From: Andrew Heybey
To: Chris Johnson
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Date: 20 Mar 2002 09:37:56 -0500
Message-ID: <85adt3uwxn.fsf@stiegl.niksun.com>
In-Reply-To: <20020319152125.F43336@palomine.net>
References: <20020319144538.A42969@palomine.net> <20020319131408.C324@ophiuchus.kazrak.com> <20020319152125.F43336@palomine.net>

> On Tue, Mar 19, 2002 at 01:14:08PM -0700, Brad Jones wrote:
> > On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > > I spend a lot of time in hotels, and most of them have Internet centers with
> > > Windows computers for the use of hotel guests. It's easy enough to download a
> > > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > > logins to my various remote servers.
> >
> > S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
> > a bit of planning ahead), and lets you avoid reusable passwords.
> >
> > Set it up for your account, and set up 'sudo' so you can get to a root shell
> > without typing a reusable password. Then print up 20-30 responses (or
> > however many you think you'll need) and go...you enter the one-time password
> > at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> > information. (Sure, they got phrase #94...but that one's been used, and
> > won't work anymore.)
> >
> > Recommended man pages: 'keyinit' will get you started, 'key' lets you
> > create a file of keys that you can print and take with you. (If you have
> > a palmtop, most of them have key-generation programs you can use instead.)
> > 'skey' gives an overview.
>
> Thanks very much for this; it seems to be just the ticket. I didn't know
> anything about S/Key, other than it's the thing I recently turned off in my
> sshd_config file because sshd was prompting me for things to which I didn't
> know the answer.

I had thought about doing this (setting up ssh access with s/key, that is),
using one of the java applets (mindterm, or maybe http://www.mud.de/se/jta/).
This eliminates having to install putty on whatever computer you are using:
it just requires a java-capable browser. Put the applet on a web server on my
computer, then run it from wherever I am.

Has anyone had any success (or problems) with any of the available ssh applets?

The only problem is until 4.5 I don't think you can allow s/key while
prohibiting regular passwords.

Are there any security pitfalls to doing this? You are susceptible to
man-in-the-middle attacks but that is pretty much a given if you do not have
the host's public key with you...

andrew
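A small working model of the S/Key scheme Brad describes, added here as an example (it is not code from the thread or from FreeBSD's skey(1)): the client derives response number N by hashing seed+passphrase and applying the hash-and-fold step N times, while the server stores only the next value up the chain, so a response captured by a keystroke sniffer is useless once it has been accepted. The hash defaults to MD5 (the RFC 2289 variant) because FreeBSD's S/Key of the time used MD4, which current hashlib builds often do not provide; seed and passphrase are constructed sample values.

```python
import hashlib

def fold(digest: bytes) -> bytes:
    """Collapse a 16-byte digest to 64 bits by XORing its two halves (RFC 1760/2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def f(x: bytes, algo: str = "md5") -> bytes:
    """One step of the chain: hash, then fold. Every S/Key value is built from this."""
    return fold(hashlib.new(algo, x).digest())

def otp(seed: str, passphrase: str, n: int, algo: str = "md5") -> bytes:
    """Client side: response number n is f applied n times to hash(seed + passphrase)."""
    key = f((seed + passphrase).encode(), algo)
    for _ in range(n):
        key = f(key, algo)
    return key

def response_list(seed: str, passphrase: str, start: int, count: int, algo: str = "md5") -> dict:
    """The printable list from the thread: responses for start, start-1, ..., used highest first."""
    return {n: otp(seed, passphrase, n, algo).hex() for n in range(start, start - count, -1)}

class SkeyVerifier:
    """Server side. Stores only f^(n+1); never the passphrase or the next usable response."""

    def __init__(self, seed: str, passphrase: str, n: int = 99, algo: str = "md5"):
        self.seed, self.n, self.algo = seed, n, algo
        self.stored = otp(seed, passphrase, n + 1, algo)   # what keyinit would record

    def challenge(self) -> str:
        return f"otp-{self.algo} {self.n} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept iff f(response) equals the stored value, then step the chain down by one."""
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or f(resp, self.algo) != self.stored:
            return False
        self.stored = resp      # the accepted response becomes the new stored value,
        self.n -= 1             # so replaying it now fails: f(resp) != resp
        return True

if __name__ == "__main__":
    seed, pw = "st12345", "correct horse"          # constructed sample values
    server = SkeyVerifier(seed, pw, n=99)
    for n, r in response_list(seed, pw, 99, 3).items():
        print(server.challenge(), "->", r, "accepted" if server.verify(r) else "rejected")
```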