From owner-freebsd-isp Thu Jan 17 23:34:13 2002
Date: Fri, 18 Jan 2002 09:39:28 +0200
From: Barry Irwin
To: Mike Dresser
Cc: Jim Flowers, Andrew Houghton, freebsd-isp@FreeBSD.ORG
Subject: Re: How to secure telnet?
Message-ID: <20020118093928.Y32746@itouchlabs.com>
References: <200201171849.g0HInAV01755@lily.ezo.net>
In-Reply-To: ; from mdresser_b@windsormachine.com on Thu, Jan 17, 2002 at 02:07:02PM -0500

On Thu 2002-01-17 (14:07), Mike Dresser wrote:
>
> One problem is if you're using telnet and then ssh, and type your
> passphrase or password in, if someone is sniffing the line at this point
> they now have access to the shell server using your account.
>
> Additionally, I haven't seen anyone touch on the fact the machine the user
> connects from may be compromised already, giving an attacker your
> passwords/passphrases/email to your loved ones from a keylogger or
> similar.
To go to the paranoid side... SSH keys, although this requires the user carrying a disk around; not all cyber cafes or net access consoles allow you to stick disks in.

How about using S/Key? Can either use a Java OTP calculator, or get the user a hardware token.

I think in the end you need to weigh up the risks between providing access, and what your risk of being hacked is.

Barry
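The S/Key scheme Barry suggests is a Lamport hash chain (RFC 2289): the client answers challenge N-1 with a value the server checks by hashing it once and comparing with stored step N, so a response sniffed off a telnet session is useless once it has been used. The following is an added illustration written for this archive page, not code from the thread or from the FreeBSD skey(1) tool; it uses RFC 2289's MD5 XOR fold but skips the six-word and hex display conventions, and the SKeyServer class and demo() function are assumed names for this example only.

```python
import hashlib


def _fold_md5(data: bytes) -> bytes:
    # RFC 2289 MD5 step: hash, then fold the 128-bit digest to 64 bits by
    # XORing its two halves. Byte-order/display conventions are not reproduced.
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password number n: fold(seed||passphrase), hashed n more times."""
    s = _fold_md5((seed.lower() + passphrase).encode())  # seeds are case-insensitive
    for _ in range(n):
        s = _fold_md5(s)
    return s


class SKeyServer:
    """Server side (assumed name): stores seed, sequence number and the last
    accepted OTP only. The passphrase never reaches the server."""

    def __init__(self, seed: str, n: int, initial_otp: bytes):
        self.seed, self.count, self.last = seed, n, initial_otp  # step n, set at enrolment

    def challenge(self) -> str:
        return f"otp-md5 {self.count - 1} {self.seed}"  # ask for the next lower step

    def verify(self, response: bytes) -> bool:
        # Hashing the client's step N-1 once must reproduce stored step N.
        if self.count <= 0 or _fold_md5(response) != self.last:
            return False
        self.count -= 1
        self.last = response  # advance the chain; the used value can never be replayed
        return True


def demo(passphrase: str = "This is a test.", seed: str = "TeSt", n: int = 100):
    # Constructed scenario: enrol at step 100, log in once, replay the sniffed
    # response, then log in with the correct next step.
    server = SKeyServer(seed, n, skey_otp(passphrase, seed, n))
    count = int(server.challenge().split()[1])
    first = server.verify(skey_otp(passphrase, seed, count))      # legitimate login
    replayed = server.verify(skey_otp(passphrase, seed, count))   # sniffed value reused
    second = server.verify(skey_otp(passphrase, seed, count - 1)) # next step, unknown to a sniffer
    return first, replayed, second
```

demo() returns (True, False, True): the captured response fails because inverting the fold to obtain the next lower step is a preimage problem, which is the whole point against a line sniffer (though not, as Mike notes, against a keylogger on the client that captures the passphrase itself).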