From owner-freebsd-security Tue Mar 19 11:45:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from shemp.palomine.net (shemp.palomine.net [216.135.64.135]) by hub.freebsd.org (Postfix) with SMTP id 7D39737B404 for ; Tue, 19 Mar 2002 11:45:39 -0800 (PST) Received: (qmail 43334 invoked by uid 1000); 19 Mar 2002 19:45:38 -0000 Date: Tue, 19 Mar 2002 14:45:38 -0500 From: Chris Johnson To: security@freebsd.org Subject: Safe SSH logins from public, untrusted Windows computers Message-ID: <20020319144538.A42969@palomine.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="17pEHd4RhPHOinZp" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --17pEHd4RhPHOinZp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This isn't exactly FreeBSD-security-related, but it's certainly security-related, and I think it's likely to be of interest to many of the list members. I spend a lot of time in hotels, and most of them have Internet centers with Windows computers for the use of hotel guests. It's easy enough to download a copy of PuTTY and hide it in the Windows directory so that I can make SSH logins to my various remote servers. I worry, however, about trojans and keyboard sniffers and what-have-you monitoring my keystrokes, so I don't feel particularly safe doing this. So I thought I might stick a DSA key, encrypted with a passphrase used only for that particular key, on a floppy disk, and use that to log in. Without the floppy disk, the passphrase, if sniffed or recorded, would be useless. Question: if I plan on doing any work as root, would I be better off setting PermitRootLogin to without-password and logging in directly as root, instead of following the common practive of logging in as a regular user and then su-ing? su-ing would require that I type the password, and that's what I'm trying to avoid. Does anyone have any comments, or does anyone have a better idea? Thanks. Chris Johnson --17pEHd4RhPHOinZp Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8l5VhyeUEMvtGLWERAjtiAKDFS46unMYQMsXtaFKmvqH6AhAMNACeJEi/ BbyiXKX5+9DhPwJSugoIi0Q= =sIyu -----END PGP SIGNATURE----- --17pEHd4RhPHOinZp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message