Re: service enablement via mail and otp?
From: "Karl E. Jorgensen" <email@example.com>
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100
> On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > On Wed, Jul 31, 2002 at 01:37:30PM +0900, firstname.lastname@example.org wrote:
> > > Hi,
> > >
> > > For some time, I've been toying w/ the idea of putting together
> > > something that would allow me to trigger the starting/stopping of
> > > various services  via a mail message containing some kind of OTP.
> > Recently I have seen someone posting an URL to his program which does
> > something like that. It used GPG.
> > I can't find the post, but I think you could find it looking for
> > keywords like "mail" "execution" "remote" etc..
> > I guess it was this list, but I'm not sure.
> That someone could have been me:
> Note: This is not production quality (yet). I use it myself on a couple
> of machines and find it useful. Testers and bugreports are
> welcome. Eyes on the source to find security weaknesses are in
> high demand. Read the man-page. Caveat Emptor.
This could be nice...too nice for me perhaps (-;
I've downloaded a copy and taken a quick look at the man page -- I
didn't notice anything about mechanisms for dealing w/ replay attacks
in the man page -- are there any?
The reason I like the OTP design for my particular situation is that I
don't want to carry around a PGP key  and I don't want to mess w/
doing some kind of round-trip-challenge-response thing via mail to
deal w/ potential replay attacks.
I'm also more comfortable w/ only allowing limited command execution
-- specifically, only starting a single-session-only sshd (perhaps
stopping sshd too) -- so that worse case, someone can only start sshd
on a machine I'm looking after. Any plans for limiting the commands
to be executed?
 I've got OTP calculators for my PDA which I'm fine w/ carrying.
Actually, what I don't want is to carry around a secret key and a
corresponding device to do the encryption/signing/decryption
(perhaps some day PDAs will do this comfortably). I'm not about
to place a secret key of mine on someone else's machine...