Slashdot Mirror


TiVo Web Security and Two-Factor Authentication?

mr. mulder asks: "I just attached my TiVo to my home network, giving me the ability to change my recording settings from any browser on my internal network. I would like to take this a step further and enable TiVo config changes from work, but I'm worried about security. SSL would encrypt my traffic, but wouldn't prohibit access. Ideally, I would like an easy, client-less, two-factor authentication solution. Has anyone tried this? Moreover, are there any inexpensive, secure or two-factor authentication products to protect personal/home web URLs? I've considered publishing the page on the web without security, but that leaves me wide-open. I've also considered a VPN solution with my LinkSys Firewall/Router, but it involves a client installation. As an alternative, I've turned to two-factor authentication schemes, including products such as Rainbow's iKey, Authenex's A-Key and RSA's SecureID, but they are too expensive."

36 comments

  1. Use the recommended solution by TwoStep · · Score: 2, Informative

    Try using reverse proxying through apache. I am unsure where the docs were on how to set it up, but it was pretty easy.

    Twostep

    --
    There are 10 different types of people in this world... those who understand binary, and those who don't.
    1. Re:Use the recommended solution by Specialist2k · · Score: 1

      An Apache server with mod_proxy, HTTP basic authentication and mod_ssl should do the trick.

  2. Erm by Anonymous Coward · · Score: 2, Interesting

    Can you VPN/SSH/Whatever to another machine on the network and go from there?
    Or am I missing something?

  3. Reverse Proxy by Samus · · Score: 4, Informative

    I may be wrong on this, but couldn't you place Apache in front of the tivo with a proxy pass directive? I would think that you could even have it do basic authentication on that directory. Couple that with ssl and you should have a pretty decent secure system. The only problem that you might run into is if the Tivo pages generate absolute URLs with the server name in them. Worst case scenario is you write a php, perl or jsp front end that makes calls back to the Tivo web server.

    --
    In Republican America phones tap you.
  4. Basic security by hafree · · Score: 2, Interesting

    Why not just use htaccess to password-protect the page. If that's not an option, keep that URL internal and setup a proxy to it using squid or something similar. This is your digital VCR, not corporate espionage prevention; SecureID and other similar options are a bit absurd to even consider for such an application when a simple password will suffice.

    1. Re:Basic security by gmiller123456 · · Score: 1

      Actually, I'd rather have my corporate system broken into than my Tivo, it's much more valuable. That's not a joke.

      But seriously, it's worthwhile to secure it because there are a lot of people out there with a lot of free time on their hands who would screw with his Tivo just for the fun of it. So it would be useless unless it was secure.

    2. Re:Basic security by divbyzero · · Score: 1


      Really, there's nothing wrong with simple password based authentication as long as it's not sent in the clear. Use SSL to encrypt the connection, then use htaccess to authenticate. Nothing fancy required.

      For what it's worth, this kind of setup (auth by simple password, but over an encrypted connection) is the most common way to run SSH as well.

      --
      But my grandest creation, as history will tell,
      Was Firefrorefiddle, the Fiend of the Fell.
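    The reverse-proxy setup that comments 1, 3 and 4 describe (Apache with mod_proxy in front of the TiVo, HTTP basic auth on the proxied path, mod_ssl so the password is never sent in the clear), as an added example that is not any poster's code: a small provisioning script that writes the htpasswd file and the vhost. The TiVo address 192.168.1.50, the hostname tivo.example.org, the certificate paths and the user name are hypothetical; it assumes Apache 2.x with mod_ssl, mod_proxy, mod_proxy_http and mod_auth_basic, and openssl on the proxy host for the password hash.

```shell
#!/bin/sh
# Added example: provision an Apache reverse proxy in front of TiVoWeb with
# TLS and HTTP basic auth. Not from the thread; hypothetical addresses/paths.
# Assumes Apache 2.x with mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# and a server cert/key already at the paths in the vhost below.
set -eu

TIVO_URL="http://192.168.1.50/"              # hypothetical LAN address of the TiVo
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/apache2/tivo.htpasswd}"
VHOST_FILE="${VHOST_FILE:-/etc/apache2/sites-available/tivo-proxy.conf}"

# Store the password as an apr1 (MD5-crypt) hash, the same format htpasswd -m
# writes, so the file never holds the clear-text password.
make_htpasswd() {
    user="$1"; pass="$2"
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" > "$HTPASSWD_FILE"
    chmod 640 "$HTPASSWD_FILE"
    printf '%s\n' "$HTPASSWD_FILE"
}

# Write the vhost. Only the proxy is reachable from outside; the TiVo itself
# stays on the LAN.
write_vhost() {
    cat > "$VHOST_FILE" <<EOF
Listen 443
<VirtualHost *:443>
    ServerName tivo.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tivo-proxy.pem
    SSLCertificateKeyFile /etc/ssl/private/tivo-proxy.key

    # Reverse proxy only: ProxyRequests Off keeps mod_proxy from also acting
    # as an open forward proxy. ProxyPassReverse rewrites the Location headers
    # in the TiVo's redirects so its internal name does not leak back to the
    # browser (comment 3's absolute-URL caveat).
    ProxyRequests Off
    ProxyPass        / $TIVO_URL
    ProxyPassReverse / $TIVO_URL

    <Location />
        SSLRequireSSL
        AuthType Basic
        AuthName "TiVo"
        AuthBasicProvider file
        AuthUserFile $HTPASSWD_FILE
        Require valid-user
    </Location>
</VirtualHost>
EOF
    printf '%s\n' "$VHOST_FILE"
}

# Sanity check before reloading Apache: every directive that closes a hole
# must still be present in the file.
check_vhost() {
    f="$1"
    grep -q 'ProxyRequests Off'  "$f" || { echo "forward proxying not disabled" >&2; return 1; }
    grep -q 'SSLRequireSSL'      "$f" || { echo "plaintext access allowed" >&2; return 1; }
    grep -q 'Require valid-user' "$f" || { echo "no authentication on /" >&2; return 1; }
}

# usage: sh tivo-proxy.sh provision 'passphrase'
if [ "${1:-}" = "provision" ]; then
    make_htpasswd mulder "${2:?password required}"
    write_vhost
    check_vhost "$VHOST_FILE"
fi
```

    Run it once with `provision`, enable the generated vhost and reload Apache. Two of the directives are the ones people forget: ProxyRequests Off, because a mod_proxy host with forward proxying left on is an open proxy for anyone who scans it, and SSLRequireSSL, because basic-auth credentials travel base64-encoded, not encrypted, so the TLS layer is the only thing keeping them out of the clear.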
  5. Use a reverse proxy & PAM by Hanashi · · Score: 3, Interesting

    Just an idea... Put a reverse proxy in front of the Tivo. Don't let the Tivo talk to machines outside your local network, just internal machines (including the proxy). Use SKey on the proxy for free easy 2 factor authentication. If you use apache, you can set it up to use PAM (pluggable authentication modules), and get an SKey PAM module for it. I know that all these pieces exist, but I've never used Apache w/PAM, nor have I used the SKey PAM module. Should be a good starting point, though.

    --
    Check out my eclectic infosec blog at InfoSecPotpou
  6. SSH + Port forwarding? by mrpull · · Score: 2, Interesting

    Can you SSH from work to any host on your home network? In that case, check out the man pages for the syntax for port forwarding and your problem is solved.

    mr.

  7. come on by Anonymous Coward · · Score: 0

    reverse proxy, ssh port forwarding, openbsd/authpf port forwarding, ip-restricted port forwarding, etc.

    1. Re:come on by matt_king · · Score: 0

      It's only easy if you already know how to do it.

  8. This seems like something for PAM by TomsFingerKeys · · Score: 1

    I've been looking at this kind of thing recently myself, but specifically in the Java world for JSPs. Maybe some of these links will help? http://java.sun.com/products/jaas/ http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/ http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/ http://www.pramati.com/docstore/1270002/index.htm http://www.oreillynet.com/pub/d/861

    1. Re:This seems like something for PAM by TomsFingerKeys · · Score: 3, Informative
      (Reposted to fix formatting)

      This is the kind of thing the PAM (Pluggable Authentication Modules) is meant to solve. I'm not sure how you would tie it in to your system yet, but some of these Java-centric links might help:

      http://java.sun.com/products/jaas/
      http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/
      http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/
      http://www.pramati.com/docstore/1270002/index.htm
      http://www.oreillynet.com/pub/d/861

  9. mod_proxy by gmiller123456 · · Score: 1

    Here's a link to the mod_proxy module the first couple of posts mention, I recommend you use it (it's what I use for the same purpose!):

    http://httpd.apache.org/docs/mod/mod_proxy.html

  10. Here's how: by zsmooth · · Score: 2, Insightful

    ssh -L8888:tivo.ip.address.here:80 username@home.machine.address

    open http://localhost:8888/ in your browser.

    Is this really that difficult?

    1. Re:Here's how: by Anonymous Coward · · Score: 1, Funny

      It's only difficult if you are a complete MORON.

  11. Stupid question - all over the tivoweb docs by GoRK · · Score: 4, Interesting

    This is covered in insane detail in the tivoweb docs. You have three options:

    Set up apache as a reverse proxy and put some authentication on the proxy machine.

    If that is not acceptable, use ssh port forwarding to get the job done.

    If none of these is acceptable, then use some sort of VPN solution to attach to your home network from outside.

    Be realistic, though, you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable-in-a-trillion-years triple supercrypto to do the equivalent of programming your vcr from the office. Reverse proxy and an .htaccess file will do you fine.

    ~GoRK

    1. Re:Stupid question - all over the tivoweb docs by An.+(Coward) · · Score: 1

      Be realistic, though, you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable-in-a-trillion-years triple supercrypto to do the equivalent of programming your vcr from the office.
      But I don't want some hacker breaking into it and recording stuff to make TiVo think I'm gay!
    2. Re:Stupid question - all over the tivoweb docs by GoRK · · Score: 1

      Haha; You fool! TiVo already knows you're gay!

  12. If you really must do this consider a one time pad by SouthSideNick · · Score: 1

    I think the apache proxy-ssl-htaccess solution is the best. But if you really want a no cost two-factor system (for curiosity's sake or to prevent us from knowing what pr0n is on your Tivo) consider rolling your own security with a one-time pad. Here is a nice article on the subject at IBM. If you get something like this working, let us know.

  13. Anger problem. by Anonymous Coward · · Score: 0

    MENTAL ILLNESS ALERT. Parent poster has anger problem.

  14. There's nothing on!!! by moehoward · · Score: 1

    What are you going to record? And why would you suddenly have the urge from work.

    Yes, I'm asking the forbidden "why" question. Don't forgive me, just mod me down.

    I keep telling myself I want a TIVO, but then I look at the TV Guide and there is a vast wasteland. Almost vaster in its waste factor than the Internet. And you want to combine the two. Wow. What a waste. Literally.

    Again, there's nothing on. Figure out another way to use technology to make your life more interesting. TIVO is a failure in that regard due to content issues.

    Oh, and if you miss something. Don't worry. 75% of the channels are dedicated to reruns. And the other 25% only show original content 10% of the time. TV itself is becoming the best TIVO out there.

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
    1. Re:There's nothing on!!! by Cro+Magnon · · Score: 1

      There's plenty on! Yes, 95% of the shows on TV are total crap, but the other 5% is more than enough to fill a 60 hour Tivo.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  15. Just use certs... by IronDuck · · Score: 0

    You don't need proxies or anything. Everything you want is available in your average web-browser and Apache with mod_ssl. You just need a secure website with authentication and encryption. Only you know the password, only you get in. Since you're the only one using it, just create and sign the cert yourself with OpenSSL, and ignore the warnings about unknown authority, etc. There are howtos all over the web for this. If you want greater security, you can use a client cert that you install on your browser at work...

  16. Alternative to hardware token by soramimicake · · Score: 1

    Not exact two-factor, but how about one time passwords if you are afraid of keyboard sniffers?
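    Hanashi (comment 5) suggests S/Key on the proxy and the post above suggests one-time passwords against keyboard sniffers. As an added illustration of how that family of schemes works (my code, not the S/Key PAM module, and not wire-compatible with RFC 1760 tools, which fold MD4 to 64 bits and print six-word passwords), here is the Lamport hash chain behind S/Key in POSIX sh with SHA-256: the server stores only the top of the chain, each login reveals the next link down, and a link captured on the wire is useless afterwards. The state-file layout and function names are mine.

```shell
#!/bin/sh
# Added example: an S/Key-style one-time-password chain (RFC 1760's Lamport
# hash chain) in POSIX sh. Not the S/Key PAM module and not wire-compatible
# with real S/Key (64-bit MD4 fold, six-word passwords); SHA-256 hex is used
# so the mechanism is visible. File layout and names are hypothetical.
#
#   enrol:  server stores (seed, N, H^N(seed||passphrase)); client keeps passphrase
#   login:  server prompts "seed N-1"; client answers H^(N-1)
#   check:  H(answer) == stored  ->  accept, store (seed, N-1, answer)
# A sniffed answer is H^(N-1); replaying it fails because the server now
# expects H^(N-2), and inverting the hash is the attacker's only way there.
set -eu

# hash_hex STRING -> SHA-256 of STRING as hex (input has no trailing newline)
hash_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1   # macOS/BSD
    fi
}

# otp_chain PASSPHRASE SEED N -> H^N(seed||passphrase); N=0 is the secret itself
otp_chain() {
    v="$2$1"; i=0
    while [ "$i" -lt "$3" ]; do
        v=$(hash_hex "$v"); i=$((i + 1))
    done
    printf '%s\n' "$v"
}

# otp_enroll PASSPHRASE SEED N STATEFILE: run once, on a trusted machine; the
# passphrase itself never reaches the server.
otp_enroll() {
    printf '%s %s %s\n' "$2" "$3" "$(otp_chain "$1" "$2" "$3")" > "$4"
}

# otp_challenge STATEFILE -> "seed N-1", what the login prompt shows
otp_challenge() {
    read -r seed count rest < "$1"
    printf '%s %s\n' "$seed" "$((count - 1))"
}

# otp_verify STATEFILE RESPONSE: accept iff H(response) equals the stored top
# of the chain, then move the stored top down one link.
otp_verify() {
    read -r seed count stored < "$1"
    if [ "$count" -le 1 ]; then
        # the next link would be H^0, i.e. the secret; refuse and re-enrol
        echo "chain exhausted; re-enrol with a fresh seed" >&2
        return 1
    fi
    [ "$(hash_hex "$2")" = "$stored" ] || return 1
    printf '%s %s %s\n' "$seed" "$((count - 1))" "$2" > "$1"
}
```

    On a real proxy this check lives in the PAM module and the client half in a calculator on the user's machine, with the passphrase typed there, not into the browser. The state file deserves the same protection as a password file: whoever can write it can reset the chain, and it must be re-enrolled with a new seed before the count reaches one.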

  17. Re:SSH + Port forwarding? Not that simple by Paul+Carver · · Score: 1

    Just because you can SSH doesn't necessarily mean the problem is solved. If your firewall at work is restrictive, it may allow port 22 outbound but nothing else. In particular, ports 80 and 443 may be proxied rather than permitted through the firewall.

    If you are on a typical residential ISP you may not have the option of obtaining multiple IP addresses. This means that from work your only IP connectivity to home is a single IP address and a single port.

    If this is the case, you can either forward this port or use it for interactive SSH, but not both.

    All the SSH port forwarding docs I've read assume you can choose an arbitrary unused port for forwarding. That's fine, but when you're behind a firewall you don't control you may not be able to initiate connections to arbitrary ports.

  18. Even that is too much work. by waffle+zero · · Score: 1

    I'd just ssh in and use lynx.

  19. hosts.allow by MiTEG · · Score: 1

    Something like hosts.allow would be the simplest approach if you're on a static IP. Depends on how much you trust your co-workers though.

    --
    The future isn't what it used to be.
  20. use an ssl client certificate by aminorex · · Score: 1

    Protect the pages with client certificate authentication, and put your client key pair on a USB keychain dongle. Voila, authenticated access from any web browser.

    --
    -I like my women like I like my tea: green-
  21. Why not use a smart card? by Quazimofo · · Score: 1

    Just a thought. If you really need 2-factor authentication, setup the reverse proxy (unless you can get TiVo to require SSL client-side authentication). Pick up a smart card and reader from http://www.cardstore.slb.com/. I recommend the CyberFlex E-gate for this as it will reduce your overall costs and give you MAXIMUM convenience. Once you get this all set up (you may want to visit the M.U.S.C.L.E. site if you're using Linux or Mac OS X or other un*x variants), go to your favorite free-cert provider like Thawte/Verisign. When you generate your keys, be certain to instruct your smart card to do the work. Next, configure your web-server (TiVO or Apache) to require client-side SSL authentication and specifically, your certificate. Voila! Two-factor authentication. In this case, your private key makes your smart card very unique (what you HAVE) and you should set a PIN on your smart card to protect it (what you KNOW). If you're really up for a project, add some biometric (what you ARE) card-authentication for 3-factor authentication.

  22. Re:SSH + Port forwarding? Not that simple by rthille · · Score: 1

    What I do is have my work machine ssh to my home gateway, and my 'local' work machine forwards port 2080 to my 'tivo.thille.org' machine inside my firewall at home. Then on my work machine, the url is something like 127.0.0.1:2080/...

    The only outbound port needed from work is port 22 (for ssh), because all the traffic is carried, encrypted, from my local machine inside the firewall to my home gateway/firewall over ssh. It's only at my home gateway/firewall that it's unencrypted and untunneled and forwarded to port 80 on my tivo.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  23. Re:SSH + Port forwarding? Not that simple by mrpull · · Score: 1

    I beg to differ. Consider this:

    ssh -L8080:address.of.the.tivo:80 username@public.ip.of.home
    then,
    open browser go to http://localhost:8080/

    the -L says forward requests on my machines port 8080 to port 80 on the tivo. It all goes thru the SSH tunnel.

    _IF_ he can SSH to his box on his network at home (assuming the SSH server box can reach his TiVo), firewalls and proxies shouldn't be an issue. Or am I missing something?

    mr.
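    The `ssh -L` forward from comments 10, 22 and 23, wrapped in a short script as an added example (mine, not any poster's). The TiVo's LAN address, the gateway name and the user are hypothetical. Compared with the bare command it adds -N (tunnel only, no remote shell), -f (go to the background only once the forward is up), ExitOnForwardFailure (a busy local port is an error rather than a silent shell with no tunnel), keepalives for office NATs, and an explicit 127.0.0.1 bind so other machines on the office LAN cannot ride the forwarded port.

```shell
#!/bin/sh
# Added example, not any poster's script: a wrapper around the ssh -L forward
# discussed in the thread. Hypothetical: TiVo LAN address, gateway, user.
set -eu

# tunnel_cmd LOCAL_PORT TIVO_LAN_ADDR USER@GATEWAY -> prints the ssh command.
# Only port 22 to the gateway is needed from work; the TiVo's port 80 is
# reached from the gateway, inside the home LAN, so the office firewall never
# sees HTTP. The local end is bound to loopback so only this machine can use it.
tunnel_cmd() {
    lport="$1"; tivo="$2"; dest="$3"
    case "$lport" in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "local port must be 1024-65535 (unprivileged)" >&2; return 1
    fi
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:80 %s\n' \
        "$lport" "$tivo" "$dest"
}

# start_tunnel LOCAL_PORT TIVO_LAN_ADDR USER@GATEWAY: on return the TiVo is at
# http://127.0.0.1:LOCAL_PORT/ until the background ssh process is killed.
start_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 1
    sh -c "$cmd"
}

# usage: sh tivo-tunnel.sh 8080 192.168.1.50 mulder@home.example.org
if [ $# -eq 3 ]; then
    start_tunnel "$1" "$2" "$3"
fi
```

    Because ssh -f returns only after authentication and forward setup succeed (with ExitOnForwardFailure turning a failed bind into a non-zero exit), a script can chain `start_tunnel ... && open http://127.0.0.1:8080/` without racing the tunnel.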

  24. What I did by Piquan · · Score: 1

    I made my own CA, and made certs that I can put on other computers I used. (The details of this are discussed extensively online; google for something like "howto ca openssl".)

    Then I told Apache to listen on a separate port (8126) and require a cert signed by my CA. This was proxied to tivoweb.

    Note that you can't easily use name-based virtual hosts instead of a unique port, since the host being requested isn't available until after SSL negotiation is complete.

    Most of the boilerplate SSL options have been omitted here; copy whatever you feel is relevant from your existing <VirtualHost _default_:443> section. As always, RTFM before proceeding. Most of this is fairly standard client-side apache+mod_ssl authentication stuff.

    # Boilerplate omitted: SSLCertificateFile, SSLCertificateKeyFile and
    # SSLCACertificateFile (the CA that signed the client certs) go here too.
    <IfDefine SSL>
    Listen 8126
    <VirtualHost *:8126>
    SSLEngine on
    # Forward everything to tivoweb on the LAN and rewrite its redirects.
    ProxyPass / http://tivo.piquan.org/
    ProxyPassReverse / http://tivo.piquan.org/
    <Location />
    SSLRequireSSL
    # Handshake fails unless the browser presents a cert chaining to the CA.
    SSLVerifyClient require
    # Refuse export/null ciphers and pin the cert to this CA, org and mail domain.
    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    and %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
    and %{SSL_CLIENT_S_DN_Email} =~ m/[.@]piquan\.org$/i \
    and %{SSL_CLIENT_I_DN_CN} eq "Piquan's CA" \
    and %{SSL_CLIENT_S_DN_O} eq "Piquan" )
    </Location>
    </VirtualHost>
    </IfDefine>
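    The "make your own CA" step behind that config, and behind the client-cert suggestions in comments 15, 20 and 21, as an added example with the openssl CLI (my script, not Piquan's). The DN fields are chosen so the SSLRequire line above (issuer CN "Piquan's CA", subject O "Piquan", e-mail under piquan.org) would accept the result; file names, paths and the PKCS#12 passphrase are hypothetical. The last function is the check a practitioner wants before trusting the setup: a cert from any other CA, public or private, must fail the same chain check mod_ssl performs.

```shell
#!/bin/sh
# Added example, not Piquan's script: private CA + client cert for SSLVerifyClient.
# Output in $WORKDIR:
#   ca.crt / ca.key      the CA (ca.key stays offline; Apache only needs ca.crt
#                        as SSLCACertificateFile)
#   NAME.crt / NAME.key  client cert signed by the CA
#   NAME.p12             cert+key bundle for the browser or USB keychain, locked
#                        with a passphrase: the "something you know" factor
set -eu

WORKDIR="${WORKDIR:-./tivo-ca}"

make_ca() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/O=Piquan/CN=Piquan's CA" 2>/dev/null
    chmod 600 "$WORKDIR/ca.key"
}

# make_client_cert NAME EMAIL P12_PASSPHRASE
make_client_cert() {
    name="$1"; email="$2"; p12pass="$3"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
        -subj "/O=Piquan/CN=$name/emailAddress=$email" 2>/dev/null
    # -CAcreateserial keeps a serial counter next to ca.crt so two client
    # certs never share a serial number.
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/$name.crt" 2>/dev/null
    # PKCS#12 is what browsers import; the export password protects the key
    # if the USB keychain is lost.
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -name "$name" -out "$WORKDIR/$name.p12" -passout "pass:$p12pass"
    rm -f "$WORKDIR/$name.csr"
}

# Same chain check mod_ssl performs for SSLVerifyClient require, against our
# CA only: a cert from any other issuer, including a public one, must fail.
verify_client() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# Subject e-mail, to check a cert against the SSLRequire regex before deploying.
client_email() {
    openssl x509 -in "$1" -noout -email
}

# usage: sh tivo-ca.sh init
#        sh tivo-ca.sh client NAME EMAIL P12_PASSPHRASE
case "${1:-}" in
    init)   make_ca ;;
    client) make_client_cert "${2:?name}" "${3:?email}" "${4:?p12 passphrase}" ;;
esac
```

    Revocation is the gap in a home-grown CA: if the keychain is lost, either add an SSLCARevocationFile with a CRL or, simpler at this scale, generate a new CA and re-issue the one client cert, since the SSLRequire issuer check then rejects anything signed by the old one.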

  25. Squid by Baloo+Ursidae · · Score: 1

    Why not just download and install Squid and enable authentication? Then just put that sucker out on your DMZ and you have authenticated web browsing to your local network.

    --
    Help us build a better map!