LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-07-2004, 08:47 AM   #1
jago25_98

Rotate passwords to avoid keyloggers in workplace

I'd really like to be able to ssh in to home from work to use Yahoo Messenger, irc and so forth, but I can't trust the machine I'm connecting from.

I was thinking of using chroot and limiting the applications available but that would limit what I can do.

How can I rotate passwords? - that is, have the password automatically change when I log in? Could I try and script it into ~/.bashrc? How do I do so without giving away the new password in the process?

Also, could I do the same with VNC or something similar with scriptable password changing?

Thanks!

Old 10-07-2004, 04:38 PM   #2
Krugger
I would guess you don't have root on your work computer, so I would suggest using the key auth feature in ssh: instead of the password, you use the public key auth method.

Check your man page for sshd_config for AuthorizedKeysFile, and your ssh man page for the matching option.

So the thing is, you keep your key secure on a floppy or other removable media and use it to log in at home. Now, about protecting against keyloggers when using your home apps: that is only possible if they don't ask you for auth. Just save the passwords and you will never have to type them. Although it will still be possible to see what you type in IRC or other programs.

Old 10-07-2004, 04:50 PM   #3
jago25_98 (Original Poster)
Why would I need root at the client computer? What was your idea?

Thanks for the keyauth idea. I still hope to rotate passwords somehow though for mobility.

I'm going to try making an entry for a script in /etc/sudoers >

%wheel betty = NOPASSWD: /sbin/rotate_remote_user

and have that script change the password. Thing is, I'm not sure how to generate the password, and how to make the next password hard to predict/source unreadable.

If I could get passwd to write into a different shadow file, or generate a new shadow, I could copy and paste that into /etc/shadow.

Last edited by jago25_98; 10-07-2004 at 05:05 PM.

Old 10-08-2004, 12:33 PM   #4
Krugger
I heard there was an encrypt keyboard option in grsecurity, so there must be other stuff like that out there. But you can't install it without root or Administrator.

Although not what you want, the easy way is to boot from a CD like Knoppix or another distro that runs from the CD. Of course this is not always the way to go without extensive customization so it blends in nice and easy.

Old 10-09-2004, 05:59 AM   #5
jago25_98 (Original Poster)
I just wondered if I could change to a new password by use of a script that has a new password in it.

I'm assuming hardware keyloggers too.

Old 04-13-2009, 01:00 PM   #6
jago25_98 (Original Poster)
5 years on and I would like to get this working!

S/Key should offer the solution for ssh, but I couldn't get it working: it just didn't accept the passwords when I typed them in. I didn't get much further than that.

As for VNC, I'm looking into it now.

Old 05-18-2009, 03:10 PM   #7
Krugger
Try an RSA SecurID.

http://www.rsa.com/node.aspx?id=1156

Old 05-18-2009, 03:40 PM   #8
mostlyharmless (Senior Member)
Try this:
http://ubuntuforums.org/showthread.php?t=383053

Old 05-22-2009, 09:27 AM   #9
phoenix_precedent
Using authentication keys on a flash drive solves the problem of a key-logger, but if you're worried about the admins... they can still read the file and just keep a copy.

Similarly with one time passwords (opie, s/keys), the key-logger/admins will still get your password if you generate the response on that machine.

You need to either pre-generate a few passwords that you carry around in your wallet, or get one of several otp generators for your cell phone (search GetJar.com).

You can then set up PAM to authenticate with your normal password at home, and OTP over ssh.

Hope this helps,
Phoenix.
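To show why a pre-generated list of one-time passwords (the S/Key / OPIE scheme mentioned in posts #6 and #9) survives a keylogger, here is an added example that is not part of the thread: a hash-chain verifier in the style of S/Key. The seed, chain length and the use of SHA-256 are assumptions for the demo (real S/Key used MD4/MD5); the server only ever stores the current chain head, and a captured password fails on replay.

```python
import hashlib
import secrets

ITERATIONS = 100  # chain length, i.e. how many one-time passwords the list holds


def h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 chosen here for the demo)."""
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int = ITERATIONS) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)], computed on the trusted machine."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class SKeyServer:
    """Stores only the current head H^k(seed) and a counter, never the seed."""

    def __init__(self, head: bytes, counter: int):
        self.head = head
        self.counter = counter

    def verify(self, otp: bytes) -> bool:
        if self.counter <= 0:
            return False            # chain exhausted: user must re-initialise
        if h(otp) != self.head:
            return False            # replayed, skipped or forged value
        self.head = otp             # accepted value becomes the new head
        self.counter -= 1
        return True


def demo():
    """Enrol with H^n(seed), then use the printed list from the wallet in order."""
    seed = secrets.token_bytes(16)              # constructed on the home machine
    chain = generate_chain(seed)
    server = SKeyServer(chain[-1], ITERATIONS)  # server receives H^n(seed) only
    wallet = chain[-2::-1]                      # H^(n-1) ... H^0, used top to bottom
    first = server.verify(wallet[0])            # accepted
    replay = server.verify(wallet[0])           # keylogged copy is rejected
    second = server.verify(wallet[1])           # next entry on the list is accepted
    return first, replay, second
```

Because each accepted value becomes the new head and H is one-way, seeing any number of used passwords does not reveal the next one on the list.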

Old 05-24-2009, 03:08 AM   #10
along
Quote:
Originally Posted by phoenix_precedent
You need to either pre-generate a few passwords that you carry around in your wallet, or get one of several otp generators for your cell phone (search GetJar.com).

The service at http://kyps.net lets you do just that. (Also see http://kyps.net/home/comparison).

Old 05-24-2009, 04:23 AM   #11
phoenix_precedent
Quote:
Originally Posted by along
The service at http://kyps.net lets you do just that. (Also see http://kyps.net/home/comparison).
I haven't checked their service, but something to note is that if you authenticate to a service from an infected/monitored box, then the watchers can do so too. If you have a password/key that protects your one time passwords (pads) then gaining access to that password/key renders your OTP precaution useless.

I would not trust a third party with passwords to all my accounts. Not even my parents/lawyer/doctor/priest.

The safest option is still to generate OTPs yourself, using a trusted machine/software combination and ALWAYS keep your key/master password private.

Old 05-24-2009, 07:34 AM   #12
along
Quote:
Originally Posted by phoenix_precedent
I haven't checked their service, but something to note is that if you authenticate to a service from an infected/monitored box, then the watchers can do so too. If you have a password/key that protects your one time passwords (pads) then gaining access to that password/key renders your OTP precaution useless.
That's not how the service works...

Old 05-24-2009, 06:06 PM   #13
phoenix_precedent
OK, cool. I had a bit of time today, so checked out the site. Would be pretty cool if I trusted third parties with my passwords.

I'm not saying they're not trustworthy, but I'm too paranoid to hand over all my passwords to a group of people I have never (and probably will never) meet. Even if they are totally upstanding ( I have no reason to think they're not, but equally...), the very nature of their service makes them a good target for hackers/crackers/kiddies.

Personally, I don't see the advantage over generating your own list of OTPs. Maybe for people who don't want to access a Linux box ;-)
 