Educause Security Discussion mailing list archives
Re: VPN/ssh and foreign travel
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 19 Nov 2008 13:38:13 -0500
Gary Dobbins wrote:
If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, you may wish to consider the following instead of permitting broad use of plaintext inbound:

1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a [re-]usable password.
3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.

Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if replayed promptly (the user must press the token's button again to generate a new password if they need to reconnect). RSA's OTP may have incorporated that feature since my experience with it, but if not, its passwords may be at risk of re-use during their ~1-minute validity window.
Another option is OPIE, which is an open-source, software-based OTP system. We used it many years ago (~1997) but it's still around and usable AFAIK.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
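A minimal S/KEY-style hash-chain verifier, added here as an illustration of the mechanism behind OPIE and not OPIE's own code: it uses plain SHA-256 rather than RFC 2289's folded MD5/SHA-1 digests, and the passphrase, seed and sequence count are constructed sample values. It shows the property the thread cares about: the server stores only the last accepted hash, each login must present that hash's preimage, and a value sniffed off the telnet session is rejected when replayed.

```python
import hashlib
import hmac


def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Element n of an S/KEY-style chain: H^n(seed || passphrase).
    Simplified from RFC 2289 (which OPIE implements): plain SHA-256 instead
    of MD5/SHA-1 folded to 64 bits, and no six-word encoding."""
    x = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


class OtpVerifier:
    """Server side: keeps only the last accepted hash and its sequence number,
    never the passphrase, so a stolen OTP database yields no future passwords."""

    def __init__(self, passphrase: str, seed: str, n: int) -> None:
        self.seed, self.count = seed, n
        self.last = otp_chain(passphrase, seed, n)   # enrolment: store H^n

    def challenge(self) -> tuple[int, str]:
        # Sent in the clear over the telnet session; reveals no secret.
        return self.count - 1, self.seed

    def verify(self, presented: bytes) -> bool:
        # Accept only the preimage of the stored hash, then move down the chain,
        # so the same value can never be accepted twice.
        if self.count <= 0:
            return False                              # chain exhausted; re-enrol
        if hmac.compare_digest(hashlib.sha256(presented).digest(), self.last):
            self.last, self.count = presented, self.count - 1
            return True
        return False


def demo() -> dict:
    """One login, a replay of the intercepted value, then a fresh login."""
    passphrase, seed = "correct horse battery staple", "jm1234"  # constructed
    server = OtpVerifier(passphrase, seed, 100)
    count, seed_out = server.challenge()
    otp = otp_chain(passphrase, seed_out, count)      # client computes H^99
    first = server.verify(otp)                        # accepted
    replay = server.verify(otp)                       # sniffed and replayed: no
    count, seed_out = server.challenge()              # server now wants H^98
    second = server.verify(otp_chain(passphrase, seed_out, count))
    return {"first": first, "replay": replay, "second": second,
            "remaining": server.count}
```

Calling demo() returns first=True, replay=False, second=True with 98 passwords left on the chain; a fresh seed and count are needed once it runs out.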