external access and passwd mgmt (was Re: SSH on Cisco ...)

  • From: Bennett Todd
  • Date: Sun Apr 30 16:52:17 2000

2000-04-29-14:38:59 Roeland Meyer:
> WRT: external access

These days, what I'd recommend is issuing laptops. If a larger
screen isn't needed for any other reason, a Sony Vaio Picturebook
would be just dandy; it's small enough to be with you nearly all the
time. Secure the _heck_ out of them, and have the only remote-access
provision be to use them. Define them to lie within your security
perimeter, and plan your trust requirements accordingly. E.g. the
credentials that are stored on a given laptop need to be clearly
identified so they can be revoked if the laptop is lost. Given a
laptop that will always be used for the external access, techniques
like ssh and vpn and whatnot work way better. For the rabidly
cautious, prohibit "nap" mode, and make sure the creds are stored
encrypted, with a passphrase that must be entered by hand. Maybe use
an encrypted filesystem if there's no other easy way to do the deed.

> WRT: Passwd diversification

GNU Keyring <URL:> is your friend.
Store passwords in your Palm, with no fears for the security of the
backups or the loss of the Palm. And it can generate nice passwords,
too. Makes it _easy_ to use really strong (computer-generated random
strings from nearly all the printables, you pick the length) and
distinct passwords for every distinct security domain, including
every separate website that you register on.
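
An added example, not part of the original message: one way to make the credentials on a given laptop identifiable so they can be revoked if it is lost. It assumes a hypothetical labelling convention in which every `authorized_keys` comment has the form `user@asset-tag`; the function name, tags and sample keys are constructed for illustration.

```python
import re

# [options] key-type base64-blob [comment], the authorized_keys line layout.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)
# Assumed labelling convention: the comment is "user@asset-tag".
TAG_RE = re.compile(r"^[\w.-]+@(?P<tag>[\w-]+)$")


def revoke_laptop(authorized_keys: str, lost_tag: str):
    """Return (kept, revoked, unlabelled) lists of lines.

    kept       - lines that stay in the file (includes unlabelled ones)
    revoked    - key lines whose comment names the lost laptop
    unlabelled - key lines that cannot be tied to any laptop
    """
    kept, revoked, unlabelled = [], [], []
    for line in authorized_keys.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            kept.append(line)  # blank lines and file comments pass through
            continue
        key = KEY_RE.search(text)
        tag = TAG_RE.match((key.group("comment") or "").strip()) if key else None
        if tag is None:
            unlabelled.append(line)  # cannot be revoked per laptop: flag it
            kept.append(line)
        elif tag.group("tag") == lost_tag:
            revoked.append(line)
        else:
            kept.append(line)
    return kept, revoked, unlabelled


# Constructed sample file; the blobs are placeholders, not real keys.
SAMPLE = """\
# remote-access laptops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderOne alice@laptop-0042
from="192.0.2.10",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EPlaceholderTwo bob@laptop-0007
ssh-rsa AAAAB3NzaC1yc2EPlaceholderThree
ecdsa-sha2-nistp256 AAAAE2VjZHNhPlaceholderFour alice@laptop-0042
"""

if __name__ == "__main__":
    kept, revoked, unlabelled = revoke_laptop(SAMPLE, "laptop-0042")
    print("revoked:", len(revoked), "unlabelled:", len(unlabelled))
    print("\n".join(kept))
```

The unlabelled list is the part worth acting on before a laptop goes missing: any key in it survives a per-laptop revocation.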


