From: Mehmet Erol Sanliturk
To: Doug Hardie
Cc: "freebsd-questions@freebsd.org List"
Subject: Re: Client Authentication
Date: Sat, 23 Mar 2013 22:59:14 -0700
In-Reply-To: <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org>
List-Id: User questions

On Sat, Mar 23, 2013 at 10:16 PM, Doug Hardie wrote:

> On 23 March 2013, at 21:51, Mehmet Erol Sanliturk wrote:
>
>> Using a static IP on the client side, and checking the static IP of the user, may be a possibility:
>> In that way, any message from another IP will not be accepted.
>>
>> If this is possible for your systems, it may be checked for usability.
>>
>> One difficulty is that each user should obtain a static IP and cannot connect to his/her ISP from another IP.
>>
>> The good side is that nobody can connect to the ISP of the user from another IP: it supplies hardware security (we are assuming that the user computer is not captured).
>
> That is an interesting idea, but unfortunately our users tend to travel a lot and need to be able to access mail from anywhere. Also, static IPs can get quite expensive from some ISPs. Our users are pretty much on fixed incomes and any expense is a hardship for them.
>
> -- Doug

The following steps may be another idea:

Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH): compile that program for each user with a special identifier for him/her, ship this program to your user, and require that the login be performed by this program.

This program will send a very long code to your system together with the user password, which is only known to you and to your user. Since external users will not know this code, they will not be able to log in to their accounts by using only the password.

This will also easily identify fake login trials: it is very obvious that estimating a very long code will require a large number of tries. If the code fails, it means that the login trial is from a fake user. If the password fails, a fixed number of trials may be allowed (in Turkey, the banks allow only TWO failed passwords; on the third, a new attempt can be made only after 24 hours).

This program may also additionally send a computer signature to your system, which was previously sent to you on subscription, computed by a program prepared by you. If the user changes or uses a different computer, he/she should supply a signature of the computer.

Here, the important point is that you should always verify that you are communicating with the real user, not a faked user on behalf of the real user.

For stolen programs/codes, prepare a new program and ship it to the user.

Another idea may be the following:

Assume the user computer is NOT captured by a criminal bandit. On subscription, send to the user a square bar code printed on a card like a credit card, having a very long code specifically prepared for the user. On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user with his/her password.

If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

Thank you very much.

Mehmet Erol Sanliturk
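The server-side checks described in the message above (a per-user long code checked before the password, a wrong code treated as a fake attempt with no retry budget, and the bank-style rule of two allowed password failures followed by a 24-hour lockout), written out as an added Python sketch. This is not code from the original post or from any FreeBSD project; the AuthServer class, its method names, the result strings and the stored-digest layout are my own assumptions. The server keeps only salted PBKDF2 digests of the code and the password and compares them in constant time, so a captured user table does not yield the long code itself.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Policy taken from the message: the password may fail twice, the third
# failure locks the account for 24 hours, and a wrong device code is never
# given a retry budget at all.
MAX_PASSWORD_FAILURES = 2
LOCKOUT_SECONDS = 24 * 3600
PBKDF2_ROUNDS = 50_000  # kept modest for a demo; raise for production use


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so that only digests are stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Hypothetical server-side verifier for the 'login program + long code' idea."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}  # constructed in-memory user table

    def enroll(self, username: str, password: str) -> str:
        """Generate the per-user long code that would be compiled into that user's
        login program, and store salted digests of the code and the password.
        The clear-text code is returned once for shipping and never kept."""
        device_code = secrets.token_hex(32)  # 256 random bits, hex encoded
        code_salt = secrets.token_bytes(16)
        pw_salt = secrets.token_bytes(16)
        self.users[username] = {
            "code_salt": code_salt,
            "code_hash": _digest(device_code, code_salt),
            "pw_salt": pw_salt,
            "pw_hash": _digest(password, pw_salt),
            "failures": 0,
            "locked_until": 0.0,
        }
        return device_code

    def login(self, username: str, device_code: str, password: str,
              now: Optional[float] = None) -> str:
        """Return one of: 'ok', 'reject', 'locked', 'reject-fake', 'reject-password'.
        `now` is injectable so the lockout window can be tested deterministically."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return "reject"  # unknown account; same answer as any other failure
        if now < rec["locked_until"]:
            return "locked"
        # The long code is checked first: a mismatch means the attempt did not
        # come from the user's own login program, so it is refused outright.
        if not hmac.compare_digest(_digest(device_code, rec["code_salt"]), rec["code_hash"]):
            return "reject-fake"
        if not hmac.compare_digest(_digest(password, rec["pw_salt"]), rec["pw_hash"]):
            rec["failures"] += 1
            if rec["failures"] > MAX_PASSWORD_FAILURES:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                return "locked"
            return "reject-password"
        rec["failures"] = 0  # successful login clears the failure counter
        return "ok"


if __name__ == "__main__":
    server = AuthServer()
    code = server.enroll("alice", "correct horse battery")
    print(server.login("alice", code, "correct horse battery"))   # ok
    print(server.login("alice", "0" * 64, "correct horse battery"))  # reject-fake
```

Because the long code travels over the wire, this only makes sense inside the SSH channel the message already assumes; a challenge-response (HMAC over a server nonce keyed with the code) would let the client prove possession without ever transmitting the code, and is the variant to prefer if the transport cannot be trusted.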