[plug] security qn: auth from Windows clients to Linux server

dsbrown at cyllene.uwa.edu.au dsbrown at cyllene.uwa.edu.au
Sun Jul 31 21:35:31 WST 2005


Quoting dsbrown at cyllene.uwa.edu.au:

> Dear PLUG list members,
>
> A security question :-)   I want to avoid collateral damage from
> inadvertently having keystroke loggers grab authentication details from a
> compromised Windows machine, when used to remotely administer Linux
> machines hosting sensitive data.

Thanks to Shayne, Quentin, Russell, Timothy, Jim and Craig...

It seems I am not being overly paranoid :-)

OPIE looks promising but if I ssh into a machine as a user with wheel
membership and sudo, would I need to re-use the password or, more likely,
use a fresh one at each prompt?   I suspect the latter which may mean
needing a fairly long preprinted password list :-)   I'll have to read up
more on it though.   I **NEVER** log in as root and bar root logins for
ssh in any case.

Safeword tokens sound pretty good and would seem to be
non-technical-person-friendly but I think the finances are going to be
the kicker here.   Very similar concept to OPIE, but without the pain :-)
   Thanks, Quentin for mentioning it.   I may be able to interest my fellow
admins in using it and if there are economies of scale for rolling it out
to multiple "I want to work from home" types.

The other solutions including Timothy's one make sense from the "I have
something" perspective... have a USB memory stick.   Craig's booting into
a more secure OS (What!?? Windows XP is not secure?) could be via USB
stick a la previous discussion on having Linux on a stick.   There could
be "issues" there though, such as convincing the regular user that what
I'm about to do really is harmless to their machine!

Overall, the use of OPIE if I don't want a "hardware" element in the
solution or PuTTY and keys on a stick if I allow hardware in, would seem
reasonable.   And yes, I would change the keys regularly :-)

Thanks for all the input.   Hope others have found it interesting too.
Denis



----------------------------------------------------------------
This message was sent using the University of Western Australia
Webmail system, based on the Horde/IMP framework.
Students and staff - via https://webmail.uwa.edu.au/
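As an added illustration of the OPIE/S/KEY mechanism discussed in the thread (this is example code written for this archive page, not anything posted by Denis or shipped with OPIE), the block below implements the RFC 2289 MD5 hash chain: the client derives one-time password number n by hashing seed+passphrase n times with MD5 folding, and the server keeps only the next value up the chain, so each accepted response is useless to a keystroke logger once it has been used. Class and function names (OtpServer, client_response, run_session), the passphrase, the seed and the counts are assumptions made for the example; the hex output format is the one OPIE accepts in place of the six-word form.

```python
import hashlib
import hmac

# RFC 2289 MD5 folding: XOR the two 8-byte halves of a 16-byte digest.
def _fold(digest: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

# One step up the chain: hash the previous 8-byte value and fold it again.
def _step(value: bytes) -> bytes:
    return _fold(hashlib.md5(value).digest())

# Chain value for sequence number n. The seed is case-insensitive and is
# concatenated in front of the passphrase before the first hash (RFC 2289).
def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        value = _step(value)
    return value

# Hexadecimal form, grouped in four 4-digit blocks as OPIE prints it.
def to_hex(value: bytes) -> str:
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

def parse_hex(text: str) -> bytes:
    return bytes.fromhex(text.replace(" ", ""))

# Client side: answer an "otp-md5 <seq> <seed>" challenge. This response is
# all a keylogger on the Windows box gets to see; the passphrase never leaves
# the calculator (or the preprinted list).
def client_response(passphrase: str, challenge: str) -> str:
    method, seq, seed = challenge.split()
    if method != "otp-md5":
        raise ValueError("unsupported OTP method: " + method)
    return to_hex(otp_value(passphrase, seed, int(seq)))

# Server side: stores only the chain value one step above the next expected
# password, never the passphrase. (Assumed class name for this example.)
class OtpServer:
    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.seq = count - 1                      # next sequence number to ask for
        self.stored = otp_value(passphrase, seed, count)  # passphrase used only here

    def challenge(self) -> str:
        return f"otp-md5 {self.seq} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        if self.seq < 0:                          # list exhausted, must re-enrol
            return False
        try:
            resp = parse_hex(response_hex)
        except ValueError:
            return False
        # Hashing the response once must give the value we already hold.
        if not hmac.compare_digest(_step(resp), self.stored):
            return False
        self.stored = resp                        # move one step down the chain
        self.seq -= 1
        return True

# Constructed demo session: a login, a replay of the captured response, and
# a further login, all against a server enrolled with a short list of 5.
def run_session(passphrase="correct horse battery", seed="te1234", count=5) -> dict:
    server = OtpServer(passphrase, seed, count)
    first = client_response(passphrase, server.challenge())
    first_ok = server.verify(first)
    replay_ok = server.verify(first)            # what a keylogger could retry
    second_ok = server.verify(client_response(passphrase, server.challenge()))
    return {"first": first_ok, "replay": replay_ok, "second": second_ok,
            "remaining": server.seq + 1}

if __name__ == "__main__":
    print(run_session())
```

Every successful verify moves the server one step down the chain, so any prompt that is wired to the OTP module (the ssh login and, if PAM is configured that way, sudo as well) consumes the next entry; the count chosen at enrolment is the size of the printed list, and once seq goes below zero nothing is accepted until the user re-enrols with a new seed. RFC 2289 Appendix C publishes test vectors for the MD5 chain against which otp_value can be checked.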



