Re: Anti-keylogger for SSH?

From: David Magda (dmagda+netgroups_at_ee.ryerson.ca)
Date: 05/14/03 

Date: 14 May 2003 07:54:35 -0400

Simon Tatham <anakin@pobox.com> writes:
> Joe Harrison <joe.harrison@teamware.antisp4m.co.uk> wrote:
> > What I need is a safe way to be able to make an SSH connection
> > from an arbitrary computer, for example internet cafe or borrowed
> > PC.
>
> In general, this is not possible. You _have_ to trust the arbitrary
> computer not to have been subtly compromised in some way.

Even if the OP could trust the OS, there are keyloggers that attach
between the keyboard and the computer.

> > for some reason to be logging keystrokes. Note, it is just
> > authentication I am worried about; it would not be possible to
> > prevent the bad PC from recording my session traffic but I could
> > live with that.
>
> If you're only concerned about your authentication details being
> stolen, some sort of one-time password scheme is probably the way
> to go. You already mention one solution of this type and complain
> that it's too expensive; well, at least NetBSD supports S/Key
> one-time passwords using nothing but free software, so there are
[...]

I think the S/Key (aka One-Time Password (OTP)) system would be the
best way to go about this. If the OP has a PDA, there are programs
that can calculate the value as needed. An alternative would be to
keep a list of the next $n$ (where $n$ > 0) passwords in your wallet. 

-- 
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI