Date:      20 Mar 2002 09:37:56 -0500
From:      Andrew Heybey <ath@niksun.com>
To:        Chris Johnson <cjohnson@palomine.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: Safe SSH logins from public, untrusted Windows computers
Message-ID:  <85adt3uwxn.fsf@stiegl.niksun.com>
In-Reply-To: <20020319152125.F43336@palomine.net>
References:  <20020319144538.A42969@palomine.net> <20020319131408.C324@ophiuchus.kazrak.com> <20020319152125.F43336@palomine.net>


> On Tue, Mar 19, 2002 at 01:14:08PM -0700, Brad Jones wrote:
> > On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > > I spend a lot of time in hotels, and most of them have Internet centers with
> > > Windows computers for the use of hotel guests. It's easy enough to download a
> > > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > > logins to my various remote servers.
> > 
> > S/Key.  It's built-in to FreeBSD, doesn't require any special hardware (just
> > a bit of planning ahead), and lets you avoid reusable passwords.
> > 
> > Set it up for your account, and set up 'sudo' so you can get to a root shell
> > without typing a reusable password.  Then print up 20-30 responses (or
> > however many you think you'll need) and go...you enter the one-time password
> > at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> > information.  (Sure, they got phrase #94...but that one's been used, and
> > won't work anymore.)
> > 
> > Recommended man pages: 'keyinit' will get you started, 'key' lets you
> > create a file of keys that you can print and take with you.  (If you have
> > a palmtop, most of them have key-generation programs you can use instead.)
> > 'skey' gives an overview.
> 
> Thanks very much for this; it seems to be just the ticket. I didn't know
> anything about S/Key, other than it's the thing I recently turned off in my
> sshd_config file because sshd was prompting me for things to which I didn't
> know the answer.

I had thought about doing this (setting up ssh access with s/key, that
is), using one of the java applets (mindterm, or maybe
http://www.mud.de/se/jta/).  This eliminates having to install putty
on whatever computer you are using: it just requires a java-capable
browser.  Put the applet on a web server on my computer, then run it
from wherever I am.  Has anyone had any success (or problems) with
any of the available ssh applets?

The only problem is until 4.5 I don't think you can allow s/key while
prohibiting regular passwords.

Are there any security pitfalls to doing this?  You are susceptible to
man-in-the-middle attacks but that is pretty much a given if you do
not have the host's public key with you...

andrew
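As an added illustration (not part of this thread, and not FreeBSD's own skey(1)/keyinit(1) code), the following Python sketch shows the mechanism Brad describes: the client derives a descending list of one-time passwords from a passphrase and seed, the server stores only the hash one step beyond the next expected response, and a keystroke sniffer who captures a used response cannot replay it. It follows the MD5 variant of RFC 2289 (MD5, folded to 64 bits by XORing the halves, seed lower-cased before hashing) and prints responses in hex rather than the six-word form, which needs the 2048-word dictionary; the class and function names and the "otp-md5 N seed" prompt format are my own choices.

```python
"""Toy S/Key (RFC 2289, MD5 variant): client-side list generation and server-side check."""
import hashlib
import hmac
from dataclasses import dataclass


def _fold_md5(data: bytes) -> bytes:
    # One S/Key hash step: MD5, then XOR the two 8-byte halves down to 64 bits.
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    # Initial step: lower-cased seed + passphrase; then 'count' further hash steps.
    key = _fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        key = _fold_md5(key)
    return key


def otp_list(passphrase: str, seed: str, start: int, how_many: int) -> list:
    # The list you print and take with you: descending sequence numbers, hex form.
    return [(c, skey_otp(passphrase, seed, c).hex())
            for c in range(start, start - how_many, -1)]


@dataclass
class SKeyAccount:
    seed: str
    count: int      # sequence number of the next response the server will ask for
    stored: bytes   # OTP(count + 1): exactly one hash step beyond the next response

    @classmethod
    def init(cls, passphrase: str, seed: str, count: int) -> "SKeyAccount":
        # What 'keyinit' achieves: the server keeps OTP(count), never the passphrase.
        # (Here the passphrase is passed in for convenience; in real use the client
        # computes the single response on its side.)
        return cls(seed=seed, count=count - 1, stored=skey_otp(passphrase, seed, count))

    def challenge(self) -> str:
        # The prompt the user sees at login (format is mine, not FreeBSD's exact text).
        return f"otp-md5 {self.count} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # Sequence numbers run down to 0; after that the user must re-run keyinit.
        if self.count < 0:
            return False
        try:
            response = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(response) != 8:
            return False
        # Accept only if hashing the response once reproduces the stored value.
        # A replayed (already used) response hashes to the *previous* stored value,
        # and a response from further down the list hashes to a value not yet stored,
        # so both are rejected.
        if not hmac.compare_digest(_fold_md5(response), self.stored):
            return False
        self.stored = response
        self.count -= 1
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 2289 test passphrase/seed.
    acct = SKeyAccount.init("This is a test.", "TeSt", 99)
    for n, hexword in otp_list("This is a test.", "TeSt", 98, 3):
        print(acct.challenge(), "->", n, hexword, "accepted:", acct.verify(hexword))
```

The first login after a keyinit with count 99 is challenged for count 98; the server hashes the supplied response once and compares it with the stored OTP(99), then replaces the stored value with the response and decrements. The same response presented a second time fails because the stored value has moved on, which is why the sniffed "phrase #94" in Brad's message is useless to the attacker.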

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?85adt3uwxn.fsf>