Security

TiVo Web Security and Two-Factor Authentication?

mr. mulder asks: "I just attached my TiVo to my home network, giving me the ability to change my recording settings from any browser on my internal network. I would like to take this a step further and enable TiVo config changes from work, but I'm worried about security. SSL would encrypt my traffic, but wouldn't prohibit access. Ideally, I would like an easy, client-less, two-factor authentication solution. Has anyone tried this? Moreover, are there any inexpensive, secure or two-factor authentication products to protect personal/home web URLs? I've considered publishing the page on the web without security, but that leaves me wide-open. I've also considered a VPN solution with my LinkSys Firewall/Router, but it involves a client installation. As an alternative, I've turned to two-factor authentication schemes, including products such as Rainbow's iKey, Authenex's A-Key and RSA's SecurID, but they are too expensive."
  • by TwoStep ( 36482 ) on Wednesday May 07, 2003 @12:37PM (#5901988) Homepage
    Try using reverse proxying through apache. I am unsure where the docs were on how to set it up, but it was pretty easy.

    Twostep
  • Erm (Score:2, Interesting)

    by Anonymous Coward
    Can you VPN/SSH/Whatever to another machine on the network and go from there?
    Or am I missing something?
  • Reverse Proxy (Score:4, Informative)

    by Samus ( 1382 ) on Wednesday May 07, 2003 @12:37PM (#5901991) Journal
    I may be wrong on this, but couldn't you place Apache in front of the TiVo with a proxy pass directive? I would think that you could even have it do basic authentication on that directory. Couple that with SSL and you should have a pretty decent secure system. The only problem that you might run into is if the TiVo pages generate absolute URLs with the server name in them. Worst-case scenario is you write a PHP, Perl or JSP front end that makes calls back to the TiVo web server.
  • Basic security (Score:3, Interesting)

    by hafree ( 307412 ) on Wednesday May 07, 2003 @12:38PM (#5902013) Homepage
    Why not just use htaccess to password-protect the page? If that's not an option, keep that URL internal and set up a proxy to it using squid or something similar. This is your digital VCR, not corporate espionage prevention; SecurID and other similar options are a bit absurd to even consider for such an application when a simple password will suffice.
    • Actually, I'd rather have my corporate system broken into than my Tivo, it's much more valuable. That's not a joke.

      But seriously, it's worthwhile to secure it because there are a lot of people out there with a lot of free time on their hands and would screw with his Tivo just for the fun of it. So it would be useless unless it was secure.

    • Really, there's nothing wrong with simple password based authentication as long as it's not sent in the clear. Use SSL to encrypt the connection, then use htaccess to authenticate. Nothing fancy required.

      For what it's worth, this kind of setup (auth by simple password, but over an encrypted connection) is the most common way to run SSH as well.
  • by Hanashi ( 93356 ) on Wednesday May 07, 2003 @12:40PM (#5902030) Homepage
    Just an idea... Put a reverse proxy in front of the Tivo. Don't let the Tivo talk to machines outside your local network, just internal machines (including the proxy). Use SKey on the proxy for free easy 2 factor authentication. If you use apache, you can set it up to use PAM (pluggable authentication modules), and get an SKey PAM module for it. I know that all these pieces exist, but I've never used Apache w/PAM, nor have I used the SKey PAM module. Should be a good starting point, though.
  • by mrpull ( 112590 ) on Wednesday May 07, 2003 @12:52PM (#5902174)
    Can you SSH from work to any host on your home network? In that case, check out the man pages for the syntax for port forwarding and your problem is solved.

    mr.
    • Just because you can SSH doesn't necessarily mean the problem is solved. If your firewall at work is restrictive, it may allow port 22 outbound but nothing else. In particular, ports 80 and 443 may be proxied rather than permitted through the firewall.

      If you are on a typical residential ISP you may not have the option of obtaining multiple IP addresses. This means that from work your only IP connectivity to home is a single IP address and a single port.

      If this is the case, you can either forward this port
      • What I do is have my work machine ssh to my home gateway, and my 'local' work machine forwards port 2080 to my 'tivo.thille.org' machine inside my firewall at home. Then on my work machine, the url is something like 127.0.0.1:2080/...

        The only outbound port needed from work is port 22 (for ssh), because all the traffic is carried, encrypted, from my local machine inside the firewall to my home gateway/firewall over ssh. It's only at my home gateway/firewall that it's unencrypted and untunneled and forward
      • I beg to differ. Consider this:

        ssh -L8080:address.of.the.tivo:80 username@public.ip.of.home
        then,
        open browser go to http://localhost:8080/

        the -L says forward requests on my machine's port 8080 to port 80 on the tivo. It all goes thru the SSH tunnel.

        _IF_ he can SSH to his box on his network at home (assuming the SSH server box can reach his TiVo), firewalls and proxies shouldn't be an issue. Or am I missing something?

        mr.
  • I've been looking at this kind of thing recently myself, but specifically in the Java world for JSPs. Maybe some of these links will help?

    http://java.sun.com/products/jaas/
    http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/
    http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/
    http://www.pramati.com/docstore/1270002/index.htm
    http://www.oreillynet.com/pub/d/861
  • Here's a link to the mod_proxy module the first couple of posts mention, I recommend you use it (it's what I use for the same purpose!):

    http://httpd.apache.org/docs/mod/mod_proxy.html
  • Here's how: (Score:3, Insightful)

    by zsmooth ( 12005 ) on Wednesday May 07, 2003 @01:27PM (#5902632)

    ssh -L8888:tivo.ip.address.here:80 username@home.machine.address

    open http://localhost:8888/ in your browser.

    Is this really that difficult?

  • by GoRK ( 10018 ) * on Wednesday May 07, 2003 @01:31PM (#5902693) Homepage Journal
    This is covered in insane detail in the tivoweb docs. You have three options:

    Set up apache as a reverse proxy and put some authentication on the proxy machine.

    If that is not acceptable, use ssh port forwarding to get the job done.

    If none of these is acceptable, then use some sort of VPN solution to attach to your home network from outside.

    Be realistic, though, you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable in a trillion years triple supercrypto to do the equivalent of program your vcr from the office. Reverse proxy and an .htaccess file will do you fine.

    ~GoRK
  • I think the apache proxy-ssl-htaccess solution is the best. But if you really want a no cost two-factor system (for curiosity's sake or to prevent us from knowing what pr0n is on your Tivo) consider rolling your own security with a one-time pad. Here [ibm.com] is a nice article on the subject at IBM. If you get something like this working, let us know.
  • What are you going to record? And why would you suddenly have the urge from work.

    Yes, I'm asking the forbidden "why" question. Don't forgive me, just mod me down.

    I keep telling myself I want a TIVO, but then I look at the TV Guide and there is a vast wasteland. Almost vaster in its waste factor than the Internet. And you want to combine the two. Wow. What a waste. Literally.

    Again, there's nothing on. Figure out another way to use technology to make your life more interesting. TIVO is a failure in that re
  • Not exact two-factor, but how about one time passwords [google.com] if you are afraid of keyboard sniffers?
  • Something like hosts.allow would be the simplest approach if you're on a static IP. Depends on how much you trust your co-workers though.
  • protect the pages with client certificate authent.,
    and put your client key pair on a USB keychain
    dongle. voila, authenticated access from any
    web browser.
  • Just a thought. If you really need 2-factor authentication, set up the reverse proxy (unless you can get TiVo to require SSL client-side authentication). Pick up a smart card and reader from http://www.cardstore.slb.com/ [slb.com]. I recommend the CyberFlex E-gate for this as it will reduce your overall costs and give you MAXIMUM convenience. Once you get this all set up (you may want to visit the M.U.S.C.L.E. [linuxnet.com] site if you're using Linux or Mac OS X or other un*x variants), go to your favorite free-cert provider lik
  • I made my own CA, and made certs that I can put on other computers I used. (The details of this are discussed extensively online; google for something like "howto ca openssl".)

    Then I told Apache to proxy to listen on a separate port (8126), and require a cert signed by my CA. This was forwarded to tivoweb.

    Note that you can't easily use name-based virtual hosts instead of a unique port, since the host being requested isn't available until after SSL negotiation is complete.

    Most of the boilerplate SSL opt

  • Why not just download and install Squid [squid-cache.org] and enable authentication? Then just put that sucker out on your DMZ and you have authenticated web browsing to your local network.
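
The reverse-proxy setup that several comments in this thread describe (Apache with a proxy pass directive, SSL, a password, and a client certificate signed by your own CA on a separate port such as 8126), written out as an added example that is not from any commenter or from the TiVoWeb docs. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http and basic-auth modules loaded; the TiVo address 192.168.1.50, the host name home.example.net and all file paths are placeholders.

```apache
# Added example (Apache 2.4 syntax). Placeholders: 192.168.1.50 is the TiVo,
# home.example.net is the proxy's public name, and every file path is hypothetical.

# A dedicated port, because the client-certificate requirement applies to the
# whole SSL virtual host.
Listen 8126

<VirtualHost *:8126>
    ServerName home.example.net

    # Encrypt everything between the work browser and the proxy.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/home-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/home-server.key

    # Factor 1 (something you have): a client certificate signed by your own CA,
    # for example carried on a USB key. Connections without one fail the handshake.
    SSLCACertificateFile  /etc/apache2/ssl/my-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    <Location "/">
        # Factor 2 (something you know): a password checked by the proxy,
        # sent only inside the SSL session.
        AuthType     Basic
        AuthName     "TiVo"
        AuthUserFile /etc/apache2/tivo.htpasswd
        Require      valid-user

        # Hand authenticated requests to the TiVo web server, which stays
        # reachable only from the internal network.
        ProxyPass        http://192.168.1.50:80/
        ProxyPassReverse http://192.168.1.50:80/
    </Location>
</VirtualHost>
```

ProxyPassReverse rewrites only redirect headers, so absolute URLs embedded in the TiVo's HTML pages, the problem raised in the Reverse Proxy comment, would still need separate handling. Dropping the three client-certificate lines leaves the plain SSL-plus-password setup most of the thread recommends.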
