From: "Karl E. Jorgensen" <[EMAIL PROTECTED]>
Subject: Re: service enablement via mail and otp?
Date: Wed, 31 Jul 2002 13:47:16 +0100

Hi,

> On Wed, Jul 31, 2002 at 02:01:14PM +0200, Marcin Owsiany wrote:
> > On Wed, Jul 31, 2002 at 01:37:30PM +0900, [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > For some time, I've been toying w/ the idea of putting together
> > > something that would allow me to trigger the starting/stopping of
> > > various services [1] via a mail message containing some kind of OTP.
> >
> > Recently I have seen someone posting an URL to his program which does
> > something like that. It used GPG.
> >
> > I can't find the post, but I think you could find it looking for
> > keywords like "mail" "execution" "remote" etc..
> >
> > I guess it was this list, but I'm not sure.
>
> That someone could have been me:
> http://www.karl.jorgensen.com/smash
>
> Note: This is not production quality (yet). I use it myself on a couple
> of machines and find it useful. Testers and bug reports are
> welcome. Eyes on the source to find security weaknesses are in
> high demand. Read the man-page. Caveat Emptor.

This could be nice... too nice for me perhaps (-;

I've downloaded a copy and taken a quick look at the man page -- I didn't
notice anything about mechanisms for dealing w/ replay attacks in the man
page -- are there any?

The reason I like the OTP design for my particular situation is that I
don't want to carry around a PGP key [1] and I don't want to mess w/ doing
some kind of round-trip challenge-response thing via mail to deal w/
potential replay attacks.

I'm also more comfortable w/ only allowing limited command execution --
specifically, only starting a single-session-only sshd (perhaps stopping
sshd too) -- so that worst case, someone can only start sshd on a machine
I'm looking after. Any plans for limiting the commands to be executed?

[1] I've got OTP calculators for my PDA which I'm fine w/ carrying.
Actually, what I don't want is to carry around a secret key and a
corresponding device to do the encryption/signing/decryption (perhaps some
day PDAs will do this comfortably). I'm not about to place a secret key of
mine on someone else's machine...
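The two design points raised in the reply above (replay protection without a mail round-trip, and restricting what a mailed command may do) can be illustrated with a small counter-based OTP gate. This is an added example written for this thread; it is not code from smash or from any poster, and the command line format `CMD: <name> <counter> <otp>`, the shared secret, the allowlist and the `MailCommandGate` class are all assumptions made here. Replay is prevented by a server-side counter that only moves forward: each counter value is accepted at most once, and a look-ahead window tolerates mails that were lost or arrived out of order.

```python
import hashlib
import hmac
import re
from typing import Iterable, Tuple

# Constructed shared secret for this example only. In practice it is provisioned
# to the OTP calculator once and stored only on the receiving host.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"

# Assumed command allowlist: anything not listed is refused outright, so the
# worst case for a leaked mail is that sshd gets started or stopped.
ALLOWED_COMMANDS = ("start-sshd", "stop-sshd")

# Assumed mail body convention: one line "CMD: <name> <counter> <12-hex-otp>".
CMD_LINE = re.compile(r"^\s*CMD:\s*(\S+)\s+(\d+)\s+([0-9a-f]{12})\s*$", re.M)


def make_otp(secret: bytes, counter: int) -> str:
    """Counter-based one-time password: truncated HMAC-SHA256 of the counter.

    The OTP calculator carried by the user computes the same value, so no
    challenge has to be mailed back and forth.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:6].hex()


class MailCommandGate:
    """Accepts at most one mail per counter value and only allowlisted commands."""

    def __init__(self, secret: bytes, allowed: Iterable[str], window: int = 5):
        self.secret = secret
        self.allowed = frozenset(allowed)
        self.window = window
        # Lowest counter value that is still valid; persisted on disk in a real
        # deployment so a restart does not reopen already-used values.
        self.next_counter = 0

    def handle(self, body: str) -> Tuple[bool, str]:
        """Return (accepted, reason). The command name is returned on success."""
        match = CMD_LINE.search(body)
        if not match:
            return False, "no command line found"
        cmd, counter, otp = match.group(1), int(match.group(2)), match.group(3)

        if cmd not in self.allowed:
            return False, f"command not allowed: {cmd}"
        # Replay check: any counter at or below the last accepted one is dead,
        # even if the OTP in the mail is genuine.
        if counter < self.next_counter:
            return False, "replay: counter already used"
        if counter >= self.next_counter + self.window:
            return False, "counter outside acceptance window"
        if not hmac.compare_digest(make_otp(self.secret, counter), otp):
            return False, "bad otp"

        # Advance past this counter only after the OTP verified; skipped lower
        # values (lost or reordered mails) become unusable as well.
        self.next_counter = counter + 1
        return True, f"run: {cmd}"


def build_mail(cmd: str, counter: int, secret: bytes = SHARED_SECRET) -> str:
    """Construct a sample mail body of the assumed format (constructed input)."""
    return f"Subject: please\n\nCMD: {cmd} {counter} {make_otp(secret, counter)}\n"


if __name__ == "__main__":
    gate = MailCommandGate(SHARED_SECRET, ALLOWED_COMMANDS)
    first = build_mail("start-sshd", 0)
    print(gate.handle(first))                      # accepted
    print(gate.handle(first))                      # same mail again: replay refused
    print(gate.handle(build_mail("reboot", 1)))    # valid OTP, but not allowlisted
    print(gate.handle(build_mail("stop-sshd", 1))) # accepted
```

The gate deliberately checks the allowlist and the counter before the OTP, so a captured mail cannot be re-sent to trigger a second start, and a forged command name is rejected even when the attacker somehow holds a valid OTP. The acceptance window is the trade-off between tolerating lost mails and bounding how many counter values an attacker could try to precompute.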

