TiVo Web Security and Two-Factor Authentication?
mr. mulder asks: "I just attached my TiVo to my home network, giving me the ability to change my recording settings from any browser on my internal network. I would like to take this a step further and enable TiVo config changes from work, but I'm worried about security. SSL would encrypt my traffic, but wouldn't prohibit access. Ideally, I would like an easy, client-less, two-factor authentication solution. Has anyone tried this? Moreover, are there any inexpensive, secure or two-factor authentication products to protect personal/home web URLs? I've considered publishing the page on the web without security, but that leaves me wide-open. I've also considered a VPN solution with my LinkSys Firewall/Router, but it involves a client installation. As an alternative, I've turned to two-factor authentication schemes, including products such as Rainbow's iKey, Authenex's A-Key and RSA's SecureID, but they are too expensive."
I may be wrong on this, but couldn't you place Apache in front of the TiVo with a proxy pass directive? I would think that you could even have it do basic authentication on that directory. Couple that with SSL and you should have a pretty decent secure system. The only problem that you might run into is if the TiVo pages generate absolute URLs with the server name in them. Worst-case scenario is you write a PHP, Perl or JSP front end that makes calls back to the TiVo web server.
In Republican America phones tap you.
Just an idea... Put a reverse proxy in front of the TiVo. Don't let the TiVo talk to machines outside your local network, just internal machines (including the proxy). Use SKey on the proxy for free, easy two-factor authentication. If you use Apache, you can set it up to use PAM (pluggable authentication modules), and get an SKey PAM module for it. I know that all these pieces exist, but I've never used Apache w/PAM, nor have I used the SKey PAM module. Should be a good starting point, though.
Check out my eclectic infosec blog at InfoSecPotpou
This is the kind of thing the PAM (Pluggable Authentication Modules) is meant to solve. I'm not sure how you would tie it in to your system yet, but some of these Java-centric links might help:
http://java.sun.com/products/jaas/
http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/
http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/
http://www.pramati.com/docstore/1270002/index.htm
http://www.oreillynet.com/pub/d/861
This is covered in insane detail in the tivoweb docs. You have three options:
Set up Apache as a reverse proxy and put some authentication on the proxy machine.
If that is not acceptable, use SSH port forwarding to get the job done.
If none of these is acceptable, then use some sort of VPN solution to attach to your home network from outside.
Be realistic, though: you don't need double smartcard voice recognized palm scanned passphrase authentication and uncrackable in a trillion years triple supercrypto to do the equivalent of programming your VCR from the office. Reverse proxy and an .htaccess file will do you fine.
~GoRK
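The reverse proxy with basic authentication over SSL that several replies suggest, sketched as an Apache httpd configuration. This is an added example, not part of the original thread or the tivoweb docs. The hostname, file paths and TiVo address are assumptions, and it is the single-factor password variant, not the S/Key one.

```apache
# Added example. Assumed values: home.example.net, 192.168.1.50 (TiVo on the
# internal network, web interface on port 80), and the file paths below.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_user, mod_alias.

# Plain HTTP only redirects, so the password is never sent unencrypted.
<VirtualHost *:80>
    ServerName home.example.net
    Redirect permanent / https://home.example.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName home.example.net

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/home.example.net.crt
    SSLCertificateKeyFile /etc/apache2/ssl/home.example.net.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Map /tivo/ on the proxy to the TiVo's web interface.
    ProxyPass        /tivo/ http://192.168.1.50/
    # Rewrites Location headers on redirects coming back from the TiVo.
    # It does not touch links inside the HTML body, so pages that embed
    # absolute URLs (the concern raised in the first reply) need extra
    # rewriting, for example with mod_proxy_html.
    ProxyPassReverse /tivo/ http://192.168.1.50/

    # Authentication is enforced on the proxy, before any request is forwarded.
    <Location "/tivo/">
        AuthType Basic
        AuthName "TiVo"
        # Created with: htpasswd -c /etc/apache2/tivo.htpasswd <username>
        # Keep this file outside any served directory.
        AuthUserFile /etc/apache2/tivo.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Only port 443 on the proxy should be forwarded by the firewall; the TiVo itself stays reachable from internal machines only, as the second reply recommends.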