Contributed by grey on from the useful-DIY-project dept.
You can read the document here: http://www.gcrc.upenn.edu/~steve/pennkey_wireless.html
It appears as though Steven did this with OpenBSD 3.2, and the Kerberos information is aimed towards the University of Pennsylvania's network. However, it is still a useful guide, complete with pragmatic hardware recommendations; all good things if you are looking to implement this sort of thing yourself.
By Chas (12.217.90.112) on
I've only done basic setup of WLANs and I have a few questions:
Is it correct that you can either use ssh/authpf, or Kerberos? The document seems to indicate that both are not required.
Can Putty be used as the ssh client, rather than the client used in the document?
Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.
Is the problem with the incompatible Kerberos key format still in effect with 3.5?
Are either of the techniques presented in the document at all vulnerable to wardriving/sniffing? No problems with WEP?
Thanks for helping out a wlan neophyte.
By Christopher (65.92.48.36) christopher@themanor.net on
Kerberos is used in place of local passwords, with ssh being the mechanism to login. 3.5 ships with an openssh capable of direct gssapi(kerberos) logins via ssh, so you no longer need to provide a password to the remote machine. (man sshd_config : GSSAPIAuthentication)
Can Putty be used as the ssh client, rather than the client used in the document?
Sure.
Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.
Depends on whether you want to give shell accounts to your users. But now you have to train your users how to set up forwarding with ssh. And you only have proxy for web ... no mail, no private vpn.
Is the problem with the incompatible Kerberos key format still in effect with 3.5?
Shouldn't be. 3.2 had heimdal 0.4e, lots has changed since then. 3.4/3.5 both have 0.6.0.
Are either of the techniques presented in the document at all vulnerable to wardriving/sniffing? No problems with WEP?
The usual suspects still exist ... man-in-the-middle on ssh unless you already have the host key, and you still have to configure transport security for your traffic; ipsec is built into OpenBSD, and winXP has tolerable support for it as well.
WEP isn't worth the performance hit. Use ipsec and be guaranteed of end-to-end security on systems you control. Let the wireless do what it's supposed to do: pass packets.
By Anonymous Coward (212.202.169.152) on
By Simon (217.157.132.75) on
By Juanjo (81.203.204.89) on http://blackshell.usebox.net/
I've noticed some problems. PuTTY seems unable to log in to an account without a shell (e.g. you're making an ssh tunnel with /sbin/nologin). That's a problem if you wanna let your users make ssh tunnels without login.
There's a nice win32 port of openssh, I cannot remember the URL (ask google).
Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.
I'm using kinda that configuration (squid listening on 127.0.0.1 and ssh tunnels from the wifi lan), but without PuTTY for the described problem.
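Chas's "ssh only, forward just the proxy port" proposal and Juanjo's squid-on-loopback setup written out as one configuration, as an added example that is not from the linked document or from any poster: pf admits only ssh from the wireless segment to the gateway itself, sshd confines a tunnel-only group to forwarding the proxy port, and squid listens on loopback only. The interface name wi0, the group name wlan and port 3128 are assumptions, and the Match/PermitOpen directives assume OpenSSH 4.4 or later (the sshd shipped with OpenBSD 3.5 does not have them).

```conf
# /etc/pf.conf (fragment): from the wireless segment, only ssh to the gateway
wlan_if = "wi0"                 # assumed wireless interface name
block in on $wlan_if all
pass in on $wlan_if proto tcp from $wlan_if:network to ($wlan_if) port 22 keep state
# (add passes for DHCP/DNS here if the gateway also serves them to the wlan)

# /etc/ssh/sshd_config (fragment): tunnel-only users in the assumed group "wlan"
# Match and PermitOpen need OpenSSH 4.4+; not available in OpenBSD 3.5's sshd.
Match Group wlan
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3128   # the only forward target sshd will open
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/true      # any requested shell exits at once; the tunnel
                                # survives only if the client asks for no shell

# /etc/squid/squid.conf (fragment): proxy reachable only through the tunnel
http_port 127.0.0.1:3128
acl tunnel_clients src 127.0.0.1/32
http_access allow tunnel_clients
http_access deny all

# Client side. OpenSSH: no shell (-N), forward local 3128 to the proxy:
#   ssh -N -L 3128:127.0.0.1:3128 user@gateway
# PuTTY: Connection > SSH > Tunnels, source 3128, destination 127.0.0.1:3128,
# and tick "Don't start a shell or command at all" under Connection > SSH,
# which avoids the no-shell login problem described above.
# Then set the browser's HTTP proxy to 127.0.0.1:3128.
```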
By James Holmes (142.161.30.213) on