TiVo Web Security and Two-Factor Authentication? 36
mr. mulder asks: "I just attached my TiVo to my home network, giving me the ability to change my recording settings from any browser on my internal network. I would like to take this a step further and enable TiVo config changes from work, but I'm worried about security. SSL would encrypt my traffic, but wouldn't prohibit access. Ideally, I would like an easy, client-less, two-factor authentication solution. Has anyone tried this? Moreover, are there any inexpensive, secure or two-factor authentication products to protect personal/home web URLs? I've considered publishing the page on the web without security, but that leaves me wide open. I've also considered a VPN solution with my Linksys Firewall/Router, but it involves a client installation. As an alternative, I've turned to two-factor authentication schemes, including products such as Rainbow's iKey, Authenex's A-Key and RSA's SecurID, but they are too expensive."
Use the recommended solution (Score:3, Informative)
Twostep
Re:Use the recommended solution (Score:1)
Erm (Score:2, Interesting)
Or am I missing something?
Reverse Proxy (Score:4, Informative)
Basic security (Score:3, Interesting)
Re:Basic security (Score:1)
But seriously, it's worthwhile to secure it because there are a lot of people out there with a lot of free time on their hands and would screw with his Tivo just for the fun of it. So it would be useless unless it was secure.
Re:Basic security (Score:2)
Really, there's nothing wrong with simple password based authentication as long as it's not sent in the clear. Use SSL to encrypt the connection, then use htaccess to authenticate. Nothing fancy required.
For what it's worth, this kind of setup (auth by simple password, but over an encrypted connection) is the most common way to run SSH as well.
Use a reverse proxy & PAM (Score:4, Interesting)
SSH + Port forwarding? (Score:3, Interesting)
mr.
Re:SSH + Port forwarding? Not that simple (Score:2)
If you are on a typical residential ISP you may not have the option of obtaining multiple IP addresses. This means that from work your only IP connectivity to home is a single IP address and a single port.
If this is the case, you can either forward this port
Re:SSH + Port forwarding? Not that simple (Score:2)
The only outbound port needed from work is port 22 (for ssh), because all the traffic is carried, encrypted, from my local machine inside the firewall to my home gateway/firewall over ssh. It's only at my home gateway/firewall that it's unencrypted and untunneled and forward
Re:SSH + Port forwarding? Not that simple (Score:2)
ssh -L8080:address.of.the.tivo:80 username@public.ip.of.home
then,
open browser go to http://localhost:8080/
The -L says forward requests on my machine's port 8080 to port 80 on the tivo. It all goes thru the SSH tunnel.
_IF_ he can SSH to his box on his network at home (assuming the SSH server box can reach his TiVo), firewalls and proxies shouldn't be an issue. Or am I missing something?
mr.
This seems like something for PAM (Score:1)
Re:This seems like something for PAM (Score:3, Informative)
This is the kind of thing the PAM (Pluggable Authentication Modules) is meant to solve. I'm not sure how you would tie it in to your system yet, but some of these Java-centric links might help:
http://java.sun.com/products/jaas/ [sun.com]
http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/ [sun.com]
http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/ [sun.com]
http://www.pramati.com/docstore/1270002/index.htm [pramati.com]
http://www.oreillynet.com/pub/d/861 [oreillynet.com]
mod_proxy (Score:1)
http://httpd.apache.org/docs/mod/mod_proxy.html
Here's how: (Score:3, Insightful)
ssh -L8888:tivo.ip.address.here:80 username@home.machine.address
open http://localhost:8888/ in your browser.
Is this really that difficult?
Re:Here's how: (Score:1, Funny)
Even that is too much work. (Score:1)
Stupid question - all over the tivoweb docs (Score:5, Interesting)
Set up apache as a reverse proxy and put some authentication on the proxy machine.
If that is not acceptable, use ssh port forwarding to get the job done.
If none of these is acceptable, then use some sort of VPN solution to attach to your home network from outside.
Be realistic, though, you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable in a trillion years triple supercrypto to do the equivalent of program your vcr from the office. Reverse proxy and an
~GoRK
Re:Stupid question - all over the tivoweb docs (Score:1)
Re:Stupid question - all over the tivoweb docs (Score:2)
If you really must do this consider a one time pad (Score:1)
There's nothing on!!! (Score:1)
Yes, I'm asking the forbidden "why" question. Don't forgive me, just mod me down.
I keep telling myself I want a TIVO, but then I look at the TV Guide and there is a vast wasteland. Almost vaster in its waste factor than the Internet. And you want to combine the two. Wow. What a waste. Literally.
Again, there's nothing on. Figure out another way to use technology to make your life more interesting. TIVO is a failure in that re
Re:There's nothing on!!! (Score:2)
Alternative to hardware token (Score:1)
hosts.allow (Score:1)
use an ssl client certificate (Score:2)
and put your client key pair on a USB keychain dongle. Voila, authenticated access from any web browser.
Why not use a smart card? (Score:1)
What I did (Score:2)
I made my own CA, and made certs that I can put on other computers I used. (The details of this are discussed extensively online; google for something like "howto ca openssl".)
Then I told Apache to proxy to listen on a separate port (8126), and require a cert signed by my CA. This was forwarded to tivoweb.
Note that you can't easily use name-based virtual hosts instead of a unique port, since the host being requested isn't available until after SSL negotiation is complete.
Most of the boilerplate SSL opt
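The private-CA setup described in the comment above, as an added example that is not part of the original post: it creates a CA, issues a client certificate, bundles it for a browser, and shows that a certificate from a different CA is rejected. All names (home-ca, other-ca, work-laptop, stranger), file names and the password are constructed for illustration; `openssl verify` stands in for the chain check the proxy performs during the TLS handshake.

```shell
#!/usr/bin/env bash
# Added example: private CA + client certificates. All names are constructed.

# make_ca DIR NAME: self-signed CA key and certificate in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client DIR CA NAME: key + CSR for NAME, signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 90 -out "$1/$3.crt" 2>/dev/null
}

# export_p12 DIR NAME PASSWORD: bundle key + cert for import into a browser.
export_p12() {
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -out "$1/$2.p12" -passout "pass:$3"
}

# check_client DIR CA NAME: succeeds only if NAME's cert chains to CA.
# mod_ssl makes the same decision when the proxy vhost sets
# SSLVerifyClient require and SSLCACertificateFile to the CA certificate.
check_client() {
  openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# demo: returns 0 only if our client is accepted and the stranger is rejected.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" home-ca && make_ca "$d" other-ca &&
    issue_client "$d" home-ca work-laptop &&
    issue_client "$d" other-ca stranger &&
    export_p12 "$d" work-laptop "change-me" || return 1
  check_client "$d" home-ca work-laptop && ok=accepted || ok=rejected
  check_client "$d" home-ca stranger && bad=accepted || bad=rejected
  rm -rf "$d"
  echo "work-laptop: $ok, stranger: $bad"
  [ "$ok" = accepted ] && [ "$bad" = rejected ]
}

if [ "${1:-}" = demo ]; then demo; fi
```

Only the `.p12` bundle needs to travel to the other computers; the CA private key stays on the machine that issues certificates.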
Squid (Score:2)