From owner-freebsd-security Tue Mar 19 12:16:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from ophiuchus.kazrak.com (ophiuchus.kazrak.com [204.152.186.166]) by hub.freebsd.org (Postfix) with ESMTP id 9EF3137B43D for ; Tue, 19 Mar 2002 12:14:08 -0800 (PST) Received: by ophiuchus.kazrak.com (Postfix, from userid 1001) id 56B463478; Tue, 19 Mar 2002 12:14:08 -0800 (PST) Date: Tue, 19 Mar 2002 13:14:08 -0700 From: Brad Jones To: Chris Johnson Cc: security@freebsd.org Subject: Re: Safe SSH logins from public, untrusted Windows computers Message-ID: <20020319131408.C324@ophiuchus.kazrak.com> References: <20020319144538.A42969@palomine.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020319144538.A42969@palomine.net>; from cjohnson@palomine.net on Tue, Mar 19, 2002 at 02:45:38PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote: > This isn't exactly FreeBSD-security-related, but it's certainly > security-related, and I think it's likely to be of interest to many of the list > members. > > I spend a lot of time in hotels, and most of them have Internet centers with > Windows computers for the use of hotel guests. It's easy enough to download a > copy of PuTTY and hide it in the Windows directory so that I can make SSH > logins to my various remote servers. > > I worry, however, about trojans and keyboard sniffers and what-have-you > monitoring my keystrokes, so I don't feel particularly safe doing this. So I > thought I might stick a DSA key, encrypted with a passphrase used only for that > particular key, on a floppy disk, and use that to log in. Without the floppy > disk, the passphrase, if sniffed or recorded, would be useless. > > Question: if I plan on doing any work as root, would I be better off setting > PermitRootLogin to without-password and logging in directly as root, instead of > following the common practive of logging in as a regular user and then su-ing? > su-ing would require that I type the password, and that's what I'm trying to > avoid. > > Does anyone have any comments, or does anyone have a better idea? S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just a bit of planning ahead), and lets you avoid reusable passwords. Set it up for your account, and set up 'sudo' so you can get to a root shell without typing a reusable password. Then print up 20-30 responses (or however many you think you'll need) and go...you enter the one-time password at the appropriate SSH prompt, and a keystroke sniffer never gets any useful information. (Sure, they got phrase #94...but that one's been used, and won't work anymore.) Recommended man pages: 'keyinit' will get you started, 'key' lets you create a file of keys that you can print and take with you. (If you have a palmtop, most of them have key-generation programs you can use instead.) 'skey' gives an overview. Don't leave home without it. BJ -- Brad Jones -- brad@kazrak.com "The line between good and evil, hope and despair, does not divide the world between 'us' and 'them'. It runs down the middle of each one of us." -- Robert Fulghum To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message