[H-GEN] Re: Blocking SSH exploits
Jason Parker-Burlingham
jasonp at panix.com
Tue Aug 24 22:54:14 EDT 2004
Byron Ellacott <bje at apnic.net> writes:

> Anyone up to date on current thinking about the security of OTP
> systems? Did I waste my time?

My understanding is that the idea is sound and any brute-forcing of
the OTP algorithm would require users to simply change hashes or use
better passphrases. I use OTP for most systems I care about---my
shell account, sudo access on various systems---that I need to be able
to access from anywhere, even if all I have is telnet.

> (As an aside, PAM doesn't actually allow you to provide different
> policies based on any sort of connection class; in the end I said that
> OTP auth was sufficient, but if that failed then the auth required
> both a connection from a list of known hosts as well as the correct
> password.)

What's the PAM magic required to check against a list of known hosts?
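
The policy in the quoted aside (OTP is sufficient; otherwise both a known host and the correct password are required), as an added example that is not part of the original thread: a small Python model of how PAM's "sufficient" and "required" control flags combine for a three-line auth stack. The module names (pam_opie.so, pam_access.so, pam_unix.so) and the accessfile path are assumptions chosen for illustration; the thread does not say which modules were used.

```python
# Added example: simplified model of PAM control flags (not real PAM code).
# Module names and the accessfile path are assumptions, not from the thread.
STACK = """\
auth  sufficient  pam_opie.so      # one-time password
auth  required    pam_access.so accessfile=/etc/security/ssh-hosts.conf  # known hosts
auth  required    pam_unix.so      # normal password
"""

def parse_stack(text):
    """Return [(control, module), ...] for each auth line, ignoring comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, results):
    """Walk the stack; results maps module name -> True if it succeeded."""
    required_failed = False
    required_passed = False
    for control, module in rules:
        ok = results[module]
        if control == "sufficient":
            # Success ends the stack at once unless a required module
            # already failed; failure is ignored.
            if ok and not required_failed:
                return True
        elif control == "required":
            # Failure dooms the result, but later modules still run.
            required_failed |= not ok
            required_passed |= ok
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return required_passed and not required_failed

def login_allowed(otp_ok, host_known, password_ok):
    """Outcome of the constructed stack for one login attempt."""
    results = {"pam_opie.so": otp_ok, "pam_access.so": host_known,
               "pam_unix.so": password_ok}
    return evaluate(parse_stack(STACK), results)

if __name__ == "__main__":
    for otp in (True, False):
        for host in (True, False):
            for pw in (True, False):
                print(f"otp={otp!s:5} host={host!s:5} password={pw!s:5} -> "
                      f"{login_allowed(otp, host, pw)}")
```

Because the sufficient line comes first, a valid OTP ends the stack before the host list is consulted, which is what lets OTP logins come from anywhere.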