Date: Sat, 25 Sep 1999 13:33:28 -0700
From: Dean <dean@thegrid.net>
To: freebsd-security@freebsd.org
Subject: Re: Secure gateway to intranet
Message-ID: <4.1.19990925131428.0098f200@mail.thegrid.net>
In-Reply-To: <199909251858.OAA39078@cc942873-a.ewndsr1.nj.home.com>
References: <4.1.19990923205643.0095ce70@mail.thegrid.net>
At 02:58 PM 9/25/99 -0400, you wrote:
>The Mad Scientist wrote,
>> All,
>> I am looking for a secure way to log into a machine on an intranet.
>> Here's what I have in mind.
>> A user ssh-es to a machine on the border network. Her shell is a
>> script/program that asks for a name of an internal machine, then ssh-es to
>> that machine after an authentication. This way, I could only open the
>> border and internal routers up to that machine and a proxy server and I
>> could have a log of who goes where.
>
>All seems quite reasonable.
>
>> I'd also like to be able to set up
>> some kind of acl in the proggie/script that dictates which users can go to
>> which machines.
>
>Hmmm... Is there a reason not to just let ssh take care of this for
>you? That is, have the hosts on the other end only accept certain
>users?

I'd like to have a "landing pad" for centralization of logging and security.
I also would like to be able to let users come from anywhere on the
Internet, so setting up an allowed list would be a big pain. ^_^ The other
machines on my public net and intranet would only allow logins (ssh) from
the landing pad.

>> For authentication, a username/pass will do for now, but
>> later I'd like to expand it to some kind of one time card. Some kind of
>> transparent secure file transfer would also be great.
>
>Why not use the ssh-agent forwarding to do this?

Because I'm not familiar enough with ssh, yet. But I will be.

>> Now, here's what I am interested in knowing. What would be a simple and
>> secure way to implement this. (I was thinking of perl) What sort of
>> things should I be wary of when setting this up? Is this even
>> advisable?
>
>It would not be too difficult to implement this. Perl? Heck, I'd just
>use a shell script. There really are not enough details to know what
>you should be wary of: How many users? Does each have an account on
>the gateway (or do you want them to use some common access account)?
>Are the users "trusted" (if they are, heck, give 'em a shell to type
>in the 'ssh internal-host' on their own)? If not, just how closely do
>you need to watch these people?

I'd like to have any number of untrusted users. Ideally, I'd give everyone
a one-time pad and have them log in to the landing pad with that. There
would be further authentication depending on which host they wanted to log
into from the landing pad. I want to be able to watch my users very
closely. (But maintain a balance between users' anonymity and logging their
activity, but that's for another mail to freebsd-philosophy.)

>Is it advisable? Well, if the internal network is NATed, this is
>advisable since it is about the only way to get in there. If it is
>not NATed, this may be more work (and uses some more resources) than
>just poking some holes in a firewall to let these people in to certain
>machines. But still, if these people do not have fixed IPs, then the
>firewall might need to be opened a bit wider than you are comfortable
>with to let them in.
>--
>Crist J. Clark                           cjclark@home.com

-------------------------------------------------------------------------------
Staccato signals of constant information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19990925131428.0098f200>
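The "landing pad" shell the thread talks about (a login shell that asks for an internal host, checks an ACL, logs who went where, and then ssh-es onward), written out as an added example. This is not code from the thread or from any of its posters. Everything concrete here is assumed: the install path /usr/local/bin/landing-shell, the ACL file format (one "user host" pair per line, '#' comments, deny by default), the sample user and host names, and the syslog tags. The one-time-password login and the "further authentication" per host are left to sshd/login on each end and are not shown.

```shell
#!/bin/sh
# landing-shell: restricted login shell for the landing-pad host.
# Added example, not code from the thread. Assumed install path:
# /usr/local/bin/landing-shell, set as each user's login shell on the
# landing pad. ACL format (assumed): one "user host" pair per line,
# '#' comments allowed, deny by default.

ACL_FILE="${ACL_FILE:-/usr/local/etc/landing.acl}"

# write_sample_acl FILE: constructed sample ACL so the example runs offline.
# The users and hosts below are made up.
write_sample_acl() {
    cat > "$1" <<'EOF'
# user   internal host
alice    db1.corp.example
alice    www1.corp.example
bob      www1.corp.example
EOF
}

# validate_hostname NAME: accept only a conservative hostname charset.
# A leading '-' would let the user hand ssh an option (e.g. -oProxyCommand)
# and run commands on the landing pad itself; shell metacharacters, spaces
# and empty input are refused outright.
validate_hostname() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# acl_allows USER HOST ACLFILE: succeed only if ACLFILE contains the exact
# pair "USER HOST". A missing or unreadable ACL means nobody is allowed.
acl_allows() {
    _user=$1
    _host=$2
    _file=$3
    [ -r "$_file" ] || return 1
    while read -r u h rest; do
        case "$u" in '' | '#'*) continue ;; esac
        if [ "$u" = "$_user" ] && [ "$h" = "$_host" ]; then
            return 0
        fi
    done < "$_file"
    return 1
}

# main: prompt for the target, check it, log the decision, and replace this
# shell with ssh so the user never holds a general shell on the landing pad.
main() {
    me=$(id -un)
    client=${SSH_CLIENT:-unknown}
    client=${client%% *}
    printf 'Internal host: '
    IFS= read -r target || exit 1
    if ! validate_hostname "$target"; then
        logger -t landing-shell -p auth.warning \
            "user=$me from=$client rejected malformed target"
        echo "bad host name" >&2
        exit 1
    fi
    if ! acl_allows "$me" "$target" "$ACL_FILE"; then
        logger -t landing-shell -p auth.warning \
            "user=$me from=$client denied host=$target"
        echo "access denied" >&2
        exit 1
    fi
    logger -t landing-shell -p auth.info "user=$me from=$client to=$target"
    # '--' ends option parsing; the internal host still authenticates the user.
    exec ssh -- "$target"
}

# Run interactively only when installed under the assumed name (a login
# shell sees "-landing-shell" as $0); otherwise just define the functions.
case "$0" in
    *landing-shell) main "$@" ;;
esac
```

Two things the script cannot do on its own. First, the ACL only governs what this shell execs; it is only meaningful if the internal hosts refuse ssh logins from anywhere but the landing pad, as the poster intends. Second, the landing pad's sshd must have `AllowTcpForwarding no` (and no X11 forwarding), otherwise a user never needs the shell at all and can port-forward straight through the landing pad to any internal host, leaving no "who goes where" entry in the log.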