a user security hole in mindterm's ssh 2 applet

arseth2 arseth2@imap.online.no
Thu, 19 Sep 2002 17:45:47 +0200


Can OpenSSH sshd be set up to use one time passwords?
Does it come with utilities to generate one time passwords which can be sent 
to users?

Arne

>===== Original Message From Jorge Carrizo <jorge.carrizo@eds.com> =====
>Totally agree with this approach, ie one-time, unrelated, random
>generated and "really strong" passwords.
>
>I also believe that multiple security barriers would be better
>understood (and approved) by your auditors / security analysts.
>
>regards,
>jorge
>
>
>David Forslund wrote:
>
>> This is one of the reasons why we use one-time passwords at Los Alamos.
>> There are too many ways to breach security when you have a simple
>> name/password login.  I suggest that Brookhaven go to a one-time
>> password system with CryptoCards to avoid this problem as
>> we have done at Los Alamos.  Mindterm works great in
>> this scenario and there is nothing left on a remote machine
>> that would enable someone to "steal" the password, encrypted or not.
>>
>> Dave Forslund
>> Los Alamos National Laboratory
>>
>>
>> At 06:17 AM 9/19/2002 -0400, Stephen Adler wrote:
>>
>>> Mats,
>>>
>>> thank you very much for your reply but this is a big concern
>>> for us. Here's the problem. We cannot trust the users to be
>>> security conscious. We must assume that if there is something
>>> a user can do to leave his password open, they will, even though
>>> they don't intend to. Secondly, we are using mindterm as the
>>> official way of giving access to our systems from insecure
>>> places around the world. We have professors who travel to
>>> countries around the world who will be gaining access to
>>> our computer systems.
>>>
>>> We are a Department of Energy facility and we are under a
>>> microscope these days regarding computer security. Remember
>>> the Wen Ho Lee case of Los Alamos National Labs? Well Brookhaven
>>> National Labs is a "sister" research facility managed by the
>>> same federal department. (i.e. Department of Energy) We are
>>> undergoing a large scale security restructuring of our computer
>>> systems and we will be reviewed and audited by DOE to ensure
>>> that our security model is acceptable. If I show up to a review
>>> and explain to them that we are using a software product which
>>> if you do xyz, then a windows PC in some foreign country will
>>> have a hostname/username/password such that anyone can gain
>>> access to the system, we will flunk the review.
>>>
>>> Mats, is it possible to get appgate to modify your mindterm
>>> product so that we can disable the password saving feature
>>> and still use the signed version of the applet? (As I understand,
>>> scp does not work with the unsigned version, otherwise
>>> we would use the unsigned version.) Who at appgate could I call
>>> to explain our situation? In your estimate, how big a change
>>> to mindterm would this be?
>>>
>>> Thanks for the reply Mats
>>>
>>> Steve
>>>
>>> On Thu, 2002-09-19 at 05:52, Andersson, Mats wrote:
>>>  >
>>>  > On 18 Sep 2002, Adler, Stephen wrote:
>>>  > > discovered a rather ugly user enabled security hole in the mindterm
>>>  > >
>>>  > > the "save password" option, then not enter in a password to
>>> password
>>>  >
>>>  > This is actually a "feature", it means that if you save your passwords
>>>  > et.c. without encrypting it (i.e. no passphrase given), it's going to save
>>>  > it unencrypted (so it can be retrieved without user intervention).
>>>  >
>>>  > > to find a way to close this hole, either by setting up some way of
>>>  > > disabling the saving of passwords, or forcing the user to enter in a
>>>  > > password to encrypt the local password file.
>>>  >
>>>  > Saving passwords is disabled by default. Entering an empty passphrase
>>>  > should perhaps warn people what it implicates to do that. You might also
>>>  > have a point in the need for a special setting which entirely disables the
>>>  > option to use it too (or something forcing a passphrase and hence
>>>  > encryption).
>>>  >
>>>  > I wouldn't consider this a very grave security-issue though, even a normal
>>>  > user probably understands that he shouldn't enable saving passwords on a
>>>  > computer that anybody can access freely (even when giving a passphrase to
>>>  > encrypt it).
>>>  >
>>>  > Cheers,
>>>  >
>>>  > /Mats
>>>  >
>>>
>>>
>>>
>>> _______________________________________________
>>> Mindterm-users mailing list
>>> Mindterm-users@mindterm.appgate.com
>>> http://www.mindbright.se/mailman/listinfo/mindterm-users
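The thread recommends one-time passwords so that a credential left on a
foreign PC (saved by MindTerm, sniffed, or shoulder-surfed) is worthless
after its single use, and Arne asks how such passwords are generated.
The following is an added illustration, not code from this thread, from
MindTerm, or from OpenSSH: it implements the hash-chain scheme behind
S/Key-style one-time passwords (the server stores only the top of the
chain; each login reveals the preceding link; an attacker who captures a
password cannot compute the next one without the secret). Real S/Key/OPIE
use MD4/MD5 with 64-bit folding and a six-word encoding; SHA-256 and raw
bytes are used here for clarity, and the secret, seed, and chain length
are constructed values.

```python
"""Hash-chain (Lamport / S/Key-style) one-time passwords, as an illustration.

Not OpenSSH's, S/Key's, or MindTerm's code. S/Key and OPIE use MD4/MD5 with
64-bit folding; SHA-256 is substituted here for clarity only.
"""
from __future__ import annotations

import hashlib


def h(value: bytes) -> bytes:
    """One link of the chain."""
    return hashlib.sha256(value).digest()


def chain_value(secret: str, seed: str, i: int) -> bytes:
    """h^i(secret || seed). For i == n this is the only value the server stores."""
    v = (secret + seed).encode()
    for _ in range(i):
        v = h(v)
    return v


class OtpServer:
    """Server side (what sshd/skey would keep per user): seed, sequence
    number, and the last accepted chain value. The secret is never stored."""

    def __init__(self, secret: str, seed: str, n: int) -> None:
        self.seed = seed
        self.seq = n                              # next expected password is h^(seq-1)
        self.last = chain_value(secret, seed, n)  # enrolment: computed once, secret discarded

    def challenge(self) -> tuple[int, str]:
        """The challenge the login prompt would show: sequence number and seed."""
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.seq <= 1:
            # h^0 would be secret||seed itself; refuse and require re-enrolment.
            return False
        if h(candidate) != self.last:
            return False                          # wrong secret, stale or replayed value
        self.last = candidate                     # advance one link down the chain
        self.seq -= 1
        return True


class OtpClient:
    """The user's calculator or card: holds the secret, answers a challenge."""

    def __init__(self, secret: str) -> None:
        self.secret = secret

    def respond(self, seq: int, seed: str) -> bytes:
        return chain_value(self.secret, seed, seq)


def demo() -> dict[str, bool]:
    """Walk through two logins, a replay, and an impostor. Constructed values."""
    server = OtpServer("correct horse", "bnl12345", 100)   # constructed secret/seed/length
    client = OtpClient("correct horse")
    results: dict[str, bool] = {}

    seq, seed = server.challenge()
    pw1 = client.respond(seq, seed)
    results["first_login"] = server.verify(pw1)

    # The password just used (e.g. saved to disk or sniffed) is rejected on reuse.
    results["replay_rejected"] = not server.verify(pw1)

    seq, seed = server.challenge()
    results["next_login"] = server.verify(client.respond(seq, seed))

    # Someone holding only pw1 and the seed cannot produce h^(seq) from h^(seq+1).
    seq, seed = server.challenge()
    impostor = OtpClient("wrong secret")
    results["wrong_secret_rejected"] = not server.verify(impostor.respond(seq, seed))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The server-side check is deliberately one hash comparison per login and
keeps no secret, which is why Dave's point holds: nothing on the client
machine, and nothing an attacker captures in transit, yields the next
password. The chain-exhaustion guard matters in practice; OpenSSH of that
era obtained these passwords from S/Key or OPIE (or PAM) rather than
generating them itself, and the user re-enrols with a fresh seed when the
counter runs low.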