Re: VPN/ssh and foreign travel

[Josh Drummond <jdrummon () UCI EDU>]

You can't replay RSA SecurID tokencodes either, even within the "1
minute" window.

Gary Dobbins wrote:
> If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, 
> you may wish to consider the following instead of permitting broad use of plaintext inbound:
>
> 1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
> 2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a 
> [re-]usable password.
> 3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.
>
> Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if 
> replayed promptly (the user must press the token's button again, to generate a new password if they need to reconnect).  
> RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords may be at risk of re-use 
> during their ~1-minute validity window.
>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
> > Sent: Wednesday, November 19, 2008 12:20 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] VPN/ssh and foreign travel
> >
> > We're trying to eliminate use of cleartext password transmission
> > for
> > access to university systems. One point of discussion involves
> > dealing
> > with US export controls. What I'd like to hear from you (sec@educ)
> > is
> > your thoughts on whether it's practical to require encrypted access
> > given the export issue?
> >
> > Thx
> >
> > Jeff