Best practices/secure approach for accessing ssh server from semi-untrusted machines

5

I often need access to my home ssh server while abroad on customers' machines. At present my ssh server is set to use password authentication on a non-standard port. It's convenient because I can just download putty/pscp, do what I need to do and be done. But I am concerned about the security risks.

I've considered only allowing pub/pri key authentication with a passphrase. But I don't really want to be copying my private key onto remote machines if that can be avoided.

Is there a better approach? Something that is more secure, but still reasonably convenient.

I had thought of setting up two ssh servers, one exposed to internet, the other only to the LAN. The public server would allow password authentication, but would otherwise be locked down to only allow ssh access to the internal server (through a forced command or something). The internal server would only allow ssh access via pub/pri key authentication that uses a passphrase. In theory it should work, but I wonder if there is a simpler way.

Andy

Posted 2011-07-21T01:20:06.223

Reputation: 153

Answers

4

If you are willing to spend some money you could get a yubikey and then use the Yubico PAM module. With this you can set up two-factor authentication. To log in, it would require both your Yubikey and a password.

Zoredache

Posted 2011-07-21T01:20:06.223

Reputation: 18 453

1

Check the opie-server for a one-time-password mechanism.
Here is one brief introduction.

nik

Posted 2011-07-21T01:20:06.223

Reputation: 50 788

0

Get a USB thumb drive. Copy your public key onto it. As long as you're there, you might as well copy PuTTY, pscp, and pageant onto it as well so you don't have to download them several times.

Kevin M

Posted 2011-07-21T01:20:06.223

Reputation: 2 396

0

Like Zoredache mentioned, a Yubikey works very well. It's a cheap yet sturdy device that you usually keep on your keychain. It emulates a USB keyboard and generates a one-time password when you touch it. A PAM module on your server verifies this password.

I've configured PAM to allow two auth methods since I wanted to still have easy access when I'm on a trusted machine or when using SSH agent forwarding:

  1. Pubkey auth is always allowed.
  2. If you authenticate via password then a Yubikey OTP is required.

For option 2 the Yubikey one-time password simply needs to be appended to the regular password, before pressing enter. I've put a reminder about this in the banner that SSH shows before login, because I'm likely to forget how to enter the Yubikey token.

Martijn Heemels

Posted 2011-07-21T01:20:06.223

Reputation: 465
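As an added illustration of the two-method policy Martijn describes (this is not his configuration, which he did not post): the relevant sshd_config directives and a /etc/pam.d/sshd auth stack using pam_yubico, assuming the module is installed, that the Yubico validation service is reachable, and that `CLIENT_ID_PLACEHOLDER`, the mapping file path and the token id are placeholders to be replaced with your own values.

```text
# /etc/ssh/sshd_config  (only the directives that matter here)
PubkeyAuthentication            yes   # method 1: key logins never enter the PAM "auth" stack
PasswordAuthentication          yes   # method 2: the typed password is handed to PAM below
ChallengeResponseAuthentication no
UsePAM                          yes
Banner /etc/issue.net                 # e.g. "Password, then touch the YubiKey, then Enter"

# /etc/pam.d/sshd  (auth section; replaces the distribution's common-auth / password-auth include)
# pam_yubico treats the last 44 characters of what was typed as the OTP, checks it against the
# validation service and the user->token mapping file, and stores the leading part as the
# password for the next module. CLIENT_ID_PLACEHOLDER stands for your Yubico API client id.
auth    required    pam_yubico.so   id=CLIENT_ID_PLACEHOLDER authfile=/etc/yubikey_mappings
auth    required    pam_unix.so     use_first_pass   # verifies the remainder as the Unix password

# /etc/yubikey_mappings  (user:token-public-id; the id shown is a constructed placeholder)
andy:cccccccbcdef
```

A key-based login satisfies sshd before PAM's auth stack is consulted, so the OTP is only demanded when a password is typed, which is exactly the split between methods 1 and 2 above.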