On Fri, Jul 27, 2007 at 08:34:08AM -0400, Douglas Allan Tutty wrote: > On Fri, Jul 27, 2007 at 02:02:36AM -0400, Kevin Mark wrote: > > On Wed, Jul 25, 2007 at 05:14:22PM +0300, Nick Demou wrote: > > > I'll soon be on vacations without my PC. I believe that internet > > > access from an internet cafe will be my best option. If things go for > > > the worse how can I ssh to my debian server? > > > I suppose that a PC in most internet cafes will be willing to download > > > and run putty.exe but am I right? If not is there any other option? > > Just to mention the obvious, most access is through client-server > > programs like ssh. So, before you leave, you need to install the ssh > > server on your home machine, then test it with the ssh client program on > > localhost first and if you have a chance, from a remote host. If not a > > client-server program, then maybe a web-based control panel, although > > then you have to install apache and make sure that works remotely then. > > The other issue to consider is the method you use to authenticate from > the cafe. Assume that anything you type in (or attach via USB) will > remain on the cafe's box. You may want to set up a series of one-time > passwords for ssh. I've never ssh'd in from the internet so I haven't > needed the feature but I think its there. on the assumption that the cafe box is rooted, add an abstraction layer. Get a shell account somewhere (google free shells) and activate it (usually only a few dollars) so you can use the network tools. Then setup pubkey authentication from that shell account to your box (maybe encrypt the keys too with a one time pgp key, probably do the encryption on your local box so that its not done on an account of unknown security). Then log into the shell account from the cafe box and then from the shell account ssh in to your system. First thing after you log in, delete the pubkey used to get access. That makes it a one time transaction. When you're done with the session, delete the keys from the shell account and then cancel the shell account. Done. Any keylogger on the cafe box only gets access to your login to the shell account. Everything else is safe from that cafe box. Of course, whatever you type in the cafe box will be snopped, so you'll want to avoid subsequently using passwords for stuff on your box, if possible, but the keys won't be accessible to that cafe box. Then when you delete the ssh keys from the shell account, there is no longer any access to your box from that account. The cancellation of the shell account is probably not needed, but is the right thing to do since we assume that account is compromised. hmmm... as i review this, it also occurs to me that just putting a set of keys on a floppy, or usb key or whatever is fine provided the first thing you do when you login using that key is delete it from the .ssh/authorised_keys file. Then you are stuck at the one session. You could even create a single-use user for this purpose. Set up the user with whatever stuff you need in sudo (the sudo password will get snooped, but that's okay) and put one key in the authorised-keys file. write a custom .bashrc (or is it .profile? i can never remember) that will delete the authorised_keys file upon login. That's it. You get to use it once and its done. I like that one. Anyone care to comment on it? A
Attachment:
signature.asc
Description: Digital signature