[plug] security qn: auth from Windows clients to Linux server
Craig Ringer
craig at postnewspapers.com.au
Sun Jul 31 18:08:42 WST 2005
On Sat, 2005-07-30 at 23:56 +0800, dsbrown at cyllene.uwa.edu.au wrote:
> Background:
> In my travels I remotely administer linux servers and workstations. In
> some cases these Linux machines carry quite sensitive information.
> Security on those, per se, is not the problem. SSH connections provide
> the transport layer security I need, but I am concerned with the prospect
> of keystroke loggers being planted on the Windows machines and reporting
> my authentication details back to a malicious third party.
I'd want to start by carrying around a USB key with a copy of PuTTY, and
MacSSH, plus SSH keys for the two. You then log in to the servers you
admin only by using those keys. It's not full protection, but it raises
the bar since the passphrase is of little use to an attacker unless
they've also swiped a copy of your keys. It also means you can disable a
given set of keys by tweaking authorized_keys. If you're feeling
paranoid you can even generate new keys and disable the old ones on a
regular basis.
I'd also preconfigure my username and the list of hosts I commonly use
in PuTTY. It's much harder to use a passphrase if you don't know what
it's for.
Frankly, it sounds much like the EAP-TLS... but it's probably
considerably easier to use while roaming around.
Depending on the users, it might also be possible to carry around a mini
CD and just boot into a trusted OS. It won't help you against hardware
key loggers, but spyware ones won't have a chance.
> 1. Am I overly worried about nothing (= threat from keystroke loggers)?
Probably, in that they'd have to identify that (a) you were using ssh,
(b) to a given host, and (c) that some given series of keystrokes was
your passphrase.
Most loggers, at least of the spyware flavour, are probably geared
toward website usernames/passwords, and nicking credit card numbers etc.
That said, a little paranoia isn't necessarily a bad idea when dealing
with untrusted computers.
--
Craig Ringer
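The key-management routine the reply describes (one key per roaming device, disable a compromised key by editing authorized_keys, rotate keys periodically, and make sure a keylogged password alone is not enough) is shown below as an added example. It is not code from the original post or from the PLUG list; all key material is constructed junk, and the file paths, function names and the sample sshd_config contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): keep one SSH key per roaming
# device in ~/.ssh/authorized_keys, identified by its comment field, so a
# single key can be revoked or rotated without disturbing the others.
# Key blobs below are constructed placeholders, not real public keys.

# Write a constructed authorized_keys file to $1 for the demonstration.
make_sample_authorized_keys() {
    cat > "$1" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_CONSTRUCTED_1 craig@usb-key-2005-07
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_CONSTRUCTED_2 craig@laptop
# blank lines and '#' comments are permitted in authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_CONSTRUCTED_3 craig@usb-key-2005-04
EOF
    chmod 600 "$1"
}

# Number of active key lines in $1 (ignores blanks and '#' comments).
count_keys() {
    awk '$1 !~ /^#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Exit 0 if a key whose comment (last field) equals $2 is present in $1.
# Simplification: comments containing spaces are not handled.
has_key() {
    awk -v c="$2" '$1 !~ /^#/ && NF > 0 && $NF == c { found = 1 }
                   END { exit !found }' "$1"
}

# Append the public-key line $2 to $1 unless an identical line exists.
# The line itself comes from ssh-keygen on the device that owns the key.
add_key() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Remove every key in $1 whose comment equals $2 (e.g. a key that lived
# on a USB stick you no longer trust). Rewrites atomically, keeps mode 600.
revoke_key() {
    tmp="$1.tmp.$$"
    awk -v c="$2" '!($1 !~ /^#/ && NF > 0 && $NF == c)' "$1" > "$tmp" \
        && mv "$tmp" "$1"
    chmod 600 "$1"
}

# Periodic rotation: install the new key $3 first, then drop the key with
# comment $2, so there is never a moment with no working key.
rotate_key() {
    add_key "$1" "$3"
    revoke_key "$1" "$2"
}

# Exit 0 when the sshd_config in $1 forbids password logins, so a captured
# account password on its own is useless. Only the first uncommented
# PasswordAuthentication directive counts, as sshd itself applies the first
# match; Match blocks are not handled by this simplified check.
password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" \
        | grep -qx no
}

# Stand-alone walk-through using temporary files.
demo() {
    d="/tmp/ak_demo.$$"
    mkdir -p "$d"
    f="$d/authorized_keys"
    make_sample_authorized_keys "$f"
    echo "active keys: $(count_keys "$f")"
    revoke_key "$f" craig@usb-key-2005-04
    echo "after revoking the April USB key: $(count_keys "$f")"
    rotate_key "$f" craig@usb-key-2005-07 \
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_CONSTRUCTED_4 craig@usb-key-2005-08"
    echo "after rotating the July key: $(count_keys "$f")"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config"
    password_auth_disabled "$d/sshd_config" \
        && echo "sshd_config: password logins disabled"
    rm -rf "$d"
}

demo
```

The script is POSIX sh and needs only awk and grep, so it can run from the same USB stick as the SSH client. On the server side, pairing it with `PasswordAuthentication no` is what turns a stolen passphrase into a non-event unless the private key file was taken as well.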