On Wed, Dec 24, 2008 at 09:43:19AM -0800, Bill Campbell wrote:
On Wed, Dec 24, 2008, jkinz@kinz.org wrote:
Top posting to ask a question regarding the article below: Summary: Enable ssh to allow login from any random point on the internet
I always have my laptop with me,
An excellent strategy Bill. I use it myself, but I explicitly excluded it in my question. Why? because there are lots of scenarios in the world where people won't be able to use their laptop or netbook and will have to fall back on using someone else's equipment.
Two examples : You are visiting the Otis Public Library in Norwich CT. They have Linux based public workstations (w/Internet access). (http://www.otislibrarynorwich.org/index.htm)
Or you are a consultant visiting a corporate client who doesn't allow "outside equipment" to be used on their network, so they maintain specific machines for "guests" to use. (Hint, "DOD" )
(I have run into both of these. :-) )
example three - A TSA attendant "accidentally" drops your laptop.. in front of a forklift... (Merry Christmas!)
All your ideas are good ones to which I would add using port knocking (not perfect at all but adds an additional small barrier)
The best technique I have used is to put up an https web page that requires the person desiring entry to be presented with a challenge<->response dialog that is generated from a specific one-time use pad of CR key pairs. That way, each session requires a unique response to enable it. This is awkward but helps keep the unwanted visitors out. This would be a variation on your SSL webmin suggestion.
Unfortunately, the worst case scenario (a compromised machine that does key logging) which you pointed out, will always be a potential problem.
So when on the road, perhaps we should restrict doing online banking to just the cell phone.. :-) hmm.......
accept only authorized_keys, (b) allow access from any IP, and (c) use fail2ban to limit the number of log entries from failed attempts to access the systems. All logins to our customer sites are then initiated from inside our network once I have established the initial connection from the remote location so those connections can be much more restrictive if necessary.
One possibility would be to have a machine configured to allow password access from the world which one could log into, then execute ssh-agent, and ssh-add (with a strong pass phrase) on that machine to get access to other systems on your network.
If there is some reason that an ssh cannot be established, usually it's possible to connect with OpenVPN, which works nicely behind NAT firewalls and does not require kernel hacking on CentOS as things like PPTP do.
You make the job much more difficult when asking that you be able to get in from any old machine you might find in public space. Other than the fact that the owners of these machines generally don't allow people to install software on them, I would be very reluctant to do anything on them that involved secure logins as who knows what key capture or other spyware is running on them.
One may be able to access your systems using webmin or its usermin module over an SSL connection, and webmin has a terminal interface allowing one to get a connection to systems. If I remember correctly, this does require Java(tm) on the connecting machine, and that webmin be configured to permit use of the terminal module.
I much prefer to restrict webmin and usermin access though as I have seen far too many systems cracked through it because it only has username, password authentication, and too many times, users' passwords are easily cracked. Once somebody is logged into usermin, for instance, they may have access to tools such as the chfn (change finger information) command which at one time on SuSE systems allowed them to change their uid to "0" and gain root access to the system.
In summary, I would be extremely reluctant to allow access from public machines where there is no assurance how much malware is running on top of the Microsoft virus, Windows. It's very easy to revoke authorized_keys or OpenVPN access for a lost or stolen laptop. Allowing password access by any means opens up a large can of worms.
... Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
If the government can take a man's money without his consent, there is no limit to the additional tyranny it may practise upon him; for, with his money, it can hire soldiers to stand over him, keep him in subjection, plunder him at discretion, and kill him if he resists. Lysander Spooner, 1852 _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
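The one-time challenge/response pad that jkinz describes above, written out as an added example (this is not code from either poster or from the list). The design is an assumption: the gateway stores only SHA-256 hashes of the responses, the user carries the plaintext pad, a pair is consumed once it has been used successfully, and failures are counted so a lockout (or fail2ban, as Bill suggests) can kick in.

```python
import hashlib
import hmac
import secrets

# Constructed scheme: pad entries are (challenge, response). The gateway keeps only
# sha256(response), so copying the server-side pad does not reveal the responses.
RESPONSE_BYTES = 8     # 16 hex chars: long enough to type from a card, hard to guess
MAX_FAILURES = 5       # lock the pad after this many wrong answers


def generate_pad(n_pairs):
    """Return (user_pad, server_pad): user_pad maps challenge -> response and is
    printed/carried by the user; server_pad maps challenge -> sha256 hex digest."""
    user_pad, server_pad = {}, {}
    while len(user_pad) < n_pairs:
        challenge = secrets.token_hex(4)
        if challenge in user_pad:       # avoid a duplicate challenge label
            continue
        response = secrets.token_hex(RESPONSE_BYTES)
        user_pad[challenge] = response
        server_pad[challenge] = hashlib.sha256(response.encode()).hexdigest()
    return user_pad, server_pad


class PadVerifier:
    """Gateway side: hands out unused challenges and consumes them on success."""

    def __init__(self, server_pad):
        self._unused = dict(server_pad)
        self.failures = 0

    def remaining(self):
        return len(self._unused)

    def next_challenge(self):
        """A random unused challenge, or None if the pad is exhausted or locked."""
        if not self._unused or self.failures >= MAX_FAILURES:
            return None
        return secrets.choice(list(self._unused))

    def verify(self, challenge, response):
        """True exactly once per challenge; a replayed (keylogged) response fails."""
        if self.failures >= MAX_FAILURES:
            return False
        expected = self._unused.get(challenge)
        if expected is None:            # unknown or already consumed
            self.failures += 1
            return False
        given = hashlib.sha256(response.encode()).hexdigest()
        if not hmac.compare_digest(given, expected):   # constant-time compare
            self.failures += 1
            return False
        del self._unused[challenge]     # single use: burn the pair on success
        return True
```

Because each pair is burned on success, a response captured by a keylogger on a public workstation cannot open a second session, which is the property the scheme is meant to give; it does nothing against an attacker who hijacks the session that was just opened.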