Mindtwist.de

...let your mind twist!

How to use one-time SSH passwords on OpenBSD

Sometimes you need to log in to your network from an insecure environment, for example when using the free WLAN in a hotel lobby or when surfing at the airport. Certainly you already know that you should use SSH to protect yourself. In this article I will show you how to protect your privacy even more.

Introduction

Using SSH for your remote access is very clever. SSH authenticates your remote system and establishes an encrypted channel between two hosts - even over insecure channels. If used correctly, SSH protects your passwords and your remote shell. Moreover SSH brings along useful tools for secure data transmission and is able to create secure end-to-end tunnels for your applications.

However, there is the possibility that some evil person is watching your keyboard and taking notes of the passwords you enter. To prevent this, I only allow passwordless authentication using asymmetric keys to enter my system. But a) the private key is itself protected by a passphrase that I don't want to type in public, and b) sometimes I don't have the laptop with me on which the necessary keys are stored. Below you will find my solution to this dilemma.

Creating a S/Key secured SSH gateway

As I already use virtualization at home, I created a new OpenBSD 4.6 machine as a secure S/Key enabled SSH gateway. This machine is installed with minimal packages only and is placed in a DMZ. A new unprivileged user is created and root login is disabled on this host. With the following command, S/Key gets enabled:

# skeyinit -E

Then I create a new S/Key table for the unprivileged user:

$ skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet,
hit return now and use skeyinit -s.
Password:
[Adding rottmrei with md5]
Enter new secret passphrase:
Again secret passphrase:

ID rottmrei skey is otp-md5 100 vope51160
Next login password: LAW SLUG HOB ORB ULAN FALL

The secret passphrase is used to create one-time passwords using the md5 algorithm. On a trusted workstation or handheld device I can generate the next login passwords by entering my secret passphrase, the hash algorithm in use and the name (seed) of the S/Key table.

This can also be done on the S/Key SSH gateway:

$ skey -md5 -n 10 100 vope51160
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
91: MUDD LUSH CASH ORE GWYN MIRE
92: SKY DOLL OW JERK LAIN EMIT
93: JET NECK LAB SORE WOOD SAIL
94: BED BUST HUG WORD DASH DAWN
95: TENT CHUM MALL EAR BEAN TUCK
96: RAY STAY YOKE ROME GUST URGE
97: IVY SET ELAN CANT HAD DUTY
98: BIT SIP DOT TED GOAT VIE
99: TUSK HIT SEW GOAT TUNE DOLT
100: LAW SLUG HOB ORB ULAN FALL

Now I am able to login with a one-time password by appending ":skey" to the username:

% ssh rottmrei:skey@vopenbsd04
otp-md5 99 vope51160
S/Key Password:
Last login: Tue Dec  8 14:16:52 2009 from ***scrubbed***

* * * * * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT IMMEDIATELY!
* * * * * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * * *

$

The server greets me with the name of the S/Key password list currently in use (vope51160) and asks me to enter the password with sequence number 99. After its first use, a login password becomes obsolete, just like a used TAN in online banking.
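The otp-md5 chain behind skeyinit and skey (see the password list above) and the server-side check that makes each password single-use, as an added Python example written for this article; it is not code from the page or from OpenBSD. It prints the 64-bit value in hex (what skey shows with -x) instead of the six-word form, since that encoding needs the 2048-word RFC 2289 dictionary; the test values are the RFC 2289 Appendix C vectors, not the author's (deactivated) list.

```python
import hashlib


def _fold(digest16: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password for sequence number `count`: hash the lowercased seed
    concatenated with the passphrase, then apply `count` more hash-and-fold steps."""
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = _fold(hashlib.md5(key).digest())
    return key


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    return otp_md5(passphrase, seed, count).hex().upper()


def otp_list(passphrase: str, seed: str, last: int, n: int) -> dict:
    """Like `skey -n n last seed`: the passwords for sequence numbers last-n+1 .. last."""
    return {c: otp_hex(passphrase, seed, c) for c in range(last - n + 1, last + 1)}


class SkeyRecord:
    """What the gateway keeps per user: seed, sequence number and the value of the
    last password accepted. The secret passphrase itself is never stored."""

    def __init__(self, passphrase: str, seed: str, count: int):
        # skeyinit: only the hash for `count` is kept; the next challenge is count-1
        self.seed, self.n = seed, count
        self.stored = otp_md5(passphrase, seed, count)

    def challenge(self) -> str:
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept only if one more hash step of the response equals the stored value,
        then advance: a replayed password no longer hashes to what is stored."""
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8 or _fold(hashlib.md5(candidate).digest()) != self.stored:
            return False
        self.stored, self.n = candidate, self.n - 1
        return True
```

Knowing password 99 does not reveal password 98 (that would require inverting MD5), which is why a noted-down password is useless to an observer once it has been used.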

From the S/Key SSH gateway I may explore other machines that I have enabled to access the DMZ. When I do not need remote access, I simply shut down the gateway.

The list of S/Key passwords is renewed regularly by running skeyinit again. Of course, all passwords displayed on this page have been permanently deactivated.
