From owner-freebsd-security Wed Mar 20 6:22:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtpzilla1.xs4all.nl (smtpzilla1.xs4all.nl [194.109.127.137]) by hub.freebsd.org (Postfix) with ESMTP id CA1AA37B41D for ; Wed, 20 Mar 2002 06:22:11 -0800 (PST) Received: from list1.xs4all.nl (list1.xs4all.nl [194.109.6.52]) by smtpzilla1.xs4all.nl (8.12.0/8.12.0) with ESMTP id g2KEMAhL002127 for ; Wed, 20 Mar 2002 15:22:10 +0100 (CET) Received: (from root@localhost) by list1.xs4all.nl (8.9.3/8.9.3) id PAA19998; Wed, 20 Mar 2002 15:22:09 +0100 (CET) From: rmeijer@xs4all.nl (Rob J Meijer) To: freebsd-security@freebsd.org X-Via: imploder /usr/local/lib/mail/news2mail/news2mail at list1.xs4all.nl Subject: Re: Safe SSH logins from public, untrusted Windows computers Date: 20 Mar 2002 14:22:02 GMT Organization: XS4ALL Internet BV Message-ID: In-Reply-To: <20020319131408.C324@ophiuchus.kazrak.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org brad@kazrak.COM (Brad Jones) writes: >On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote: >> This isn't exactly FreeBSD-security-related, but it's certainly >> security-related, and I think it's likely to be of interest to many of the list >> members. >> >> I spend a lot of time in hotels, and most of them have Internet centers with >> Windows computers for the use of hotel guests. It's easy enough to download a >> copy of PuTTY and hide it in the Windows directory so that I can make SSH >> logins to my various remote servers. >> >> I worry, however, about trojans and keyboard sniffers and what-have-you >> monitoring my keystrokes, so I don't feel particularly safe doing this. So I >> thought I might stick a DSA key, encrypted with a passphrase used only for that >> particular key, on a floppy disk, and use that to log in. Without the floppy >> disk, the passphrase, if sniffed or recorded, would be useless. >> >> Question: if I plan on doing any work as root, would I be better off setting >> PermitRootLogin to without-password and logging in directly as root, instead of >> following the common practive of logging in as a regular user and then su-ing? >> su-ing would require that I type the password, and that's what I'm trying to >> avoid. >> >> Does anyone have any comments, or does anyone have a better idea? >S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just >a bit of planning ahead), and lets you avoid reusable passwords. >Set it up for your account, and set up 'sudo' so you can get to a root shell >without typing a reusable password. Then print up 20-30 responses (or >however many you think you'll need) and go...you enter the one-time password >at the appropriate SSH prompt, and a keystroke sniffer never gets any useful >information. (Sure, they got phrase #94...but that one's been used, and >won't work anymore.) It won't need to work any'more' if the thing you are sudoing to is interactive, as the fact that a phrase has been typed after a sudo call to an interactive shell could propt the keyboard sniffer to go into key-insertion mode. As long as you do sudo calls to non interactive stuff you are fine, just don't do things like 'sudo bash' or even 'sudo vi'. Rob To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message