Slashdot Mirror


TiVo Web Security and Two-Factor Authentication?

mr. mulder asks: "I just attached my TiVo to my home network, giving me the ability to change my recording settings from any browser on my internal network. I would like to take this a step further and enable TiVo config changes from work, but I'm worried about security. SSL would encrypt my traffic, but wouldn't prohibit access. Ideally, I would like an easy, client-less, two-factor authentication solution. Has anyone tried this? Moreover, are there any inexpensive, secure or two-factor authentication products to protect personal/home web URLs? I've considered publishing the page on the web without security, but that leaves me wide-open. I've also considered a VPN solution with my LinkSys Firewall/Router, but it involves a client installation. As an alternative, I've turned to two-factor authentication schemes, including products such as Rainbow's iKey, Authenex's A-Key and RSA's SecureID, but they are too expensive."

9 of 36 comments

  1. Use the recommended solution by TwoStep · · Score: 2, Informative

    Try using reverse proxying through Apache. I am unsure where the docs were on how to set it up, but it was pretty easy.

    Twostep

    --
    There are 10 different types of people in this world... those who understand binary, and those who don't.
  2. Erm by Anonymous Coward · · Score: 2, Interesting

    Can you VPN/SSH/Whatever to another machine on the network and go from there?
    Or am I missing something?

  3. Reverse Proxy by Samus · · Score: 4, Informative

    I may be wrong on this, but couldn't you place Apache in front of the TiVo with a proxy pass directive? I would think that you could even have it do basic authentication on that directory. Couple that with SSL and you should have a pretty decent secure system. The only problem that you might run into is if the TiVo pages generate absolute URLs with the server name in them. Worst-case scenario is you write a PHP, Perl or JSP front end that makes calls back to the TiVo web server.

    --
    In Republican America phones tap you.
  4. Basic security by hafree · · Score: 2, Interesting

    Why not just use htaccess to password-protect the page? If that's not an option, keep that URL internal and set up a proxy to it using squid or something similar. This is your digital VCR, not corporate espionage prevention; SecureID and other similar options are a bit absurd to even consider for such an application when a simple password will suffice.

  5. Use a reverse proxy & PAM by Hanashi · · Score: 3, Interesting

    Just an idea... Put a reverse proxy in front of the Tivo. Don't let the Tivo talk to machines outside your local network, just internal machines (including the proxy). Use SKey on the proxy for free easy 2 factor authentication. If you use apache, you can set it up to use PAM (pluggable authentication modules), and get an SKey PAM module for it. I know that all these pieces exist, but I've never used Apache w/PAM, nor have I used the SKey PAM module. Should be a good starting point, though.

    --
    Check out my eclectic infosec blog at InfoSecPotpou
  6. SSH + Port forwarding? by mrpull · · Score: 2, Interesting

    Can you SSH from work to any host on your home network? In that case, check out the man pages for the syntax for port forwarding and your problem is solved.

    mr.

  7. Re:This seems like something for PAM by TomsFingerKeys · · Score: 3, Informative
    (Reposted to fix formatting)

    This is the kind of thing the PAM (Pluggable Authentication Modules) is meant to solve. I'm not sure how you would tie it in to your system yet, but some of these Java-centric links might help:

    http://java.sun.com/products/jaas/
    http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/
    http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/
    http://www.pramati.com/docstore/1270002/index.htm
    http://www.oreillynet.com/pub/d/861

  8. Here's how: by zsmooth · · Score: 2, Insightful

    ssh -L8888:tivo.ip.address.here:80 username@home.machine.address

    open http://localhost:8888/ in your browser.

    Is this really that difficult?

  9. Stupid question - all over the tivoweb docs by GoRK · · Score: 4, Interesting

    This is covered in insane detail in the tivoweb docs. You have three options:

    Set up Apache as a reverse proxy and put some authentication on the proxy machine.

    If that is not acceptable, use ssh port forwarding to get the job done.

    If none of these is acceptable, then use some sort of VPN solution to attach to your home network from outside.

    Be realistic, though, you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable in a trillion years triple supercrypto to do the equivalent of program your VCR from the office. Reverse proxy and an .htaccess file will do you fine.

    ~GoRK
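
The reverse-proxy setup that several comments above recommend, written out as an added example (it is not taken from the thread or from the tivoweb docs). It assumes Apache httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the hostname, internal IP address, realm name and file paths are placeholders.

```apache
# Added example: Apache httpd 2.4 as an authenticating TLS reverse proxy
# in front of the TiVo web interface.
# Placeholders (assumptions): tivo.home.example, 192.168.1.50, all file paths.

# Reverse proxying only; never act as an open forward proxy.
ProxyRequests Off

<VirtualHost *:443>
    ServerName tivo.home.example

    # TLS is what protects the Basic credentials in transit;
    # without it they cross the network merely base64-encoded.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/tivo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/tivo.key

    # Forward every request to the TiVo's internal address.
    ProxyPass        / http://192.168.1.50:80/
    # Rewrites Location headers on redirects only. Absolute URLs inside
    # the page bodies (the problem Samus mentions) are not rewritten.
    ProxyPassReverse / http://192.168.1.50:80/

    # Authentication is enforced on the proxy before anything reaches the TiVo.
    <Location "/">
        AuthType Basic
        AuthName "TiVo"
        # Create with: htpasswd -c /etc/apache2/tivo.htpasswd <user>
        # Keep this file outside any directory Apache serves.
        AuthUserFile /etc/apache2/tivo.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# Deliberately no port-80 virtual host proxying to the TiVo, so the
# password is never accepted over plain HTTP.
```

On the router, forward only TCP 443 to the proxy machine and leave the TiVo's own port reachable from the internal network alone, as Hanashi's comment describes.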