silly password restrictions was: Re: [clug] secure remote access method

Daniel Pittman daniel at rimspace.net
Sat Jun 20 06:26:38 GMT 2009


jm <jeffm at ghostgun.com> writes:

> Thanks for forking the subject. This is really a separate line of thought on
> a related topic.
>
> I think the best solution is fast becoming one time passwords (OTP).

You want the OPIE or OTPW PAM modules, plus associated ephemera, which give
you a secure and well-tested one-time password system integrated nicely to
PAM.

That should work for anything that can display PAM messages to the client, but
it can also stack with other PAM modules for ... less capable password based
authentication.

> To date this hasn't been an option for most due to the cost of the
> associated hardware.

Those two are hardware-free, thankfully. :)

> Things such as yubico help.

I don't know; recently it seems that serious security vulnerabilities like
local reconfiguration of the key without authentication or authorization are
possible...

> A better way may lie in the use of software on phones. Phones that support
> third party software and which are open to easy development are becoming
> more common (eg, iphone, android, etc) among the target user population.

Even without that, there were Java clients available for at least OPIE and
S/KEY, and probably for OTPW as well.  This capability has been present, if
not nice, for a long time.

You could theoretically use a keyed sequence generator à la hardware tokens as
well, but this doesn't seem to have become popular yet.

[...]

> Anyone know of any published algorithms, papers, existing software?

There are quite a lot of one-time password and zero-knowledge proof protocols
available, addressing this problem space quite effectively.  You shouldn't
have any trouble finding solid, proved and peer-reviewed options without
having to do any design yourself.

Regards,
        Daniel
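[Editor's added example; this is not part of Daniel's message or of the OPIE,
OTPW or S/KEY code bases.] The two schemes the reply mentions are worth seeing
side by side: the S/KEY / OPIE hash-chain OTP, where the server keeps only
H^n(seed) and each login reveals the preimage of what it stored last, and the
keyed counter generator used by hardware tokens (HOTP, RFC 4226). The chain
below uses plain SHA-256 over raw bytes as a simplification; RFC 2289 folds an
MD5/SHA-1 digest to 64 bits and renders it as six words, but the chain logic is
identical. The seed, counter window and "login" sequence are constructed for
illustration; the HOTP key is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct


# --- Hash-chain OTP in the S/KEY / OPIE style -------------------------------
# Assumption: plain SHA-256 over raw bytes (RFC 2289 folds the digest to
# 64 bits; the chain logic is the same, only the digest is simplified).

def hash_chain(seed: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class ChainClient:
    """Holds the seed; hands out H^(n-1), H^(n-2), ... one per login."""

    def __init__(self, seed: bytes, n: int):
        self.chain = hash_chain(seed, n)
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


class ChainServer:
    """Stores only H^count(seed); it never sees the seed itself."""

    def __init__(self, top: bytes, count: int):
        self.last = top
        self.count = count

    def verify(self, otp: bytes) -> bool:
        if self.count == 0:
            return False  # chain used up: nothing left to accept
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            return False
        # Accepted: the presented value becomes the stored value, so a
        # replay of the same otp fails next time (H(otp) != otp).
        self.last = otp
        self.count -= 1
        return True


# --- Keyed counter OTP (HOTP, RFC 4226) --------------------------------------
# The "keyed sequence generator" that hardware tokens implement.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


class HotpServer:
    """Accepts any of the next `window` counters, never an earlier one."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # skip past any unused counters
                return True
        return False


def demo() -> dict:
    """Constructed walk-through (not real secrets); returned so it can be checked."""
    seed = b"constructed-seed-not-a-real-secret"
    n = 4
    client = ChainClient(seed, n)
    server = ChainServer(hash_chain(seed, n)[n], n)
    first = client.next_otp()
    chain_results = [server.verify(first), server.verify(first)]  # login, replay
    chain_results += [server.verify(client.next_otp()) for _ in range(n - 1)]
    exhausted = server.count == 0

    hs = HotpServer(b"12345678901234567890")  # RFC 4226 test-vector key
    hotp_results = [hs.verify("755224"),  # counter 0
                    hs.verify("755224"),  # replay
                    hs.verify("359152")]  # counter 2 (counter 1 skipped)
    return {"chain": chain_results, "chain_exhausted": exhausted,
            "hotp": hotp_results, "hotp_next": hs.next_counter}


if __name__ == "__main__":
    print(demo())
```

The hash chain needs no shared secret on the server and no synchronised
counter, which is why it suits the hardware-free, phone-calculator setups the
thread discusses; its cost is that the chain runs out and has to be re-seeded
over a trusted channel. HOTP needs a shared key on both sides, so the
server-side key store becomes something to protect, but the sequence never
ends and the look-ahead window absorbs codes generated but never submitted.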

