Date: Sat, 23 Mar 2013 22:59:14 -0700 From: Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com> To: Doug Hardie <bc979@lafn.org> Cc: "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org> Subject: Re: Client Authentication Message-ID: <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com> In-Reply-To: <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org> References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAOgwaMvu%2BOC4PiPfNNwoj7aB%2B631Nt_=SwjFG9y89%2BavB6Mp9Q@mail.gmail.com> <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org>
On Sat, Mar 23, 2013 at 10:16 PM, Doug Hardie <bc979@lafn.org> wrote:

> On 23 March 2013, at 21:51, Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com> wrote:
>
>> Using Static IP in the client side, and checking Static IP of the user may be a possibility:
>> In that way, any message from another IP will not be accepted.
>>
>> If this is possible for your systems, it may be checked for usability.
>>
>> One difficulty is that each user should obtain a Static IP and cannot connect to his/her ISP from another IP.
>>
>> Good side is that nobody can connect to ISP of the user from another IP: It supplies hardware security (we are assuming that the user computer is not captured).
>
> That is an interesting idea, but unfortunately our users tend to travel a lot and need to be able to access mail from anywhere. Also, static IPs can get quite expensive from some ISPs. Our users are pretty much on fixed incomes and any expense is a hardship for them.
>
> -- Doug

The following steps may be another idea:

Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH): Compile that program for each user with a special identifier for him/her and ship this program to your user and require that the login will be performed by this program.

This program will send a very long code to your system with the user password which is only known to you and to your user. Since external users will not know this code, they will not be able to log into their accounts by using only the password.

This will also easily identify fake login trials: It is very obvious that to estimate a very long code will require a large number of tries: If the code fails, it means that the login trial is from a fake user. If the password fails, it may be allowed a fixed number of trials (The banks are allowing only TWO failed passwords; on the third, a new attempt can be made after 24 hours, in Turkey).
This program may also additionally send a computer signature to your system which is previously sent to you on subscription, computed by a program prepared by you. If the user changes / or uses a different computer, he/she should supply a signature of the computer.

Here, the important point is that you should always verify that you are communicating with the real user, not a faked user on behalf of the real user.

For the stolen program/codes, prepare a new program and ship it to the user.

Another idea may be the following:

Assume the user computer is NOT captured by a criminal bandit. On subscription, send to the user a square bar code printed on a card like a credit card having a very long code specifically prepared for the user. On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user with his/her password.

If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

Thank you very much.

Mehmet Erol Sanliturk
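The server-side half of the scheme described in the message above, as an added example that is not part of the thread: each user is enrolled with a long random code (the one that would be compiled into the per-user client program or printed on the card) plus a password, the server stores only digests of both, and a login presents code and password together. A wrong code is rejected outright as a forged attempt, since the real client always has the right one, while password failures are counted and locked out after the "two failures, then 24 hours" rule the post attributes to Turkish banks. The `authenticate`, `make_user` and `hash_password` names, the record layout, the PBKDF2 iteration count and the `now` parameter (so the lockout can be tested without waiting) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Policy values taken from the post's description of the bank rule:
# two failed passwords are tolerated, the third failure locks for 24 hours.
# (Assumed values for this example, not from any real deployment.)
MAX_PASSWORD_FAILURES = 2
LOCKOUT_SECONDS = 24 * 60 * 60
PBKDF2_ITERATIONS = 100_000  # assumed; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a stolen record is not trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str):
    """Enrol a user at subscription time.

    Returns the long per-user code that is shipped to the user (inside the
    custom login program or on the printed card) and the server-side record,
    which holds only digests: the plaintext code never needs to be stored.
    """
    client_code = secrets.token_hex(32)  # 256 bits of randomness, far too long to guess
    salt = os.urandom(16)
    record = {
        "code_digest": hashlib.sha256(client_code.encode()).digest(),
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "failures": 0,
        "locked_until": 0.0,
    }
    return client_code, record


def authenticate(record: dict, client_code: str, password: str, now=None) -> str:
    """Check a login attempt and return one of:
    "ok", "locked", "rejected_fake" (code mismatch), "bad_password".
    """
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return "locked"

    # The code is checked first. The genuine client program always sends the
    # right code, so a mismatch cannot be a typo: treat it as a fake login
    # trial and do not consume one of the password attempts.
    presented = hashlib.sha256(client_code.encode()).digest()
    if not hmac.compare_digest(presented, record["code_digest"]):
        return "rejected_fake"

    # Constant-time comparison of the password hash avoids timing leaks.
    if hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"]):
        record["failures"] = 0
        return "ok"

    record["failures"] += 1
    if record["failures"] > MAX_PASSWORD_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
        return "locked"
    return "bad_password"


if __name__ == "__main__":
    code, rec = make_user("correct horse")
    print(authenticate(rec, code, "correct horse"))     # ok
    print(authenticate(rec, "not-the-code", "correct horse"))  # rejected_fake
```

Because the code check comes before the password check, the server can log `rejected_fake` results separately from ordinary password failures, which is the "easily identify fake login trials" property the post describes. Note that this adds nothing if the user's machine (and thus the shipped program or a photo of the card) is already compromised, the same assumption the post makes explicit.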