From owner-freebsd-security Tue Mar 19 17:52:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 04C4D37B404 for ; Tue, 19 Mar 2002 17:52:13 -0800 (PST) Received: (qmail 36331 invoked by uid 1000); 20 Mar 2002 01:52:06 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Mar 2002 01:52:06 -0000 Date: Tue, 19 Mar 2002 17:52:01 -0800 (PST) From: Jason Stone X-X-Sender: To: Chris Johnson Cc: Subject: Re: Safe SSH logins from public, untrusted Windows computers In-Reply-To: <20020319144538.A42969@palomine.net> Message-ID: <20020319171807.O60767-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I spend a lot of time in hotels, and most of them have Internet > centers with Windows computers for the use of hotel guests. It's easy > enough to download a copy of PuTTY and hide it in the Windows > directory so that I can make SSH logins to my various remote servers. You don't have to do this - you can use the appgate mindterm java ssh client: http://support.appgate.com/mindterm/demo/index.php > I worry, however, about trojans and keyboard sniffers and what-have-you > monitoring my keystrokes, so I don't feel particularly safe doing this. As well you should not. Machines installed in places like these have are often very poorly maintained and are very vulnerable to both local attacks from the console and to worms/etc from the net. A solution that I've found to be somewhat viable in these cases is to carry rescue media on you and boot that. Usually machines in cyber-cafes use ethernet and dhcp, and so you can surreptitiously boot a picobsd floppy, grab dhcp, and ssh out - when you're done, reboot back into windows and go home. You're still vulnerable in this case to hardware keyboard sniffers, but that's probablly not a real worry for most people (though if you like to be paranoid, tinfoil-hat linux has some cool support for you: http://tinfoilhat.shmoo.com/). The ultimate evolution of this is something like the linuxcare bootable businesscard (http://lbt.linuxcare.com) - a full-on linux install with X, mozilla, ssh, etc, on a business-card sized CD which you can carry in your wallet. If anyone is interested in doing something like this for FreeBSD, contact me - I'm very interested in getting a project like this going. Finally, if you don't want to carry an extra card in your wallet, you don't feel good about surreptitiously rebooting machines, or the machines in your hotel/cybercafe are too hard to use without windows (weird network drivers, bios locked and configured to not boot external media, etc), at least use opie/skey one-time passwords. You just run opiepasswd on yourself on the server, make sure you're running a recent openssh, and then either print out ten or twenty opiekeys (to a local printer!) with /usr/ports/security/keyprint, or get a palm pilot and one of the many free opie calculators for it. If you use opie, you're still vulnerable to an active attack (the controller of the windows box waits until you've logged in, and then ceases the connection, installs a backdoor, etc), but you'll probablly be pretty resistant to normal keyboard sniffing and trojan clients. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE8l+tGswXMWWtptckRApRsAKDOpDlQNIwGfl0le9ep6xLpYSegjQCdEZWy eSdLduhn6uWVEE6HcNfTC4U= =PYOU -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message