Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: Secure remote sysadm
From: "Michael H. Warfield" <mhw @ wittsend . com>
Date: Mon, 18 Mar 1996 07:47:16 -0500 (EST)
To: pm @ ghdsign . dk (Peter Maersk-Moller)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <199603181054 . LAA10719 @ gert> from "Peter Maersk-Moller" at Mar 18, 96 11:54:49 am

Peter Maersk-Moller enscribed thusly:

> Hi Firewall list !

> I will in the time to come, have to do remote sysadm of a Unix environment
> (from a Unix environment) over the Internet.
> 
> Any suggestions on how to do that in a secure way will be appreciated. I believe
> a lot of you are doing it every day. So, how do you do it.

> The remote site will be fenced by a firewall (not decided which, but
> probably TIS FWTK).

> Does anybody know of a secure (please explain what secure means to you)
> version of telnet and how secure is such a version ?
> I expect login, session and origin verification has to be encrypted as
> a minimum.

	How 'bout "ssh" secure shell.  Replaces rsh, rcp, & rlogin with
a cryptographic session.  Does authentication using a public key system.
Uses a private session key for individual sessions.  Can use IDEA, DES,
3-DES and others for the private session encryption.

	Check it out here...

	ftp://ftp.cs.hut.fi/pub/ssh/

> How about running X over the Internet. Since Kerberos in many implementation
> seems to be broken, does an enhancement exist ? Something like secure tunneling.
> By that I mean wrap PGP or like around it.

	You can use ssh to do X-Windows forwarding over the ssh session giving
you a secure link for an X session.

> I prefer solutions I can compile myself. Doesn't trust shrink wrapped security.
> 
> Any comments, solutions etc. are welcome.

	This fits your preferences.

	A couple of notes though.  Make sure you use the latest version -
1.2.13.  Earlier versions had some security related problems with people
making ssh "core dump" before shifting to the target userid.  There is
also one report of someone configuring ssh to sit on a high port so they
could "bypass" a firewall.  Seeing as a lot of packages could be abused
in similar fashion, it wasn't ssh's fault - but it got some mention and
discussion on the ssh mailing list.  Moral of that story is to watch
your configurations (and watch what das blinken user ick doen).  But
that SHOULD go without saying.

> Regards Peter Maersk-Moller

> ----
> 
> Technical Manager			E-mail maersk @ ghdsign . dk
> Peter Maersk-Moller			GSM    +45 40164125
>                           -------
> GHDsign					Phone  +45 44441482
> Bakkesvinget 12				Fax    +45 44490044
> DK-2880 Bagsvaerd			BBS    +45 44440940
> DENMARK					WWW    http://login.dknet.dk/~ghdsign
> 
>                                 \|||/
>                                 (. .)
> -----------------------------ooO-(_)-Ooo---------------------------------
>    __   _
>   / /  (_)__  __ ____  __
>  / /__/ / _ \/ // /\ \/ /  . . .  t h e   c h o i c e   o f   a
> /____/_/_//_/\___/ /_/\_\              G N U   g e n e r a t i o n . . .
> 
> -------------------------------------------------------------------------
>                                 || ||
>                                ooO Ooo

	Regards,
	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw @ WittsEnd . com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
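Added example, not from Mike's post or from the ssh distribution: a small Python audit of an sshd_config of the kind the reply's "watch your configurations" remark calls for. It flags a daemon listening on a non-standard port (the firewall-bypass configuration Mike mentions), direct root login, and X11 forwarding, so a defender can review them. The sample config is constructed; the keyword names (Port, PermitRootLogin, X11Forwarding) and the "Keyword value" line format are assumed.

```python
# Added example: audit an sshd_config for the settings a remote-admin
# setup behind a firewall should review. Not code from the ssh project.
import re
from typing import List, Tuple

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 8022
PermitRootLogin yes
X11Forwarding yes
# a commented-out 'Port 22' must be ignored by the parser
"""

def parse_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs, skipping blank lines and comments.
    Keywords are case-insensitive in sshd_config, so they are lowered."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def audit_sshd_config(text: str, expected_port: int = 22) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for key, value in parse_sshd_config(text):
        if key == "port":
            if not value.isdigit():
                findings.append(f"Port has a non-numeric value: {value!r}")
            elif int(value) != expected_port:
                findings.append(f"sshd listens on port {value}, not {expected_port}; "
                                "check that the firewall rules cover it")
        elif key == "permitrootlogin" and value.lower() == "yes":
            findings.append("PermitRootLogin yes: log in as a user and su instead")
        elif key == "x11forwarding" and value.lower() == "yes":
            findings.append("X11Forwarding yes: confirm X tunnelling is needed here")
    return findings
```

Run `audit_sshd_config(SAMPLE_SSHD_CONFIG)` to see three findings for the sample; a config with `Port 22` and forwarding/root login off yields none.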

