Date: Sat, 25 Sep 1999 14:13:08 -0700
From: The Mad Scientist <madscientist@thegrid.net>
To: freebsd-security@freebsd.org
Subject: Re: Secure gateway to intranet
Message-ID: <4.1.19990925140503.009625c0@mail.thegrid.net>
At 02:58 PM 9/25/99 -0400, you wrote:
>The Mad Scientist wrote,
>> All,
>> I am looking for a secure way to log into a machine on an intranet.
>> Here's what I have in mind.
>> A user ssh-es to a machine on the border network. Her shell is a
>> script/program that asks for a name of an internal machine, then ssh-es to
>> that machine after an authentication. This way, I could only open the
>> border and internal routers up to that machine and a proxy server and I
>> could have a log of who goes where.
>
>All seems quite reasonable.
>
>> I'd also like to be able to set up
>> some kind of acl in the proggie/script that dictates which users can go to
>> which machines.
>
>Hmmm... Is there a reason not to just let ssh take care of this for
>you? That is, have the hosts on the other end only accept certain
>users?

I'd like to have a "landing pad" for centralization of logging and security.
I also would like to be able to let users come from anywhere on the Internet,
so setting up an allowed list would be a big pain. ^_^ The other machines on
my public net and intranet would only allow logins (ssh) from the landing pad.
(Intranet isn't the word for it. More like a private net or secure net.)

>> For authentication, a username/pass will do for now, but
>> later I'd like to expand it to some kind of one time card. Some kind of
>> transparent secure file transfer would also be great.
>
>Why not use the ssh-agent forwarding to do this?

Because I'm not familiar enough with ssh, yet. But I will be.

>> Now, here's what I am interested in knowing. What would be a simple and
>> secure way to implement this. (I was thinking of perl) What sort of
>> things should I be wary of when setting this up? Is this even
>> advisable?
>
>It would not be too difficult to implement this. Perl? Heck, I'd just
>use a shell script. There really are not enough details to know what
>you should be wary of: How many users? Does each have an account on
>the gateway (or do you want them to use some common access account)?
>Are the users "trusted" (if they are, heck, give 'em a shell to type
>in the 'ssh internal-host' on their own)? If not, just how closely do
>you need to watch these people?

I'd like to have any number of untrusted users. Ideally, I'd give everyone a
one-time-pad and have them log in to the landing pad with that. There would be
further authentication depending on which host they wanted to log into from the
landing pad. I want to be able to watch my users very closely. (But maintain a
balance between users' anonymity and logging their activity, but that's for
another mail to freebsd-philosophy.)

>Is it advisable? Well, if the internal network is NATed, this is
>advisable since it is about the only way to get in there. If it is
>not NATed, this may be more work (and uses some more resources) than
>just poking some holes in a firewall to let these people in to certain
>machines. But still, if these people do not have fixed IPs, then the
>firewall might need to be opened a bit wider than you are comfortable
>with to let them in.

NATing the internal net would add another layer of security, so I will probably
be doing just that.

I guess what it boils down to is this: I would like to give any number of
untrusted users access to a limited number of machines and a small number of
operations on those machines. Sort of like a very restrictive shell server.
One of the things I'd like to allow is file transfer between my users' machines
and a server on the private net without having to require the users to set up
any kind of special servers/software on their own machines. My admins will also
be using the landing pad to log into the public-net servers (mail, www, proxy,
etc.) to take care of them.

>--
>Crist J. Clark cjclark@home.com
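As an added example (not code from the original thread or from either poster), here is one way to build the "landing pad" shell sketched above as a plain sh script, along the lines Crist suggested: it is installed as the user's login shell on the gateway, prompts for the name of an internal machine, checks a simple ACL file of "user host" rules (a host of "*" means any host), appends one line per attempt to a log so there is a record of who went where, and then replaces itself with ssh to the chosen host, which does its own authentication. The file locations, the ACL format and all function and variable names are assumptions made for the example.

```shell
#!/bin/sh
# Restricted login shell for a bastion ("landing pad") host.  Added example;
# the ACL format, file locations and names below are assumptions, not anything
# from the original thread.
#   ACL file: one rule per line, "user host"; a host of "*" allows any host.
#   Log file: one line appended per hop attempt (allow, deny or reject).

ACL_FILE="${LANDING_PAD_ACL:-/usr/local/etc/landing-pad.acl}"
LOG_FILE="${LANDING_PAD_LOG:-/var/log/landing-pad.log}"

# valid_hostname NAME: accept only a conservative hostname charset, so the
# target can never reach ssh as an option such as "-oProxyCommand=...".
valid_hostname() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# acl_allows USER HOST: 0 if a rule in ACL_FILE matches, 1 otherwise.
# Blank lines and lines starting with "#" are ignored.
acl_allows() {
  acl_user_wanted="$1"; acl_host_wanted="$2"
  [ -r "$ACL_FILE" ] || return 1
  while read -r acl_user acl_host acl_rest; do
    case "$acl_user" in ''|'#'*) continue ;; esac
    [ "$acl_user" = "$acl_user_wanted" ] || continue
    if [ "$acl_host" = "$acl_host_wanted" ] || [ "$acl_host" = '*' ]; then
      return 0
    fi
  done < "$ACL_FILE"
  return 1
}

# log_hop RESULT USER HOST: one timestamped line per attempt, so "who went
# where" can be reconstructed later from the gateway alone.
log_hop() {
  from="${SSH_CLIENT:-unknown}"; from="${from%% *}"   # client address only
  printf '%s %s user=%s from=%s target=%s\n' \
    "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$2" "$from" "$3" >> "$LOG_FILE"
}

# landing_pad_main: prompt for a target, enforce the ACL, log, then replace
# this process with ssh so no interactive shell is left behind on the gateway.
landing_pad_main() {
  me="${USER:-$(id -un)}"
  # sshd runs the login shell as "shell -c cmd" for "ssh gateway cmd" and for
  # scp; this shell only offers the interactive hop, so refuse that outright.
  if [ "${1:-}" = "-c" ]; then
    log_hop REJECT-COMMAND "$me" "${2:-}"
    echo "non-interactive commands are not permitted on this host" >&2
    exit 1
  fi
  printf 'Internal host: '
  IFS= read -r target || exit 1
  if ! valid_hostname "$target"; then
    log_hop REJECT-NAME "$me" "$target"
    echo "bad host name" >&2
    exit 1
  fi
  if ! acl_allows "$me" "$target"; then
    log_hop DENY "$me" "$target"
    echo "you are not permitted to reach $target" >&2
    exit 1
  fi
  log_hop ALLOW "$me" "$target"
  # The internal host does its own authentication.  Disable the escape
  # character and all forwarding so the user cannot turn this hop into a tunnel.
  exec ssh -e none -o ClearAllForwardings=yes -o ForwardAgent=no \
           -o StrictHostKeyChecking=yes "$target"
}

# A login shell is started with argv[0] prefixed by "-" (e.g. "-landing-pad");
# only then run the hop, so the file can also be sourced for testing.
case "$0" in
  -*) landing_pad_main "$@" ;;
esac
```

Two things the script cannot do on its own. The gateway's sshd must refuse port and agent forwarding for these users (AllowTcpForwarding no, and no agent forwarding), otherwise a user can ssh -L straight through the landing pad to any internal host and bypass both the ACL and the log. And the gateway's known_hosts must already contain the internal hosts' keys, since StrictHostKeyChecking=yes will otherwise refuse the hop rather than let the user accept an unknown key.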