From: "Laurence Berland"
To: "Chris Johnson"
Subject: RE: Safe SSH logins from public, untrusted Windows computers
Date: Tue, 19 Mar 2002 13:50:10 -0600
In-Reply-To: <20020319144538.A42969@palomine.net>

> This isn't exactly FreeBSD-security-related, but it's certainly
> security-related, and I think it's likely to be of interest to many of the
> list members.
>
> I spend a lot of time in hotels, and most of them have Internet centers with
> Windows computers for the use of hotel guests. It's easy enough to download a
> copy of PuTTY and hide it in the Windows directory so that I can make SSH
> logins to my various remote servers.
>
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> thought I might stick a DSA key, encrypted with a passphrase used only for
> that particular key, on a floppy disk, and use that to log in. Without the
> floppy disk, the passphrase, if sniffed or recorded, would be useless.
>
> Question: if I plan on doing any work as root, would I be better off setting
> PermitRootLogin to without-password and logging in directly as root, instead
> of following the common practice of logging in as a regular user and then
> su-ing? su-ing would require that I type the password, and that's what I'm
> trying to avoid.

sudo would avoid the password without leaving you open to people trying to
hack in as a known username (root).

My real suggestion would be skey. It's designed for precisely this sort of
situation I think. No disks, no trust mechanisms, just a simple password that
you write down on a card. The password is useless after use, so no problems
there...

> Does anyone have any comments, or does anyone have a better idea?
>
> Thanks.
>
> Chris Johnson
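
The use-once property behind the skey suggestion above, as an added example that is not part of the original message: a hash-chain one-time password check in the style S/Key is built on, showing that a password captured at the kiosk is rejected on replay. SHA-256, the seed, the passphrase and all function names are assumptions of this sketch; it does not reproduce S/Key's actual hash or word encoding.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One step of the chain. SHA-256 is an assumption of this sketch."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    """Apply h() `count` times to seed + secret."""
    value = seed + secret
    for _ in range(count):
        value = h(value)
    return value


class Server:
    """Stores only the last accepted value, never the secret itself."""

    def __init__(self, secret: bytes, seed: bytes, n: int):
        self.counter = n                      # next login presents chain(n - 1)
        self.stored = chain(secret, seed, n)

    def login(self, otp: bytes) -> bool:
        if self.counter <= 1:
            return False                      # chain used up; re-initialise
        if not hmac.compare_digest(h(otp), self.stored):
            return False                      # wrong or already-used password
        self.stored = otp                     # the accepted value is now spent
        self.counter -= 1
        return True


def print_card(secret: bytes, seed: bytes, n: int, how_many: int) -> list:
    """Passwords in the order they will be used (what goes on the card)."""
    return [chain(secret, seed, n - i) for i in range(1, how_many + 1)]


def demo():
    # Constructed sample values, not taken from the message.
    secret, seed, n = b"constructed passphrase", b"ho12345", 100
    server = Server(secret, seed, n)
    card = print_card(secret, seed, n, 3)     # prepared on a trusted machine
    first = server.login(card[0])             # typed at the untrusted kiosk
    replay = server.login(card[0])            # keylogger replays what it saw
    second = server.login(card[1])            # next card entry still works
    return first, replay, second
```

Each later password is the hash preimage of the one before it, so a recorded password lets an observer verify nothing further and log in nowhere; the card itself must be generated on a machine you trust.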