Very Computer

You did't really mean DOS, I see...

Quote:>   Before, I would just telnet in, but now i realize how easy it is to run
> packet sniffers and grab passwords from people doing just what i was doing.
> How can i make the linux box only offer login ability through an encrypted
> connection?  

Install ssh (v1 would be fine, i.e 1.2.26) on the linux box, and ttssh
on Win9x.  Works great.  With the latest ttssh, if you have an X server
(eXceed or whatever) on 'doze you can run secure X sessions too.
http://www.zip.com.au/~roca/ttssh.html

ssh has its own usenet group, so raise any detailed questions there:
comp.security.ssh

It's 18 Jan 99  16:16:09,

discussion of secure telnet from dos box to linux box

 ch> Before, I would just telnet in, but now i realize how easy it is to
 ch> run packet sniffers and grab passwords from people doing just what i
 ch> was doing.  How can i make the linux box only offer login ability
 ch> through an encrypted connection?  I don't want passwords from login
 ch> prompts or su commands to go over the network as plain text, as i think
 ch> thats how the computer was comprimised the first time. What progam
 ch> should I then use to remotely login to the linux box.  I need to know
 ch> what to use when logging in from my Win98 computer, and what to use
 ch> when logging in from other linux computers.
 ch> If it helps any, my hosts.deny and hosts.allow look like this:

Install SSH on the Linux box and configure it to accept logins only from
where you want (sshd runs as a daemon, so hosts.allow etc won't help).

On the Windows client, you can pay for commercial SSH clients, but for a
freebie, locate Tera Term Pro (can find it on winfiles.com), follow the
link to the home page and download the latst version.  From the tera
Term home page, you can access a link to an SSH extension, which will
turn it into a full blown SSH client.  The setup works quite well. :-)

Then, it's up to you whether you want to continue using (encrypted)
passwd authentication on your Linux box, or configure sshd to only
accept a key system. :)  With this configuration, sshd won't accept a
login, unless you possess the required key pair for both your machine
and the Linux box. :)

At this point, you can safely kill off the telnet and rsh services. :)

However, you still have to watch what else you run on your Linux box.
ssh does nothing to guard against buffer overflow exploits and the like
against other daemons running on your box. :)

.. Do computers on ships run Microsoft Portholes?
--
|Fidonet:  Tony Langdon 3:633/284.18

|
| Standard disclaimer: The views of this user are strictly his own.

Quote:> Install SSH on the Linux box and configure it to accept logins only from
> where you want

With respect, I said that quite a while back on this thread, along with
recommending the latest ttssh (1.4), which also supports X forwarding.

Quote:> (sshd runs as a daemon, so hosts.allow etc won't help).

That's a confusing and inaccurate statement.  See below.

Quote:> However, you still have to watch what else you run on your Linux box.
> ssh does nothing to guard against buffer overflow exploits and the like
> against other daemons running on your box. :)

That's very true.

Now, about this hosts.allow thing.

hosts.allow/deny is a mechanism supported by libwrap.  You certainly
_can_ make use of that from sshd, and in one of two ways.

1. (recommended): build sshd using the --with-libwrap=/path/to/libwrap
option, then sshd (started up at initialisation time) will call the
libwrap functions to find out if it should allow the incoming call.

2. (feasible, and I've seen a few recommendations for it): have sshd
started per-call from inetd via tcp-wrappers.  Then tcp wrappers will
apply the libwrap rules to find out whether to start up sshd.

Either will do; you don't need both.  As i say, I recommend option (1).

[crossposted and f'ups set]

As others have said, SSH is a good solution. SRP (Secure Remote
Protocol) is another solution, at least for protection from password
sniffing. More information on SRP can be found at

        http://srp.stanford.edu/srp/

#include <stddisclaim.h> /* I speak only for myself, not my employers. */
--
   Jeff Marker                           US West !NTERACT Internet Services
   Security Grue                         600 Stinson Blvd.

      "Nowhere is the meaning of life so evident as in the floating disk."

Install SRP on your Linux box, and use one of the free SRP Windows
clients (I'd recommend TeraTermPro 2.2+SRP or Kermit95) on your Win98
box.  You might want to add ssh as well, but be sure to disable
cleartext password authentication when you're done!

  http://srp.stanford.edu/srp/
  http://www.ssh.fi/
--


  Phone: (650) 723-1565             mouse can crash Windows with one click."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

As several others have already said, ssh is the program you want.  The
web page below has links to three ssh clients for Windows, of which I
would recommend PuTTY most highly.  ssh for Linux can be found from
the usual sources (sunsite, etc.).

http://excession.ucam.org/~jtjm2

Note that the clients on this page may be used outside the US without
legal difficulty.  Those living inside the US should make certain they
have obtained the appropriate RSA libraries, to avoid infringing a
rather pathetic US Patent.

(And don't anyone get me started on US Export laws... ;-) )
--

Trinity Hall, Cambridge |  Excession: http://excession.ucam.org
"For every complex problem, there is a solution that is simple,
neat, and wrong."  (H. L. Mencken)