From: "f.johan.beisser"
To: Andrew Heybey
Cc: Chris Johnson
Date: Wed, 20 Mar 2002 15:46:16 -0800 (PST)
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <85adt3uwxn.fsf@stiegl.niksun.com>
Message-ID: <20020320153914.W152-100000@pogo.caustic.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On 20 Mar 2002, Andrew Heybey wrote:

> I had thought about doing this (setting up ssh access with s/key, that
> is), using one of the java applets (mindterm, or maybe
> http://www.mud.de/se/jta/). This eliminates having to install putty
> on whatever computer you are using: it just requires a java-capable
> browser. Put the applet on a web server on my computer, then run it
> from wherever I am. Has anyone had any success (or problems) with
> any of the available ssh applets?

i've had some success with all of them. mindterm in particular.

while in Tokyo recently, i hit up various cybercafes and places with good
network connectivity, and used a couple different java ssh clients with
s/key. i have to say it worked very well, just about everywhere.

in several cases java could be executed, but you could not download
anything to the temp dirs that ended in .exe, or was directly executable..
but the applet would download and work fairly consistently.

> Are there any security pitfalls to doing this? You are susceptible to
> man-in-the-middle attacks but that is pretty much a given if you do
> not have the host's public key with you...

the man in the middle attack can happen between you and the keyboard, for
that matter, between you and the network layer on any given machine. it's
just difficult. at some point, you have to stop being paranoid, and trust
the machine and the environment. s/key and the like can only get you so
far.

when travelling, my solution has been to use S/Key to get to a gateway
machine, and have private keys with passphrases to get from that machine
to other locations inside (or outside) that network. while this isn't
100%, it's better than nothing.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan@caustic.org
    "John Ashcroft is really just the reanimated corpse
         of J. Edgar Hoover." -- Tim Triche