[H-GEN] Re: Blocking SSH exploits

Jason Parker-Burlingham jasonp at panix.com
Tue Aug 24 22:54:14 EDT 2004

Byron Ellacott <bje at apnic.net> writes:

> Anyone up to date on current thinking about the security of OTP
> systems? Did I waste my time?

My understanding is that the idea is sound and any brute-forcing of
the OTP algorithm would require users to simply change hashes or use
better passphrases.  I use OTP for most systems I care about---my
shell account, sudo access on various systems---that I need to be able
to access from anywhere, even if all I have is telnet.

> (As an aside, PAM doesn't actually allow you to provide different
> policies based on any sort of connection class; in the end I said that
> OTP auth was sufficient, but if that failed then the auth required
> both a connection from a list of known hosts as well as the correct
> password.)

What's the PAM magic required to check against a list of known hosts?

More information about the General mailing list