If you log in to your home computer from an internet cafe, there's every chance someone could have logged what you typed. You can use the on-screen keyboard to get around that problem, but your movements on screen can be tracked too.
What can you do?
One-time passwords are the answer. You use each one once, and then go to the next one in the list.
However, as I found, they are not simple to get working in the first place. So, here's a quick guide.
Don't mess with this too much remotely, or be prepared for it to go wrong: you're changing the ssh login here, and if you get it wrong (don't blame me) you'll be locked out.
/etc/ssh/sshd_config
will need "UsePAM yes" in it
then
/etc/pam.d/sshd
will need to look something like:
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_ppp.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
#auth required pam_deny.so
Basically that will ask for the one-time password first, and if that fails it will then ask you for your normal password.
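An added sketch (not from the original post) that models how the required/sufficient/optional control flags decide the stack above, following the control-flag semantics documented for Linux-PAM. The result each module returns is an assumed input, including that pam_nologin.so reports success and pam_afpmount.so is ignored; the stack text is copied from the post.

```python
# Added example: a model of PAM control flags, not real PAM code.
PAGE_STACK = """\
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_ppp.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
#auth required pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)], skipping comments and other facilities."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results: module -> 'success' | 'fail' | 'ignore' (assumed inputs).
    Returns (granted, modules_called)."""
    granted, required_failed, called = False, False, []
    for control, module in stack:
        outcome = results.get(module, "fail")  # unknown modules (pam_deny) fail
        called.append(module)
        if outcome == "ignore":
            continue
        if outcome == "success":
            if not required_failed:
                granted = True
                if control == "sufficient":
                    break               # sufficient success ends the stack
        elif control == "required":
            required_failed = True      # keep going, final answer is deny
        elif control == "requisite":
            required_failed = True
            break                       # deny immediately
        # a failed sufficient or optional module is simply ignored
    return granted and not required_failed, called

def scenario(stack_text, otp, password):
    """otp / password: True if the user supplied a valid one (constructed input)."""
    results = {"pam_nologin.so": "success", "pam_afpmount.so": "ignore",
               "pam_ppp.so": "success" if otp else "fail",
               "pam_securityserver.so": "success" if password else "fail",
               "pam_unix.so": "success" if password else "fail"}
    return evaluate(parse_stack(stack_text), results)
```

Under these assumed results, `scenario(PAGE_STACK, False, False)` is still granted, because the earlier required success stands when every sufficient module fails; with the pam_deny.so line active the same input is denied. Try bad credentials from a second session, keeping the first one open, before relying on the stack.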
You can generate a list of passwords using the gmail-otp package, amongst others.
The next thing you might need is a putty.exe-like Java applet in case you can't put a USB stick in the cafe.
Hope this helps
2 comments:
It's
auth sufficient pam_ppp.so
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
on Sabayon
Also, you can add
auth sufficient pam_ppp.so
to the top of /etc/pam.d/sudo
otherwise as soon as you need to do anything as root you'll expose your password