> OK, it's time for another hypothetical situation...
>
> If I had a user community that was 100% dead set against any sort of
> one-time passwords, since they do lots and lots of logins every day over an
> internal net, and yet they occasionally do logins from remote (confusing
> enough... it's my fault), would the following scenario work?
>
> 1) Router on the link to the outside world, dropping all spoofed packets
> (src = (internal-net, loopback, 192.whatever, etc.)).
>
> 2) A telnetd which ran either a normal, reusable password login if the
> connection was coming from an internal net, or an S/Key-type login if the
> connection was coming from an external net.
>
> The modification to telnetd seems trivial, and it would mean the best of
> both worlds: they get their one password for day-to-day use, and I get the
> no-reusable-passwords-over-the-net peace of mind.
>
> I'm certain that it couldn't be this simple, but I can't see anything wrong
> with it.
>
> Comments?
>
> Mike

I'm a very happy user (disclaimer: and reseller!) of a new product that
does exactly what you describe: I use my reusable password when I log
in at my station, but on the road I'm coming from outside the "trusted
network", and so am forced to use my (SNK-like) Cryptocard token.
(SecureID and S-Key are also supported). Unfortunately for most readers
of this forum, the product, Secure/IP from TGV, Inc., runs only on
OpenVMS!
However, since it has the features you want, why not call TGV (+1 408
457 5200, or in the U.S. (800) TGV 3440) and buy the documentation? A
quick read will expose many issues you'll want to deal with as you hack
telnetd.
Regards,
"Steve" Stephen L. Arnold, Ph.D., President, Arnold Consulting, Inc.
Address 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A.
Telephone +1 608 278 7700 Facsimile +1 608 278 7701
Internet Stephen . L . Arnold @ Arnold . Com Pager (800) 351 8927
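
The source-address decision from item 2 of the quoted proposal, as an added example that is not part of either message and is not TGV's code. The names `choose_login` and `internal_nets` and the network ranges are assumptions made for illustration; any peer that cannot be placed on a listed internal net gets the one-time-password path, and the result is only as trustworthy as the router filter in item 1.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

enum login_mode { LOGIN_REUSABLE, LOGIN_OTP };

struct net { const char *addr; int prefix; };

/* Assumed internal networks (constructed for this example). */
static const struct net internal_nets[] = {
    { "10.1.0.0", 16 },
    { "172.16.8.0", 24 },
};

/* Return 1 if ip (host byte order) lies inside the given network. */
static int in_net(uint32_t ip, const struct net *n)
{
    struct in_addr a;
    uint32_t mask;

    if (inet_pton(AF_INET, n->addr, &a) != 1)
        return 0;
    /* A shift by 32 is undefined in C, so handle prefix 0 separately. */
    mask = n->prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - n->prefix);
    return (ip & mask) == (ntohl(a.s_addr) & mask);
}

/*
 * Pick the login a daemon should run for a peer address (dotted quad,
 * as obtained from the connected socket). Fails closed: a missing,
 * malformed or non-IPv4 address, or one outside every listed internal
 * network, is treated as external and must use a one-time password.
 */
enum login_mode choose_login(const char *peer)
{
    struct in_addr a;
    size_t i;

    if (peer == NULL || inet_pton(AF_INET, peer, &a) != 1)
        return LOGIN_OTP;
    for (i = 0; i < sizeof internal_nets / sizeof internal_nets[0]; i++)
        if (in_net(ntohl(a.s_addr), &internal_nets[i]))
            return LOGIN_REUSABLE;
    return LOGIN_OTP;
}
```

The check trusts the source address as seen by the host, so it holds only while the border router keeps dropping outside packets that claim an internal source.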