This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Securing Sentinel on Multi-User machines

Dear List,

does anybody knows some hints for securing the SSH Sentinel software a bit more on a multi-user system?

The problem is that the SSH Sentinel:
- does not allow a user-based configuration, the configuration can just be done by administrator and is system wide
- so every authenticated user can start the vpn connection with the key of another user e.g. if he just can auth himself on the box!

So, does anybody know some hints how to secure SSH sentinel a bit more? Maybe that the user is prompted for the x.509-password when starting the connection or something like that?!?

Thanks a lot!

Matthias

This thread was automatically locked due to age.

Parents

0 Simon Shaw over 21 years ago

Create a user on the network or the box and only give that user/group permissions to execute the EXE?
Cancel
Vote Up 0 Vote Down

Cancel
0 MatthiasFleschuetz over 21 years ago in reply to Simon Shaw

[ QUOTE ]
Create a user on the network or the box and only give that user/group permissions to execute the EXE?

[/ QUOTE ]

In my eyes thats not a pretty solution as it is one more admin-task again on the clients...it also may bring up a lot of errors when the sentinel tries to start...

Another thing is that I think this might not work as SSH Sentinel is running as a system-user...so the user himself is not executing the ssh sentinel.exe!

Matthias
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 21 years ago in reply to MatthiasFleschuetz

Theres no way of doing this accept via 3rd party apps AFAIK.
Cancel
Vote Up 0 Vote Down

Cancel
0 LoosInt over 21 years ago in reply to Simon Shaw

Hm, solved this with Smartcards.
So only the User with the Smartcard and a proper key can login via vpn.
Maybe you could think in this way for a solution ?

Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 MatthiasFleschuetz over 21 years ago in reply to LoosInt

[ QUOTE ]
Hm, solved this with Smartcards.
So only the User with the Smartcard and a proper key can login via vpn.
Maybe you could think in this way for a solution ?

[/ QUOTE ]

This sounds very good for me. Can you say which Smartcards and Reader do you use for it?
Does SSH Sentinel accept Smartcards? Is there any howto for a configuration this way?

Thanks a lot,

Matthias
Cancel
Vote Up 0 Vote Down

Cancel
0 LoosInt over 21 years ago in reply to MatthiasFleschuetz

yes the Sentinel works with Smartcards. Or better a "Agent" called SSH-Accession does. (installed with SSH-Sentinel)
We use Readers and Cards from Kobil (www.kobil.de).
They provide Cards, Cardreaders, Software for Cardmanagement....
I see you are from Munich. A Reseller of this Kobil-Stuff is from Regensburg. (Maybe you have a look at www.bsp-network.de)

Greetings
Thomas
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LoosInt over 21 years ago in reply to MatthiasFleschuetz

yes the Sentinel works with Smartcards. Or better a "Agent" called SSH-Accession does. (installed with SSH-Sentinel)
We use Readers and Cards from Kobil (www.kobil.de).
They provide Cards, Cardreaders, Software for Cardmanagement....
I see you are from Munich. A Reseller of this Kobil-Stuff is from Regensburg. (Maybe you have a look at www.bsp-network.de)

Greetings
Thomas
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 JonathanCraft over 21 years ago in reply to LoosInt

Hi, we have solved this issue by use of iKey's from http://uk.rainbow.com/products/ikey/ikey3000.asp, its just mater of installing the certificate on the key assigning a pin number to it and then plugging it into a free USB port. When a user without that ikey tries to connect SSH does not have the required certificate to join. Furthermore you could enable L2TP over IPSec which would require the user to have a username and password as well as the certificate.

My advice though would be to try the key soloution, it does not require a seperate reader and they work out at about 35-40GBP.

Jonathan
Cancel
Vote Up 0 Vote Down

Cancel