On Wed, Dec 24, 2008, jkinz at kinz.org wrote: >Top posting to ask a question regarding the article below: > >Hi Warren, Nice explanation. I would like to ask what you >recommend people do if they want to be able to ssh in from >anywhere on the internet. Say they are going to be traveling and >they know they will have to login from machines they have no >control over, like an internet cafe or a Hotel's business >services suite? I always have my laptop with me, and have systems here configured to (a) accept only authorized_keys, (b) allow access from any IP, and (c) use fail2ban to limit the number of log entries from failed attempts to access the systems. All logins to our customer sites are then initiated from inside our network once I have established the initial connection from the remote location so those connections can be much more restrictive if necessary. One possibility would be to have a machine configured to allow password access from the world which one could log into, then execute ssh-agent, and ssh-add (with a strong pass phrase) on that machine to get access to other systems on your network. If there is some reason that an ssh cannot be established, usually it's possible to connect with OpenVPN, which works nicely behind NAT firewalls and does not require kernel hacking on CentOS as things like PPTP do. You make the job much more difficult when asking that you be able to get in from any old machine you might find in public space. Other than the fact that the owners of these machines generally don't allow people to install software on them, I would be very reluctant to do anything on them that involved secure logins as who knows what key capture or other spyware is running on them. One may be able to access you systems using webmin or its usermin module over an SSL connection, and webmin has a terminal interface allowing one to get a connection to systems. If I remember correctly, this does require Java(tm) on the connecting machine, and that webmin be configured to permit use of the terminal module. I much prefer restrict webmin and usermin access though as I have seen far too many systems cracked through it because it only has username, password authentication, and too many times, user's passwords are easily cracked. Once somebody is logged into usermin, for instance, they may have access to tools such as the chfn (change finger information) command which at one time on SuSE systems allowed them to change their uid to ``0'' and gain root access to the system. In summary, I would be extremely reluctant to allow access from public machines where there is no assurance how much malware is running on top of the Microsoft virus, Windows. It's very easy to revoke authorized_keys or OpenVPN access for a lost or stolen laptop. Allowing password access by any means opens up a large can of worms. ... Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax: (206) 232-9186 If the government can take a man's money without his consent, there is no limit to the additional tyranny it may practise upon him; for, with his money, it can hire soldiers to stand over him, keep him in subjection, plunder him at discretion, and kill him if he resists. Lysander Spooner, 1852