In lists.firewalls you write:

>> 2. you can't (easily) use strong authentication other than certificates.
>
> True. We've been looking at rolling some of the tokens out here since
> we're worried about ever-smarter trojans and keystealers. There was a
> tool with the fwtk that was basically a login wrapper; it sat in front
> of /bin/sh as the user's login shell, did a challenge/response and then
> exec'd their real shell. That's a viable place to add c/r behind
> something like ssh if you're really really paranoid.

Uh, just for the record. With ssh this is a "not so good idea (TM)" if
you're not careful. If you allow port/X11 forwarding and use a wrapper
around the user's login, the sshd won't know that there is an additional
authentication step following and will happily allow forwarded ports to
operate while the user is still looking at the challenge prompt from the
login wrapper.

I ran into this myself ;-) The only solution I could come up with was
hacking the sshd to add an additional authentication step there directly.

Michael
--
 \|/  -O-  Michael Elbel, ConSol* GmbH, - [EMAIL PROTECTED] - 089 / 45841-256
 /|\       Fermentation fault (coors dumped)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
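The window Michael describes exists because sshd considers the session fully authenticated (and so opens forwarded ports) before the wrapper shell has asked its question. The way to close it without patching sshd is to make the challenge/response part of sshd's own userauth, and to deny forwarding to any account that still relies on a wrapper. The fragment below is an added example, not from the post or from fwtk; it assumes OpenSSH 6.2 or later, a PAM stack on the host that performs the token challenge/response, and an assumed group "wrapper-users" for accounts that keep the old wrapper shell.

```sshd_config
# Added example (not from the original post). Assumes OpenSSH >= 6.2,
# a PAM module that performs the token challenge/response, and an
# assumed group "wrapper-users" for accounts still using a wrapper shell.

# Run the challenge/response inside sshd's userauth. No channel (and thus
# no port or X11 forwarding) can be opened until every listed method has
# succeeded, so there is no window like the login-wrapper one.
UsePAM yes
# On OpenSSH < 8.7 this directive is spelled ChallengeResponseAuthentication.
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# For accounts that keep the fwtk-style wrapper as their login shell,
# deny forwarding outright so a session parked at the wrapper's prompt
# cannot carry any forwarded traffic.
Match Group wrapper-users
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Check the result with `sshd -T -C user=<name>` to see the effective values for a given account before reloading the daemon.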
