[28447] in North American Network Operators' Group


external access and passwd mgmt (was Re: SSH on Cisco ...)

daemon@ATHENA.MIT.EDU (Bennett Todd)
Sun Apr 30 16:51:28 2000

Date: Sun, 30 Apr 2000 16:48:28 -0400
From: Bennett Todd <bet@rahul.net>
To: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
Cc: nanog@merit.edu
Message-ID: <20000430164828.H4416@rahul.net>
In-Reply-To: <006401bfb20a$2f95b260$eaaf6cc7@PEREGRIN>; from rmeyer@mhsc.com on Sat, Apr 29, 2000 at 11:38:59AM -0700



2000-04-29-14:38:59 Roeland Meyer:
> WRT: external access

These days, what I'd recommend is issuing laptops. If a larger
screen isn't needed for any other reason, a Sony Vaio Picturebook
would be just dandy; it's small enough to be with you nearly all the
time. Secure the _heck_ out of them, and have the only remote-access
provision be to use them. Define them to lie within your security
perimeter, and plan your trust requirements accordingly. E.g. the
credentials that are stored on a given laptop need to be clearly
identified so they can be revoked if the laptop is lost. Given a
laptop that will always be used for the external access, techniques
like ssh and vpn and whatnot work way better. For the rabidly
cautious, prohibit "nap" mode, and make sure the creds are stored
encrypted, with a passphrase that must be entered by hand. Maybe use
an encrypted filesystem if there's no other easy way to do the deed.

> WRT: Passwd diversification

GNU Keyring <URL:http://gnukeyring.sourceforge.net/> is your friend.
Store passwords in your Palm, with no fears for the security of the
backups or the loss of the Palm. And it can generate nice passwords,
too. Makes it _easy_ to use really strong (computer-generated random
strings from nearly all the printables, you pick the length) and
distinct passwords for every distinct security domain, including
every separate website that you register on.

-Bennett

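An added illustration, not part of the original message, of the point about identifying each laptop's credentials so they can be revoked if the laptop is lost. It assumes the credentials are SSH public keys in an `authorized_keys` file and that each key's comment carries a hypothetical `user@<laptop-id>` tag; the function names, laptop IDs and key blobs are constructed for the example.

```python
import re

# Matches "<keytype> <base64 blob> [comment]"; login options may precede it.
# SSH public-key blobs always begin with "AAAA" (a 4-byte length prefix).
KEY_RE = re.compile(
    r"(?:^|\s)(?:ssh-|ecdsa-sha2-|sk-)\S+\s+AAAA[A-Za-z0-9+/=]+(?:\s+(?P<comment>.*))?$"
)

def owner_tag(line):
    """Return the comment of an authorized_keys entry, or None if not a key."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = KEY_RE.search(stripped)
    return (m.group("comment") or "") if m else None

def revoke_laptop(lines, laptop_id):
    """Split entries into (kept, revoked) for keys tagged user@<laptop_id>."""
    # Require an exact ID match so "vaio-0042" does not also hit "vaio-00421".
    tag = re.compile(r"@" + re.escape(laptop_id) + r"(?:\s|$)")
    kept, revoked = [], []
    for line in lines:
        comment = owner_tag(line)
        if comment is not None and tag.search(comment):
            revoked.append(line)
        else:
            kept.append(line)
    return kept, revoked

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = [
    "# remote-access keys, one laptop per comment tag",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 alice@vaio-0042",
    'from="10.0.0.0/8",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 bob@vaio-0042',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY3 alice@vaio-00421",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY4",
]

if __name__ == "__main__":
    kept, revoked = revoke_laptop(SAMPLE, "vaio-0042")
    print("revoked:", *revoked, sep="\n  ")
    print("kept (untagged keys need manual review):", *kept, sep="\n  ")
```

The untagged key in the sample survives the revocation, which is the failure mode the message warns about: a credential that was never labelled with its laptop cannot be found when that laptop goes missing.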

