[plug] security qn: auth from Windows clients to Linux server

dsbrown at cyllene.uwa.edu.au
Sat Jul 30 23:56:27 WST 2005


Dear PLUG list members,

A security question :-)   I want to avoid collateral damage from
inadvertently having keystroke loggers grab authentication details from a
compromised Windows machine, when used to remotely administer Linux
machines hosting sensitive data.

Background:
In my travels I remotely administer Linux servers and workstations.   In
some cases these Linux machines carry quite sensitive information.  
Security on those, per se, is not the problem.   SSH connections provide
the transport layer security I need, but I am concerned with the prospect
of keystroke loggers being planted on the Windows machines and reporting
my authentication details back to a malicious third party.

Possible solution:
EAP-TLS seems like a Good Thing (tm) here... mutual authentication of the
client and authentication server machines using certificates, before any
connection is made to the interesting data.   If I have the correct
handle on this, even if a Bad Guy (tm) got wind of my username and
password he could not make use of it without also knowing the details of
my certificates on the Windows machine(s) that I would use; thus it would
be a case of needing both "something I know" plus "something I have" to
breach security and begin impersonating me.

SecurID-style gadgets not possible - do I hear the word "budget" echoing
down the corridor?

Questions:
1.  Am I overly worried about nothing (= threat from keystroke loggers)?
2.  EAP-TLS is a reasonable plan?
3.  Something simpler to consider?
4.  Implementation... one Linux machine (which is NOT any of those
carrying sensitive data!) can do the EAP-TLS function?   Is this wise? 
If so, authenticate to that machine and open ssh connection to a
sensitive host, from it.   Sensitive hosts would only allow ssh from that
"authentication server."
5.  Weaknesses / holes in point 4, or anywhere else??

TIA,
Denis

