
Re: how to ssh to a linux box from an internet cafe

On Fri, Jul 27, 2007 at 08:34:08AM -0400, Douglas Allan Tutty wrote:
> On Fri, Jul 27, 2007 at 02:02:36AM -0400, Kevin Mark wrote:
> > On Wed, Jul 25, 2007 at 05:14:22PM +0300, Nick Demou wrote:
> > > I'll soon be on vacations without my PC. I believe that internet
> > > access from an internet cafe will be my best option. If things go for
> > > the worse how can I ssh to my debian server?
> > > I suppose that a PC in most internet cafes will be willing to download
> > > and run putty.exe but am I right? If not is there any other option?
> > Just to mention the obvious, most access is through client-server
> > programs like ssh. So, before you leave, you need to install the ssh
> > server on your home machine, then test it with the ssh client program on
> > localhost first and if you have a chance, from a remote host. If not a
> > client-server program, then maybe a web-based control panel, although
> > then you have to install apache and make sure that works remotely then.
> The other issue to consider is the method you use to authenticate from
> the cafe.  Assume that anything you type in (or attach via USB) will
> remain on the cafe's box.  You may want to set up a series of one-time
> passwords for ssh.  I've never ssh'd in from the internet so I haven't
> needed the feature but I think it's there.

On the assumption that the cafe box is rooted, add an abstraction
layer. Get a shell account somewhere (google free shells) and activate
it (usually only a few dollars) so you can use the network tools. Then
set up pubkey authentication from that shell account to your box (maybe encrypt the
keys too with a one time pgp key, probably do the encryption on your
local box so that it's not done on an account of unknown
security). Then log into the shell account from the cafe box and then
from the shell account ssh in to your system. First thing after you
log in, delete the pubkey used to get access. That makes it a one time
transaction. When you're done with the session, delete the keys from
the shell account and then cancel the shell account. Done.

Any keylogger on the cafe box only gets access to your login to the
shell account. Everything else is safe from that cafe box. Of course,
whatever you type in the cafe box will be snooped, so you'll want to
avoid subsequently using passwords for stuff on your box, if possible,
but the keys won't be accessible to that cafe box. Then when you
delete the ssh keys from the shell account, there is no longer any
access to your box from that account. The cancellation of the shell
account is probably not needed, but is the right thing to do since we
assume that account is compromised.

Hmmm... as I review this, it also occurs to me that just putting a
set of keys on a floppy, or usb key or whatever is fine provided the
first thing you do when you log in using that key is delete it from the
.ssh/authorized_keys file. Then you are stuck at the one session.

You could even create a single-use user for this purpose. Set up the
user with whatever stuff you need in sudo (the sudo password will get
snooped, but that's okay) and put one key in the authorized_keys
file. Write a custom .bashrc (or is it .profile? I can never remember)
that will delete the authorized_keys file upon login. That's it. You
get to use it once and it's done. I like that one. Anyone care to
comment on it?


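The self-deleting key proposed in the message above, as an added example that is not part of the original post. It goes a step further than the post: the removal is hooked to the key with an OpenSSH `command="..."` forced command instead of `.bashrc` or `.profile`, because shell startup files are skipped by `scp` and `ssh host cmd`, and it removes only the tagged entry rather than the whole file. The names `burn_key`, `forced_command`, the `one-shot-cafe` tag and the install path are assumptions, and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical names: burn_key,
# forced_command, the "one-shot-cafe" tag and the install path shown below.
#
# authorized_keys entry for the throwaway key (key material is a placeholder):
#   command="/usr/local/bin/one-shot one-shot-cafe" ssh-ed25519 AAAA<placeholder> one-shot-cafe

# burn_key FILE TAG: drop every entry whose last field (the key comment) is
# TAG and keep all other lines. Returns 0 if removed, 1 if none, 2 on error.
burn_key() {
    file=$1 tag=$2
    [ -f "$file" ] || return 2
    tmp=$(mktemp "$file.XXXXXX") || return 2
    awk -v tag="$tag" '$NF != tag' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$file"   # atomic rename: sshd never reads a half-written file
}

# Runs as the key's forced command, so it fires for interactive logins, scp
# and "ssh host cmd" alike. Fails closed: no session unless the key is gone.
forced_command() {
    burn_key "$HOME/.ssh/authorized_keys" "$1" || exit 1
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${SHELL:-/bin/sh}" -l
}

# Demo on a constructed file: prints what is left after burning the tag.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        'ssh-ed25519 AAAAconstructedKey1 admin@laptop' \
        'command="/usr/local/bin/one-shot one-shot-cafe" ssh-ed25519 AAAAconstructedKey2 one-shot-cafe' \
        > "$dir/authorized_keys"
    burn_key "$dir/authorized_keys" one-shot-cafe
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}

# Dispatch only when installed under the (hypothetical) name "one-shot".
case "$0" in *one-shot) forced_command "$1" ;; esac
```

The session that burned the key stays open, but a second connection with the same key is refused, so anything captured on the cafe machine cannot be replayed.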