From owner-freebsd-security Wed Jun 19 8:43:39 2002
From: "Eric F Crist"
To: "'Ryan Thompson'"
Subject: RE: Password security
Date: Wed, 19 Jun 2002 10:42:15 -0500
Message-ID: <002101c217a7$e3c28ab0$77fe180c@armageddon>
In-Reply-To: <20020618225214.L74293-100000@ren.sasknow.com>

Hey Ryan,

The only other thing I could suggest is a dial-up callback system.
Windows NT 4.0 and above fully support this in their base installs, and
I'm sure it wouldn't be hard to set up on a FreeBSD network to do
something similar.

The way it works is this: User requests login authority from their
remote system. He/she does so with a username/password combination.
Remote network sees request, looks information up in a database and
either calls back via a dial-up connection, or replies only on an IP
address registered with the system. This way, it is your network that
is bringing the connection up. It also restricts where users can log in
from. (i.e. areas you, as network admin, deem secure).

HTH

Just curious, what kinds of things are you trying to secure that the
basic password system hasn't worked for you? Most users are too
ignorant (not their fault) to know how to do anything with their logins
to hurt anything, as if your system *is* secure enough, biometrics or
SecurID is a viable alternative. I personally have done work for people
like the Minnesota Dept of Agriculture in this area for building and
network security, and it has worked wonderfully for the last 4 years.
Just curiosity on my part. ;)

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Ryan Thompson
Sent: Wednesday, June 19, 2002 12:05 AM
To: Eric F Crist
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Password security

Hi Eric,

Eric F Crist wrote to 'Ryan Thompson' and freebsd-security@FreeBSD.ORG:

> Have you explored the idea of biometrics?

Yes. Bad idea. I knew someone would suggest that. My original post was
too long already to include biometrics, so, since you asked, here it
is. :-)

> It requires a piece of hardware on each computer that is going to
> access the network, but the way you're making your security
> requirements sound, the security benefit is worth the cost.

Depending on the metric somewhat, collecting biometrics on insecure
systems is a serious security risk. Hardware costs aside (about 20
terminals, a few of which are home systems not even owned by the
company), it's far too easy to replay biometrics if the end system
isn't secure... and, last time I checked, most of my employees had only
10 fingers each. Once those are gone, what then? Eyeballs? :-)

So, on a lot of levels, biometrics are not an option. So, let's stick
with password security for now.
:-)

> Eric F Crist
> President/Sys Admin
> AdTech Integrated Systems, Inc
> http://www.adtechintegrated.com

-- 
  Ryan Thompson

  SaskNow Technologies - http://www.sasknow.com
  901 1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-664-3630   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
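
Added example, not part of the original message or of any product mentioned in it: a minimal Python model of the server-side decision in the callback scheme described above. The registry contents, field names and the function `handle_login_request` are hypothetical and the sample accounts are constructed; the point shown is that the destination always comes from the server's own database, never from the caller.

```python
import hashlib
import hmac
import ipaddress

SALT = b"constructed-demo-salt"  # constructed value; use a per-user random salt in practice

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed registry: what the admin has registered for each user.
REGISTRY = {
    "alice": {"pw": _pw_hash("correct horse"),
              "callback_number": "555-0100", "allowed_nets": []},
    "bob":   {"pw": _pw_hash("battery staple"),
              "callback_number": None, "allowed_nets": ["192.0.2.0/24"]},
}

def handle_login_request(user, password, source_ip=None, claimed_number=None):
    """Return (action, destination) for a login request.

    source_ip=None models a dial-up request. claimed_number is whatever
    the caller says their number is; it is accepted as input only to show
    that it is never used to choose where the server connects.
    """
    entry = REGISTRY.get(user)
    # Hash even for unknown users so both failure paths cost the same.
    expected = entry["pw"] if entry else _pw_hash("")
    ok = hmac.compare_digest(_pw_hash(password), expected)
    if entry is None or not ok:
        return ("reject", None)

    if source_ip is None:
        # Dial-up: drop the inbound call and dial the registered number.
        if entry["callback_number"]:
            return ("hangup_and_dial", entry["callback_number"])
        return ("reject", None)

    # IP: reply only if the source lies in a network registered for this user.
    addr = ipaddress.ip_address(source_ip)
    if any(addr in ipaddress.ip_network(net) for net in entry["allowed_nets"]):
        return ("reply_to", str(addr))
    return ("reject", None)

if __name__ == "__main__":
    print(handle_login_request("alice", "correct horse", claimed_number="555-0199"))
    print(handle_login_request("bob", "battery staple", source_ip="203.0.113.9"))
```

A valid password presented from an unregistered location is still rejected, which is the restriction on "where users can log in from" that the message describes.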