On Tue, 23 Oct 2001, Marcus J. Ranum wrote:

> David Lang wrote:
<snip>
> >2. you can't (easily) use strong authentication other than certificates.
>
> True. We've been looking at rolling some of the tokens out
> here since we're worried about ever-smarter trojans and keystealers.
> There was a tool with the fwtk that was basically a login wrapper; it
> sat in front of /bin/sh as the user's login shell, did a challenge/response
> and then exec'd their real shell. That's a viable place to add c/r
> behind something like ssh if you're really really paranoid.

The other thought I've had on this (but haven't taken the time to pursue)
is that if openssh can be configured to use PAM, then it may be possible
to use a PAM module to do the token c/r.

<snip>
> >plug-gw, for things that don't fit the other proxies is there something
> >else you suggest?
>
> Plug-gw is still OK. :) Remember: it doesn't _do_ anything
> though! It's just a hole...

Yep, unfortunately some things that need to be run through internal
firewalls will never be supported by real proxies (unless you write them
yourself).

<snip>
> >I agree that the FWTK has some (fairly severe) limits on what it should be
> >used for, but within those limits I still see it as useful.
>
> Hey, I'm not bashing fwtk. :) It certainly had its place and at one point
> in time a significant percentage (something like 20%) of the Internet
> firewalls were based on it. Not bad! :) But it's definitely dated and I
> get a bit nervous when I see someone looking at deploying it today.
> Especially when 'good' firewalls are so cheap and more up to date
> components are easy to find.

And I'm not saying it's the right thing to use as a company's internet
firewall either :-)

I primarily use it for internal firewalls where I want the strong
authentication it provides (for services that support it), and almost
everything else needs to be handled by plug-gw (or its equivalent on
whatever firewall) anyway.

The only other place I use it is on my home firewall, again for the strong
authentication capability in combination with many->one NAT for outbound
connections.

I would say that I wish someone else would come up with a set of proxies
and an authentication engine similar to what the FWTK provides, but I guess
the job it does is simple and complete enough (again within its limits)
that there's not enough reason for anyone to reinvent the wheel.

David Lang

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
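The login-wrapper idea quoted above (a program installed as the user's login shell that runs a challenge/response and only then exec's the real shell) can be shown end to end. The following is an added example written for this page; it is not fwtk's login wrapper, not code from the thread, and not an OpenSSH or PAM component. It assumes a hypothetical per-user file ~/.login-cr (mode 0600) holding the real shell path on line one and a hex-encoded shared secret on line two, and that the user's token computes the same truncated HMAC-SHA256 over the challenge. The I/O is injected so the exchange can be exercised without a terminal.

```python
#!/usr/bin/env python3
"""Login-shell wrapper: HMAC-SHA256 challenge/response, then exec the real shell.

Added example, not fwtk code and not from the thread. Hypothetical assumptions:
  * /etc/passwd points the user's shell at this script;
  * ~/.login-cr (mode 0600) holds two lines: the real shell path and the
    hex-encoded shared secret (the user's token computes the same HMAC);
  * whatever argv sshd passes (e.g. "-c cmd" for a remote command) is forwarded
    to the real shell only after a successful exchange, so commands are gated too.
"""
import hashlib
import hmac
import os
import secrets
import sys

RESPONSE_BYTES = 8          # the user types 16 hex characters
MAX_ATTEMPTS = 3
CONFIG_PATH = os.path.expanduser("~/.login-cr")   # hypothetical location


def make_challenge() -> str:
    """Fresh 64-bit random nonce, hex-encoded; a new one per attempt, never reused."""
    return secrets.token_hex(8)


def expected_response(secret: bytes, challenge: str) -> str:
    """Truncated HMAC-SHA256(secret, challenge) as lowercase hex."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return mac[:RESPONSE_BYTES].hex()


def verify_response(secret: bytes, challenge: str, response: str) -> bool:
    """Constant-time compare; tolerate trailing newline and upper-case hex."""
    got = response.strip().lower()
    return hmac.compare_digest(expected_response(secret, challenge), got)


def run_challenge(secret: bytes, read_line, write, challenge_fn=make_challenge) -> bool:
    """Drive up to MAX_ATTEMPTS exchanges. read_line() returns None on EOF."""
    for _ in range(MAX_ATTEMPTS):
        challenge = challenge_fn()
        write(f"Challenge: {challenge}\nResponse: ")
        answer = read_line()
        if answer is None:          # client went away: fail closed
            return False
        if verify_response(secret, challenge, answer):
            return True
        write("Incorrect.\n")
    return False


def load_config(path: str = CONFIG_PATH):
    """Return (real_shell, secret_bytes); raises OSError/ValueError if unusable."""
    with open(path) as f:
        shell, secret_hex = (line.strip() for line in f.readlines()[:2])
    return shell, bytes.fromhex(secret_hex)


def main() -> None:
    try:
        real_shell, secret = load_config()
    except (OSError, ValueError):
        sys.stderr.write("login-cr: no usable config, refusing login\n")
        sys.exit(1)

    def read_line():
        line = sys.stdin.readline()
        return line if line else None

    # Prompts go to stderr so a "-c cmd" session's stdout stays clean.
    if not run_challenge(secret, read_line, sys.stderr.write):
        sys.stderr.write("login-cr: authentication failed\n")
        sys.exit(1)

    # Interactive sessions get a login shell ("-sh"); "-c cmd" is passed through.
    base = os.path.basename(real_shell)
    argv0 = "-" + base if len(sys.argv) == 1 else base
    os.execv(real_shell, [argv0] + sys.argv[1:])


if __name__ == "__main__":
    main()
```

Two caveats a deployment would hit: sshd's internal-sftp subsystem and ForceCommand paths do not go through the login shell, so the wrapper gates only sessions that actually exec the shell; and a secret stored on the host is weaker than fwtk's authsrv model, where the verifier lives on a separate authentication server. Both are reasons the PAM route the sender mentions (sshd with UsePAM yes and a module that performs the same exchange) is the more general place to hook this in.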
