Home page logo

educause logo Educause Security Discussion mailing list archives

Re: VPN/ssh and foreign travel
From: Josh Drummond <jdrummon () UCI EDU>
Date: Wed, 19 Nov 2008 10:09:49 -0800

You can't replay RSA SecurID tokencodes either, even within the "1
minute" window.

Gary Dobbins wrote:
If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, 
you may wish to consider the following instead of permitting broad use of plaintext inbound:

1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a 
[re-]usable password.
3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.

Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if 
replayed promptly (the user must press the token's button again, to generate a new password if they need to reconnect).  
RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords may be at risk of re-use 
during their ~1-minute validity window.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
Sent: Wednesday, November 19, 2008 12:20 PM
Subject: [SECURITY] VPN/ssh and foreign travel

We're trying to eliminate use of cleartext password transmission
access to university systems. One point of discussion involves
with US export controls. What I'd like to hear from you (sec () educ)
your thoughts on whether it's practical to require encrypted access
given the export issue?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]