Home page logo

educause logo Educause Security Discussion mailing list archives

Re: VPN/ssh and foreign travel
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 19 Nov 2008 12:48:03 -0500

If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, 
you may wish to consider the following instead of permitting broad use of plaintext inbound:

1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a 
[re-]usable password.
3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.

Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not 
accepted even if replayed promptly (the user must press the token's button again, to generate a new password if they 
need to reconnect).  RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords 
may be at risk of re-use during their ~1-minute validity window.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
Sent: Wednesday, November 19, 2008 12:20 PM
Subject: [SECURITY] VPN/ssh and foreign travel

We're trying to eliminate use of cleartext password transmission
access to university systems. One point of discussion involves
with US export controls. What I'd like to hear from you (sec () educ)
your thoughts on whether it's practical to require encrypted access
given the export issue?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]