On Wed, Dec 24, 2008, jkinz@kinz.org wrote:
On Wed, Dec 24, 2008 at 09:43:19AM -0800, Bill Campbell wrote:
On Wed, Dec 24, 2008, jkinz@kinz.org wrote:
Top posting to ask a question regarding the article below: Summary: Enable ssh to allow login from any random point on the internet
I always have my laptop with me,
An excellent strategy, Bill. I use it myself, but I explicitly excluded it in my question. Why? Because there are lots of scenarios in the world where people won't be able to use their laptop or netbook and will have to fall back on using someone else's equipment.
Two examples: You are visiting the Otis Public Library in Norwich CT. They have Linux-based public workstations (w/Internet access). (http://www.otislibrarynorwich.org/index.htm)
Or you are a consultant visiting a corporate client who doesn't allow "outside equipment" to be used on their network, so they maintain specific machines for "guests" to use. (Hint: "DOD")
I don't do business with government agencies, it just encourages them to continue their legal plunder (and often it takes forever to get paid -- unless one offers an early payment discount that they are required by law to use).
(I have run into both of these. :-) )
Example three: A TSA attendant "accidentally" drops your laptop... in front of a forklift... (Merry Christmas!)
That might well get me to cancel my trip.
All your ideas are good ones to which I would add using port knocking (not perfect at all but adds an additional small barrier)
I am aware of port knocking, but doing that certainly requires stuff on the client computer that wouldn't be available at the average Internet cafe or kiosk device.
The best technique I have used is to put up an https web page that requires the person desiring entry to be presented with a challenge<->response dialog that is generated from a specific one-time use pad of CR key pairs. That way, each session requires a unique response to enable it. This is awkward but helps keep the unwanted visitors out. This would be a variation on your SSL webmin suggestion.
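The server side of the one-time challenge/response pad described above, as an added example that is not code from anyone in this thread. It assumes the pad is a list of (challenge, response) pairs (e.g. printed on a card the traveller carries) and that whatever opens ssh for the client's IP after a successful check is handled by the caller.

```python
import hmac
import secrets


class OneTimeChallengePad:
    """Server-side store of (challenge, response) pairs, each usable exactly once.

    Responses are random and not derived from the challenge, so a keylogger on
    a kiosk that captures one exchange learns nothing about the remaining pairs.
    (Assumed design for this example; the thread gives no concrete format.)
    """

    def __init__(self, pairs):
        # pairs: iterable of (challenge, response) strings from the printed card
        self._pairs = dict(pairs)

    @classmethod
    def generate(cls, n, rng=secrets.token_hex):
        """Create a fresh pad of n pairs; return (pad, pairs) so the pairs can be printed."""
        # Pairs are burned on first use, so size the pad for the length of the trip.
        pairs = [(f"{i:02d}-{rng(3)}", rng(4)) for i in range(n)]
        return cls(pairs), pairs

    def remaining(self):
        return len(self._pairs)

    def issue_challenge(self):
        """Pick a challenge to show on the https login page (None when the pad is exhausted).

        The challenge is not secret, so merely showing it does not consume the pair.
        """
        if not self._pairs:
            return None
        return next(iter(self._pairs))

    def verify(self, challenge, response):
        """Check the answer and burn the pair whatever the outcome.

        Burning on a wrong answer means each online guess costs one pad entry, so
        guessing cannot be retried against the same challenge; the trade-off is that
        repeated wrong answers can exhaust the pad and lock the owner out (not in).
        """
        expected = self._pairs.pop(challenge, None)
        if expected is None:
            return False  # never issued, already used, or a replayed pair
        return hmac.compare_digest(expected.encode(), response.encode())
```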
I saw something recently on one of the many mailing lists about a USB device that generates one-time passwords at very reasonable cost. These can be plugged into anything with a USB port that would recognize a USB keyboard.
Unfortunately, the worst case scenario (a compromised machine that does key logging) which you pointed out will always be a potential problem.
So when on the road, perhaps we should restrict doing online banking to just the cell phone.. :-) hmm.......
My bank is set up to make one jump through several hoops when logging in from an IP from which it has not seen a login to the account, and may even distinguish browsers, as I think I have had to do something special when using Safari on my desktop instead of my normal Firefox. My bank is a small regional bank where the people at the branch know me, and even recognize my voice on the phone, so it's pretty easy for me to do things by phone. I *HATE* dealing with megabanks where customer service is an oxymoron.
... Bill