so before 13.0.

If you do, please don't forget to update the "13.3. One-time Passwords" chapter of the FreeBSD Handbook to some other OTP system.

(In reply to Victor Sudakov from comment #0)

I would like to add IPv6 support and update related documentation. If OPIE will be removed from the base system in future release(s), then I would like to create a FreeBSD port.

(In reply to Dag-Erling Smørgrav from comment #6)

I have never patched the base system yet; I hope it would be included in base, or should I work on a port straight from the beginning?

OPIE is removed from base.
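The thread argues that OATH HOTP/TOTP (RFC 4226 and RFC 6238) is a stronger one-time password than OPIE, and that anyone using an OTP as the sole factor, as the stock "sufficient" PAM line allows, should also add replay protection and rate limiting. The following is an added example written for this page, not code from the bug report, FreeBSD, or the pam_google_authenticator port: it implements HOTP and TOTP as the RFCs specify, checked against the RFCs' published test vectors, and a small server-side verifier that refuses replayed steps and locks out after repeated failures. The `TotpVerifier` class and its `window` and `max_failures` parameters are this example's own names; the secret is the RFC test secret, not a real one.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); the RFC 6238
# SHA-1 vectors use the same secret. A real deployment gives each user a random
# secret of at least 160 bits, shared once at enrollment (the QR code step).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server-side check of a submitted TOTP code (example design, not a
    library API).

    - accepts the current time step plus `window` steps either side, to
      tolerate clock skew between token and server;
    - never accepts a step at or below the last accepted one, so a code
      observed on an untrusted terminal cannot be replayed;
    - counts consecutive failures and refuses everything after
      `max_failures`, the rate limiting the thread recommends (in production
      this lives in blacklistd/fail2ban or the PAM module, not in memory).
    """

    def __init__(self, secret: bytes, window: int = 1, max_failures: int = 5,
                 step: int = 30):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.step = step
        self.last_accepted_step = -1
        self.failures = 0

    def verify(self, code: str, unix_time: int) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked out: no further guesses are evaluated
        if not (code.isascii() and code.isdigit()):
            self.failures += 1
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed: replay protection
            expected = hotp(self.secret, candidate)
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current TOTP for the RFC test secret:", totp(RFC_TEST_SECRET, now))
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", v.verify(totp(RFC_TEST_SECRET, now), now))
    print("replay accepted:", v.verify(totp(RFC_TEST_SECRET, now), now))
```

With a 6-digit code and a window of three steps, a guess succeeds with probability about 3 in 10^6 per attempt, which is only acceptable because the failure counter (or blacklistd/fail2ban in front of sshd) caps the number of attempts; the replay check is what makes the code safe to type on an untrusted terminal, the use case the reporter describes.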