Firewall Wizards mailing list archives

Re: creating MS terminal server proxy with authentication


From: chuck <chuck () yerkes com>
Date: Thu, 6 May 1999 10:25:25 -0700

I don't know if terminal servers support SSH or the like yet, but one
option might be a Real Computer with a gang of serial ports on it.
I've used that at some smaller setups (and 8-16 port serial cards are
quite a bit cheaper than TSs).  It's fine for console access or things
where you don't need huge throughput.  Not sure I'd use it for 16
modems connecting all the time at 56k.

Other choices are VPNs to the network, but that gets more involved
than I care to do on a list email (implications of trusting their
security, people telnetting from the Internet to one side of the VPN
and being ignorant in general, etc.).

If you have other reasons to use a TS, then make SURE you are using one
time passwords on everything.  I have a little DES challenge/response
device, S/Key works, and SecurID is adequate (and simple for most
people).  Ideally, and I'm not sure where Kerberos is on this, you
could use a OneTime password on the machine on the TS and get a
"ticket" so you don't have to type the password again.

But, as mentioned, cleartext passwords over the Internet are bad and
have been for a LONG LONG time. Robert Morris (the elder) wrote a fine
little paper on that in, what, 1985 or so?

chuck

Quoting Dippold, John (John.Dippold () fmr com):

      I would not advise clear text passwords over the net. Most implementations
      I have seen involve either encrypted sessions with certificates (or shared secrets
      or something) or they put the terminal server behind a host that has encryption (ssh)
      on a private network.

                              -jsd
-----Original Message-----
From:       Michael C. Ibarra [SMTP:ibarra () hawk com]
Sent:       Monday, May 03, 1999 9:12 PM
To: Geoff Nordli; Firewall-Wizards (E-mail)
Subject:    Re: creating MS terminal server proxy with authentication

At 08:32 AM 4/22/99 -0700, Geoff Nordli wrote:
I am using linux 2.0.36, squid, and ipfwadm as a firewall.
I am putting terminal server inside the firewall.
I want people to be able to come in from the Internet and access it.
I would also like them to be authenticated.
Anyone know of a possible solution?

thanks,
Geoff

    Don't know if you've solved this but most term servers will allow you to use
passwords on your ports, I know that the Annex supports this. Be advised that you
would be doing a non-encrypted connection though.

-mike

http://www.hawk.com

Hawk Technologies, Inc


