Home page logo

educause logo Educause Security Discussion mailing list archives

Re: VPN/ssh and foreign travel
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 19 Nov 2008 13:38:13 -0500

Gary Dobbins wrote:
If you end up finding that you must accept plaintext telnet inbound due to the countries in which your folks may go, 
you may wish to consider the following instead of permitting broad use of plaintext inbound:

1) setting up a bastion host that accepts telnet, and having them ssh from there to the real target host(s).
2) deploying a one-time password service (e.g. SafeWord, or SecurID) so that an intercepted session does not divulge a 
[re-]usable password.
3) configuring the bastion telnet daemon to accept only one inbound shell per UserID concurrently.

Of the two example OTP products above, I would favor SafeWord since its passwords are truly one-time and are not accepted even if 
replayed promptly (the user must press the token's button again, to generate a new password if they need to reconnect).  
RSA's OTP may have incorporated that feature since my experience with it, but if not its passwords may be at risk of re-use 
during their ~1-minute validity window.

Another option is OPIE which is an open source software based
OTP system. We used it many years ago ( ~1997 ) but its still
around and usable AFAIK.

Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]