Re: service enablement via mail and otp?

To: debian-security@lists.debian.org
Subject: Re: service enablement via mail and otp?
From: sen_ml@eccosys.com
Date: Thu, 01 Aug 2002 08:09:31 +0900 (JST)
Message-id: <[🔎] 20020801.080931.55514503@message-id.org>
In-reply-to: <[🔎] 20020731124716.GA16835@e-jorgensen.freeserve.co.uk>
References: <[🔎] 20020731.133730.48534794@message-id.org> <[🔎] 20020731120114.GB2180@melina.ds14.agh.edu.pl> <[🔎] 20020731124716.GA16835@e-jorgensen.freeserve.co.uk>

Hi,

From: "Karl E. Jorgensen" <karl@jorgensen.com>
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100

> On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > On Wed, Jul 31, 2002 at 01:37:30PM +0900, sen_ml@eccosys.com wrote:
> > > Hi,
> > > 
> > > For some time, I've been toying w/ the idea of putting together
> > > something that would allow me to trigger the starting/stopping of
> > > various services [1] via a mail message containing some kind of OTP.
> > 
> > Recently I have seen someone posting an URL to his program which does
> > something like that. It used GPG. 
> > 
> > I can't find the post, but I think you could find it looking for
> > keywords like "mail" "execution" "remote" etc..
> > 
> > I guess it was this list, but I'm not sure.
> 
> That someone could have been me:
>     http://www.karl.jorgensen.com/smash
> 
> Note: This is not production quality (yet). I use it myself on a couple
>       of machines and find it useful. Testers and bugreports are
>       welcome. Eyes on the source to find security weaknesses are in
>       high demand. Read the man-page. Caveat Emptor.

This could be nice...too nice for me perhaps (-;

I've downloaded a copy and taken a quick look at the man page -- I
didn't notice anything about mechanisms for dealing w/ replay attacks
in the man page -- are there any?

The reason I like the OTP design for my particular situation is that I
don't want to carry around a PGP key [1] and I don't want to mess w/
doing some kind of round-trip-challenge-response thing via mail to
deal w/ potential replay attacks.

I'm also more comfortable w/ only allowing limited command execution
-- specifically, only starting a single-session-only sshd (perhaps
stopping sshd too) -- so that worse case, someone can only start sshd
on a machine I'm looking after.  Any plans for limiting the commands
to be executed?


[1] I've got OTP calculators for my PDA which I'm fine w/ carrying.
    Actually, what I don't want is to carry around a secret key and a
    corresponding device to do the encryption/signing/decryption
    (perhaps some day PDAs will do this comfortably).  I'm not about
    to place a secret key of mine on someone else's machine...

Reply to:

Follow-Ups:
- Re: service enablement via mail and otp?
  - From: "Karl E. Jorgensen" <karl@jorgensen.com>

References:
- service enablement via mail and otp?
  - From: sen_ml@eccosys.com
- Re: service enablement via mail and otp?
  - From: Marcin Owsiany <porridge@debian.org>
- Re: service enablement via mail and otp?
  - From: "Karl E. Jorgensen" <karl@jorgensen.com>

Prev by Date: Re: Some more port closing questions
Next by Date: Re: SunRPC Vulnerability
Previous by thread: Re: service enablement via mail and otp?
Next by thread: Re: service enablement via mail and otp?
Index(es):
- Date
- Thread