Keylogger Paranoia

posted: April 20th, 2008

I want a network that is reasonably secure. For the past few years my requirement has been for access to my systems to be resistant to keyloggers and brute force attacks. My second requirement is that this needs to be available when travelling, i.e. in hostile computing environments.

The majority of the systems I run are Linux-based, so for the most part I have been trying to secure SSH sessions. Therefore I purchased a Rainbow I-key 3000, hoping that I could authenticate my SSH sessions using a ‘keylogger proof’ smart card.

I spent ages trying to get ssh-agent to use a smartcard (actually, I think there is still a bug in OpenSSH’s bug tracker for that), to no avail. I even tried recompiling OpenSSH but did not have any success. I gave up on that and now just use a standard SSH key.

Last year I stumbled upon WiKID, but since I want to secure two hosts on insecure networks I will need to create a VPN between the two hosts, which creates some other challenges.

As of 2007 I have outsourced a lot of our systems to SaaS providers, for example Harvest for our time tracking / billing. The shape of the systems I protect has therefore changed somewhat: I don’t need to worry about the underlying system nor the application, just access to the data itself, which is serious enough. With that in consideration I use OpenID to authenticate to these services, using an SSL certificate, which works well except it does not travel well (or at all!).

To sum it all up, after 5 years I have not achieved any of my goals and I don’t really have too many options either, which is quite disappointing! Either I implement a 2-factor authentication system like WiKID or RSA SecurID, or I review my requirements.