Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'd really like to be able to ssh in to home from work to use Yahoo Messenger, irc and so forth, but I can't trust the machine I'm connecting from.
I was thinking of using chroot and limiting the applications available but that would limit what I can do.
How can I rotate passwords? - that is, have the password automatically change when I log in? Could I try and script it into ~/.bashrc? How do I do so without giving away the new password in the process?
Also, could I do the same with VNC or something similar with scriptable password changing?
I would guess you don't have root on your work computer, so I would suggest trying the key auth feature in ssh: instead of the password, you use the public key auth method.
Check your man page for sshd_config for AuthorizedKeysFile, and your ssh for the matching option.
So the thing is, you keep your key secure on a floppy or other removable media and use it to log in at home. Now, about protecting against keyloggers when using your home apps: that is only possible if they don't ask you for auth. Just save the passwords and you will never have to type them. Although it will still be possible to see you type in IRC or other programs.
Why would I need root at the client computer? What was your idea?
Thanks for the keyauth idea. I still hope to rotate passwords somehow though for mobility.
I'm going to try making an entry for a script in /etc/sudoers:
%wheel betty = NOPASSWD: /sbin/rotate_remote_user
and have that script change the password. Thing is, I'm not sure how to generate the password, and how to make the next password hard to predict/source unreadable.
If I could get passwd to write into a different shadow file, or generate a new shadow, I could copy and paste that into /etc/shadow.
I heard there was an encrypt keyboard option in grsecurity, so there must be other stuff like that out there. But you can't install it without root or Administrator.
Although not what you want, the easy way is to boot from a CD like Knoppix or another distro that runs from the CD. Of course this is not always the way to go without extensive customization so it blends in nice and easy.
S/Key should offer the solution for ssh but I couldn't get it working - it just didn't accept the passwords when I typed them in. Didn't get much further than that.
Using authentication keys on a flash drive solves the problem of a key-logger, but if you're worried about the admins... they can still read the file and just keep a copy.
Similarly with one time passwords (opie, s/keys), the key-logger/admins will still get your password if you generate the response on that machine.
You need to either pre-generate a few passwords that you carry around in your wallet, or get one of several OTP generators for your cell phone (search GetJar.com).
You can then set up PAM to authenticate with your normal password at home, and OTP over ssh.
I haven't checked their service, but something to note is that if you authenticate to a service from an infected/monitored box, then the watchers can do so too. If you have a password/key that protects your one time passwords (pads) then gaining access to that password/key renders your OTP precaution useless.
I would not trust a third party with passwords to all my accounts. Not even my parents/lawyer/doctor/priest.
The safest option is still to generate OTPs yourself, using a trusted machine/software combination and ALWAYS keep your key/master password private.
OK, cool. I had a bit of time today, so checked out the site. Would be pretty cool if I trusted third parties with my passwords.
I'm not saying they're not trustworthy, but I'm too paranoid to hand over all my passwords to a group of people I have never met (and probably never will). Even if they are totally upstanding (I have no reason to think they're not, but equally...), the very nature of their service makes them a good target for hackers/crackers/kiddies.
Personally, I don't see the advantage over generating your own list of OTPs. Maybe for people who don't want to access a Linux box ;-)
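Added example, not part of any post in this thread: a sketch of the hash-chain idea behind S/Key and OPIE style one-time passwords, showing why a list pre-generated on a trusted machine survives a keylogger and how the stored verifier rotates on every login. It uses SHA-256 and hex output for simplicity (real S/Key and OPIE use a different hash and output encoding); the names make_chain and OtpVerifier, the seed and the passphrase are all constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(secret: bytes, seed: bytes, n: int) -> list:
    """Run on the trusted machine only: returns [H^1(x), ..., H^n(x)], x = seed + secret."""
    chain, value = [], seed + secret
    for _ in range(n):
        value = h(value)
        chain.append(value)
    return chain


class OtpVerifier:
    """Server side: stores only the last accepted value, never the secret."""

    def __init__(self, verifier: bytes):
        self.verifier = verifier

    def login(self, otp_hex: str) -> bool:
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        # A valid OTP is the preimage of the stored verifier.
        if hmac.compare_digest(h(otp), self.verifier):
            self.verifier = otp  # rotate: the next login needs the preimage of this
            return True
        return False


def demo():
    # Constructed sample secret and seed, for illustration only.
    chain = make_chain(b"constructed passphrase", b"ho1234", 5)
    server = OtpVerifier(chain[-1])                    # server keeps H^5
    card = [c.hex() for c in reversed(chain[:-1])]     # wallet list: H^4, H^3, ...
    first = server.login(card[0])    # typed on the untrusted machine
    replay = server.login(card[0])   # a keylogger replays what it captured
    second = server.login(card[1])   # next entry on the wallet list
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

A captured entry is useless for the next login because that would require inverting the hash; the passphrase itself must never be typed on the monitored machine.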