From owner-freebsd-security Tue Mar 19 12:26:18 2002
Date: Tue, 19 Mar 2002 15:21:25 -0500
From: Chris Johnson
To: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319152125.F43336@palomine.net>
In-Reply-To: <20020319131408.C324@ophiuchus.kazrak.com>

On Tue, Mar 19, 2002 at 01:14:08PM -0700, Brad Jones wrote:
> On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > I spend a lot of time in hotels, and most of them have Internet centers with
> > Windows computers for the use of hotel guests. It's easy enough to download a
> > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > logins to my various remote servers.
>
> S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
> a bit of planning ahead), and lets you avoid reusable passwords.
>
> Set it up for your account, and set up 'sudo' so you can get to a root shell
> without typing a reusable password. Then print up 20-30 responses (or
> however many you think you'll need) and go...you enter the one-time password
> at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> information. (Sure, they got phrase #94...but that one's been used, and
> won't work anymore.)
>
> Recommended man pages: 'keyinit' will get you started, 'key' lets you
> create a file of keys that you can print and take with you. (If you have
> a palmtop, most of them have key-generation programs you can use instead.)
> 'skey' gives an overview.

Thanks very much for this; it seems to be just the ticket. I didn't know
anything about S/Key, other than it's the thing I recently turned off in my
sshd_config file because sshd was prompting me for things to which I didn't
know the answer.

Thanks for all the responses.

Chris
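
The one-time-password idea in the quoted advice, sketched as an added example that is not part of the original thread: a hash chain in which the server keeps only the last accepted response, so a captured "#94" cannot be reused. SHA-256 stands in for S/Key's own hash and word encoding, and the `Server` class, seed and passphrase are hypothetical values constructed for illustration.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    # One-way function. Assumption: SHA-256 stands in for S/Key's own hash.
    return hashlib.sha256(value).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    # Response number n is the one-way function applied n times to seed+secret.
    value = seed + secret
    for _ in range(n):
        value = step(value)
    return value

class Server:
    """Hypothetical verifier: keeps the last accepted response, never the secret."""

    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        # Ask for the response one step earlier in the chain than the stored one.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain used up: the account must be re-initialised
        if not hmac.compare_digest(step(response), self.last):
            return False
        # Accept, then move down the chain so this response can never work again.
        self.last, self.count = response, self.count - 1
        return True

def demo():
    secret, seed = b"constructed passphrase", b"pa12345"  # constructed sample values
    server = Server(seed, 95, otp(secret, seed, 95))      # state after enrolment
    n, s = server.challenge()                 # server asks for response #94
    printed = otp(secret, s, n)               # computed at home and printed
    first = server.verify(printed)            # typed on the untrusted PC
    replay = server.verify(printed)           # sniffer replays captured #94
    forward = server.verify(step(printed))    # sniffer hashes it forward instead
    following = server.verify(otp(secret, seed, 93))  # owner's next printed line
    return n, first, replay, forward, following

if __name__ == "__main__":
    print(demo())
```

The captured response fails on replay and when hashed forward, because the next login needs response #93, and deriving that from #94 would mean inverting the hash.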