Educause Security Discussion
mailing list archives
Re: VPN/ssh and foreign travel
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 19 Nov 2008 13:38:13 -0500
Gary Dobbins wrote:
If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go,
you may wish to consider the following instead of permitting broad use of plaintext inbound:
1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a
3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.
Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if
replayed promptly (the user must press the token's button again, to generate a new password if they need to reconnect).
RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords may be at risk of re-use
during their ~1-minute validity window.
Another option is OPIE which is an open source software based
OTP system. We used it many years ago ( ~1997 ) but its still
around and usable AFAIK.
James Madison University
Description: S/MIME Cryptographic Signature