Re: VPN/ssh and foreign travel

[Gary Flynn <flynngn () JMU EDU>]

Gary Dobbins wrote:
> If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, 
> you may wish to consider the following instead of permitting broad use of plaintext inbound:
>
> 1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
> 2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a 
> [re-]usable password.
> 3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.
>
> Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if 
> replayed promptly (the user must press the token's button again, to generate a new password if they need to reconnect).  
> RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords may be at risk of re-use 
> during their ~1-minute validity window.

Another option is OPIE which is an open source software based
OTP system. We used it many years ago ( ~1997 ) but its still
around and usable AFAIK.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature