Re: One time passwords?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: One time passwords?
- From: "C. Bensend" <benny_(_at_)_bennyvision_(_dot_)_com>
- Date: Tue, 27 Sep 2005 22:19:36 -0500 (CDT)

> "Have to" - you keep using those words. I don't think it
> means what you think it means.

Yes, I know what it means, just as you do. 98% of the time,
"have to" is "want to" or "really want to." I'm using it
loosely. And in this situation, the networks I'm talking about
are my own, so the biggest risk to me is something crashing, and
a few friends do without email for a few days. So, "need" is

> If you don't trust the endpoint, no amount of one time passwords, or
> ssh will save you. You will get keylogged, or followed in, and owned.
> it's that simple. Why mess around with gymnastics like s/key from an
> untrusted host instead of solving the real threat to your security?

Keylogging I understand fine... What do you mean by followed in?
Honest question - I thought with a one-time challenge like skey,
you'd be fairly safe? The man page doesn't mention any such
risk, nor does the FAQ. I am completely uneducated on skey, as
I've simply never had a need for it before. So, feel free to break
out the cluebat and take a swing, Bob. :)

"Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda."