>>>>> On Tue, 24 May 94 08:04:53 -0700, pauld@pyramid.com (Paul Daw) said:
|> Brent's suggestion was to go ahead and allow this (i.e. enable the specific
|> IP address from the internet to get through the wrapper to telnetd,) using
|> a one time password, smart card or challenge response system to protect the
|> family jewels. This seems like a good first step, but after sitting around
|> drinking beer and eating pizza with the other security paranoids in the
|> sysadm group here, we saw a second potential problem.
|>
|> Since these people are at customer sites, there is a real potential for
|> local eavesdropping. While the one-time-password scheme protects the
|> firewall from intrusion, it doesn't protect all of the internal
|> machines that the user might log into once he is on the gateway, and
|> those passwords will still be sent in the clear. The Internet gateway
|> isn't the only way in, and there is a possibility that the passwords
|> used on internal machines might also be used on modem servers and the
|> like.
I haven't heard anything about putting S/Key together with Kerberos,
yet, so perhaps it's either not possible or unwise, but that would do
it. Give the next key in sequence to authenticate your Kerberos
identity.
--
INET: Mark-Ludwig@UAI.COM NIC: ML255 ICBM: USA; Lower Left Coast
"Cigarettes ... are not a drug." -- Tom Lorea from the Tobacco Institute
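The "next key in sequence" mechanism the thread refers to is the S/Key-style one-time-password hash chain; the following is an added example (not part of the original message, and a simplified SHA-256 chain rather than the real S/Key MD4 algorithm) showing why a password captured on the wire cannot be replayed: the gateway stores only the current chain head, accepts a candidate only if hashing it reproduces that head, and then burns it by moving the head back one step. The seed value and class name are constructed for the demonstration.

```python
import hashlib


def step(value: bytes) -> bytes:
    # One link of the chain; the verifier only ever applies the hash forward.
    return hashlib.sha256(value).digest()


def chain(seed: bytes, n: int) -> bytes:
    # h^n(seed): the client computes this from its secret seed for each login.
    v = seed
    for _ in range(n):
        v = step(v)
    return v


class SKeyVerifier:
    """Gateway-side state: holds the current chain head and its index, never the seed."""

    def __init__(self, seed: bytes, n: int):
        self.n = n                  # index of the stored head
        self.head = chain(seed, n)  # h^n(seed), computed once at enrolment

    def verify(self, candidate: bytes) -> bool:
        # Accept iff the chain is not exhausted and h(candidate) == stored head.
        if self.n == 0 or step(candidate) != self.head:
            return False
        # Advance: the accepted password becomes the new head, so presenting
        # it again (e.g. a replay by an eavesdropper) fails the check above.
        self.head, self.n = candidate, self.n - 1
        return True


def demo() -> tuple:
    # Constructed seed; in practice it lives only with the user/calculator.
    seed = b"constructed-demo-seed"
    gateway = SKeyVerifier(seed, n=3)
    first = gateway.verify(chain(seed, 2))   # legitimate login: h^2(seed)
    replay = gateway.verify(chain(seed, 2))  # same value replayed: rejected
    second = gateway.verify(chain(seed, 1))  # next key in sequence: accepted
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Note that this protects only the gateway login itself; the cleartext passwords typed onward to internal hosts, which Paul's second concern is about, are outside what the chain covers.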