Re: Safe SSH logins from public, untrusted Windows computers
From: Brad Jones (brad@kazrak.com)
Date: 03/19/02
Date: Tue, 19 Mar 2002 13:14:08 -0700 From: Brad Jones <brad@kazrak.com> To: Chris Johnson <cjohnson@palomine.net>
On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> This isn't exactly FreeBSD-security-related, but it's certainly
> security-related, and I think it's likely to be of interest to many of the list
> members.
>
> I spend a lot of time in hotels, and most of them have Internet centers with
> Windows computers for the use of hotel guests. It's easy enough to download a
> copy of PuTTY and hide it in the Windows directory so that I can make SSH
> logins to my various remote servers.
>
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> thought I might stick a DSA key, encrypted with a passphrase used only for that
> particular key, on a floppy disk, and use that to log in. Without the floppy
> disk, the passphrase, if sniffed or recorded, would be useless.
>
> Question: if I plan on doing any work as root, would I be better off setting
> PermitRootLogin to without-password and logging in directly as root, instead of
> following the common practice of logging in as a regular user and then su-ing?
> su-ing would require that I type the password, and that's what I'm trying to
> avoid.
>
> Does anyone have any comments, or does anyone have a better idea?

S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
a bit of planning ahead), and lets you avoid reusable passwords.

Set it up for your account, and set up 'sudo' so you can get to a root shell
without typing a reusable password. Then print up 20-30 responses (or
however many you think you'll need) and go...you enter the one-time password
at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
information. (Sure, they got phrase #94...but that one's been used, and
won't work anymore.)

Recommended man pages: 'keyinit' will get you started, 'key' lets you
create a file of keys that you can print and take with you. (If you have
a palmtop, most of them have key-generation programs you can use instead.)
'skey' gives an overview.

Don't leave home without it.

BJ
-- Brad Jones -- brad@kazrak.com
"The line between good and evil, hope and despair, does not divide the
world between 'us' and 'them'. It runs down the middle of each one of us."
 -- Robert Fulghum
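
The hash-chain idea behind S/Key that makes a sniffed response such as "phrase #94" worthless once used, shown as an added example that is not part of the original message or of FreeBSD's code. It is simplified: SHA-256 and raw bytes stand in for S/Key's own hash and six-word encoding, and the secret, seed, `Server` class and function names are constructed for illustration.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One application of the one-way function (SHA-256 here, an assumption)."""
    return hashlib.sha256(value).digest()

def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    """One-time password number `count`: step() applied `count` times."""
    value = seed + secret
    for _ in range(count):
        value = step(value)
    return value

def printed_list(secret: bytes, seed: bytes, first: int, how_many: int) -> dict:
    """The responses to print and carry, highest sequence number first."""
    return {n: chain(secret, seed, n) for n in range(first, first - how_many, -1)}

class Server:
    """Stores only the last accepted response and its number, never the secret."""
    def __init__(self, initial_otp: bytes, sequence: int):
        self.stored = initial_otp
        self.sequence = sequence

    def challenge(self) -> int:
        return self.sequence - 1  # the response number the server asks for next

    def login(self, otp: bytes) -> bool:
        if self.sequence <= 1:
            return False  # chain used up; the account must be re-initialised
        if not hmac.compare_digest(step(otp), self.stored):
            return False  # hashing the response once must give the stored value
        self.stored = otp  # the accepted response becomes the new reference
        self.sequence -= 1
        return True

def demo() -> list:
    secret, seed = b"constructed example passphrase", b"ex12345"  # constructed values
    server = Server(chain(secret, seed, 95), 95)   # state after initialisation
    otps = printed_list(secret, seed, 94, 3)       # responses 94, 93, 92 on paper
    return [
        server.challenge(),        # 94
        server.login(otps[94]),    # typed at the untrusted machine: accepted
        server.login(otps[94]),    # sniffer replays the same response: rejected
        server.login(otps[92]),    # out-of-order response: rejected
        server.login(otps[93]),    # next response on the list: accepted
    ]

if __name__ == "__main__":
    print(demo())
```

A captured response only lets an observer compute responses that were already used (higher numbers); deriving the next one would require inverting the hash.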