From owner-freebsd-hackers@FreeBSD.ORG Tue Dec 19 15:57:11 2006
From: Mike Meyer <mwm@mired.org>
To: Koen Martens
Cc: freebsd-hackers@freebsd.org
Subject: Re: unique hardware identification
Date: Tue, 19 Dec 2006 10:30:41 -0500
Message-ID: <17800.1441.406848.339959@bhuda.mired.org>
In-Reply-To: <4587F6F1.1050000@metro.cx>
References: <4587F6F1.1050000@metro.cx>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

In <4587F6F1.1050000@metro.cx>, Koen Martens typed:
> Hi All,
>
> I was wondering, if something like a unique hardware identification
> would be possible on FreeBSD.
>
> I'd like a machine to authenticate to a server, for which it will
> need a unique identification. Problem is, it should be generated
> automatically and not easy to fake / detect without already having
> root access to the box.

At this point, you've actually described two different things: "identifying the hardware" and "identifying to the server".

The latter just takes a string of bits that only exist in the client, like ssh keys. Looking into something like OpenVPN's various authentication mechanisms should give you ideas on various ways to do this.

Identifying the hardware is a bit trickier, because you have to have a policy about what to do in the face of hardware changes, which will influence what goes into your signature. You suggested disk serial numbers. Does adding a disk invalidate the hardware id? Does it matter which disk you booted from if you've got two disks in the id? Etc.

At the extreme low end, you can use an ID from something that's trivially replaceable, like an ethernet MAC. In the middle, you mix in an id from every bit of kit that you don't want the user to be able to change. At the extreme high end, you want to look into "Trusted Computing", which is a technology designed to create a computer that the content vendors will trust enough to put content on.

--
http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
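The reply above separates the client-held secret from the hardware signature and stresses that the signature needs a change policy (which components may change, and how many). The following Python script is an added illustration of that "middle" approach, not code from the thread or from FreeBSD: it digests each component identifier separately under a client-held secret, folds them into one hardware id, and applies a policy in which some components are required to match while a bounded number of others (the data disk, the trivially replaceable MAC) may change. The inventory, the policy sets, the secret and the component names are all constructed placeholders; on a real box they would be read from the system rather than hard-coded.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample inventory for one machine (placeholder values, not real
# hardware): the kinds of identifiers the thread mentions (disk serials, an
# Ethernet MAC) plus two components a user cannot swap without rebuilding the box.
ENROLLED_INVENTORY: Dict[str, str] = {
    "cpu":       "cpuid:EXAMPLE-0106A5",
    "mainboard": "board-serial:MB-EXAMPLE-0001",
    "disk:ad0":  "disk-serial:WD-EXAMPLE-0001",   # boot disk
    "disk:ad1":  "disk-serial:ST-EXAMPLE-0002",   # data disk
    "nic:em0":   "mac:00:11:22:33:44:55",
}

# Hypothetical policy: required components must match exactly; any other
# component may be added, removed or replaced, but at most MAX_OPTIONAL_CHANGES
# of them per check. The MAC is deliberately not required: it is trivially
# replaceable, so it only adds weight to the id, it never decides on its own.
REQUIRED = frozenset({"cpu", "mainboard", "disk:ad0"})
MAX_OPTIONAL_CHANGES = 1

# Stand-in for the "string of bits that only exist in the client": a per-install
# secret generated at enrollment (a constructed constant here; root-readable
# only in practice). Keying the digests with it means that knowing a MAC or a
# disk serial alone is not enough to reproduce the id.
CLIENT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def component_digests(inventory: Dict[str, str], secret: bytes) -> Dict[str, str]:
    """Digest each component separately, so a later check can report which
    component changed instead of only that the overall id differs."""
    return {
        name: hmac.new(secret, f"{name}={ident}".encode(), hashlib.sha256).hexdigest()
        for name, ident in inventory.items()
    }


def hardware_id(digests: Dict[str, str]) -> str:
    """Fold the per-component digests into one id; sorting by name makes the
    result independent of the order in which components were probed."""
    h = hashlib.sha256()
    for name in sorted(digests):
        h.update(f"{name}:{digests[name]}\n".encode())
    return h.hexdigest()


def check(enrolled: Dict[str, str], current: Dict[str, str],
          required=REQUIRED,
          max_optional_changes: int = MAX_OPTIONAL_CHANGES) -> Tuple[bool, List[str]]:
    """Apply the change policy to enrolled vs. current per-component digests.
    Returns (accepted, sorted names of components that were added, removed or
    replaced)."""
    names = set(enrolled) | set(current)
    changed = sorted(n for n in names if enrolled.get(n) != current.get(n))
    required_changed = [n for n in changed if n in required]
    optional_changed = [n for n in changed if n not in required]
    accepted = not required_changed and len(optional_changed) <= max_optional_changes
    return accepted, changed


if __name__ == "__main__":
    enrolled = component_digests(ENROLLED_INVENTORY, CLIENT_SECRET)
    print("enrolled hardware id:", hardware_id(enrolled))

    # Replace the data disk: one optional change, still accepted.
    new_disk = {**ENROLLED_INVENTORY, "disk:ad1": "disk-serial:ST-EXAMPLE-9999"}
    print("data disk replaced:", check(enrolled, component_digests(new_disk, CLIENT_SECRET)))

    # Swap the mainboard: a required component changed, rejected.
    new_board = {**ENROLLED_INVENTORY, "mainboard": "board-serial:MB-EXAMPLE-0002"}
    print("mainboard replaced:", check(enrolled, component_digests(new_board, CLIENT_SECRET)))
```

The server would store only the per-component digests (or the folded id plus the digests) from enrollment and run `check` against what the client reports later; because the digests are keyed with the client secret, a server-side leak of stored digests does not hand out the raw serials, and a client that lacks the secret cannot produce matching digests even if it knows every serial. The design choice to digest per component rather than hash the whole inventory at once is what makes a tolerance policy possible at all: a single combined hash can only answer "same or not".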