[clug] secure remote access method [SEC=PERSONAL]

Daniel Pittman daniel at rimspace.net
Fri Jun 19 03:57:18 GMT 2009


jm <jeffm at ghostgun.com> writes:
> Roppola, Antti - BRS wrote:

[...]

> Only one person in this thread has actually attempted to address the
> original problem description (Ben by suggesting httptunnel).

Sorry for coming in late.

OpenVPN supports the '--port-share' option to share a port between OpenVPN and
HTTPS; there is a Perl script to do the same for SSH and HTTPS here:

http://search.cpan.org/~book/Net-Proxy-0.07/script/sslh

Both of those will allow you to work around the limited access stuff; the port
443 HTTPS sharing option is actually pretty solid, really.

>> I used to have an ssh listener at home. It was switched off most of the
>> time, and the rest of the time it was behind an IPTables rule that
>> restricted access to networks I was likely to be accessing it from. It
>> didn't allow root logins at all. Ideally it would point to a separate
>> unprivileged account that was running restricted shell.

If this shell allows password protected access to root via sudo then guessing
the unprivileged account password is equivalent to guessing the root password.

My guess is that Antti doesn't allow that, but I have run across people who
have not considered that before, so I figure it is worth mentioning.

>> If I was going to continue to need access, I was going to set up a separate
>> means of activating it with appropriate network settings (SMS? Dialin?).
>
> SMS-based password authentication is a good idea as a method of OTP.

Actually, SMS authentication is a very solid "out of band" mechanism, either
sending it to the phone or just SMS the IP to open back to your server.
Either of those will radically improve the security compared to not having it
in place.

Regards,
        Daniel
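As an added illustration (not code from the post, OpenVPN or sslh) of the port-sharing idea Daniel describes: a single listener on TCP 443 peeks at the first bytes a client sends and hands the connection to sshd, an HTTPS server or a web backend depending on the protocol it recognises. The backend addresses and sample client openings are constructed for the example, and the detection rules are a simplified version of what sslh and OpenVPN's --port-share do.

```python
"""Peek-and-dispatch demultiplexing for a shared port (simplified, for illustration)."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Constructed example backends, not addresses from the mailing-list thread.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 4433),
    "http": ("127.0.0.1", 8080),
}


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for the first bytes of a connection.

    Only the client's opening bytes are examined, which is what a demultiplexer
    can see before choosing a backend.
    """
    # SSH: the client identification string (RFC 4253, section 4.2).
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record header = content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two-byte record length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01):
        return "tls"
    # Plain HTTP: request line starts with a method token and a space.
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def pick_backend(first_bytes: bytes, backends=BACKENDS, default="ssh"):
    """Map peeked bytes to a (host, port) backend, or None to drop the connection.

    A client that has sent nothing by the time the peek times out is treated as
    SSH (sslh's default), since the SSH protocol lets the client wait for the
    server banner. Bytes that match no known protocol are rejected rather than
    blindly forwarded, so a stray backend never receives unexpected traffic.
    """
    if not first_bytes:
        return backends.get(default)
    proto = classify(first_bytes)
    return backends.get(proto)  # None for 'unknown'
```

In a real listener the peek is done with `sock.recv(n, socket.MSG_PEEK)` under a short timeout, so the chosen backend still receives the full, unconsumed client stream.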