[lug] Is anon ftp upload really bad?

Bear Giles bgiles at coyotesong.com
Wed Apr 24 16:07:38 MDT 2002


> Has anyone else played with the S/Key OTP 
> stuff? 

CS/CU used to require S/Key passwords.  I don't know if they
still do.  I just remember being really and truly pissed when they
changed this policy since it was poorly communicated to nontraditional
grad students who rarely needed to access CS systems.

Anyway, you can configure SSH to require S/Key OTPs.  I think there
are also PAM modules, so you could use them in any application that
supports PAM.  While S/Key and other OTP systems are most often used
on insecure networks, they can also be used in the most sensitive
environments where even encrypted passwords aren't acceptable.

As an aside, Kerberos doesn't pass passwords either.  The only time
the password will ever cross the network is when you're changing it.
The rest of the time the password is used to encrypt a random message,
and the server (which has the password in its database) verifies that
the correct encryption key was used.

Bear
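
The challenge-response idea in the Kerberos aside above, as an added example that is not part of the original post and is not the Kerberos protocol itself. It assumes an HMAC over a random challenge in place of encryption, PBKDF2 for the password-to-key step, and hypothetical names (Server, client_respond, run_login); the account data is constructed.

```python
import hashlib, hmac, secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Password -> long-term key. PBKDF2 is this example's choice, not Kerberos's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.db = {}       # user -> (salt, key derived from the password)
        self.pending = {}  # user -> challenge that has not been answered yet

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        nonce = secrets.token_bytes(32)       # the "random message"
        self.pending[user] = nonce
        return self.db[user][0], nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replay finds nothing
        if nonce is None:
            return False
        expected = hmac.new(self.db[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    # The client proves it holds the key without ever sending the password.
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()

def run_login(server: Server, user: str, password: str, wire: list) -> bool:
    # 'wire' records every byte string an eavesdropper would see.
    salt, nonce = server.challenge(user)
    wire += [salt, nonce]
    response = client_respond(password, salt, nonce)
    wire.append(response)
    return server.verify(user, response)

if __name__ == "__main__":
    srv, seen = Server(), []
    srv.enroll("alice", "correct horse")      # constructed sample account
    print("good password:", run_login(srv, "alice", "correct horse", seen))
    print("bad password: ", run_login(srv, "alice", "wrong guess", seen))
    print("replayed response:", srv.verify("alice", seen[2]))
```

A captured response is still enough for an offline guessing attack against a weak password, so the password-to-key step and password quality matter even though the password itself never crosses the network.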


