From owner-freebsd-ports@FreeBSD.ORG Fri Jan 15 14:36:04 2010
From: David Southwell <david@vizion2000.net>
Organization: Voice & Vision
To: freebsd-ports@freebsd.org
Date: Fri, 15 Jan 2010 14:35:55 +0000
User-Agent: KMail/1.12.4 (FreeBSD/7.2-RELEASE-p3; KDE/4.3.4; amd64; ; )
Message-Id: <201001151435.55904.david@vizion2000.net>
Subject: authentication with hardware device identification??
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

Hi,

I want to be able to permit ssh access to servers over the internet in a way that limits that access to specific hardware (i.e. laptops with known hardware configurations and devices). So I am looking for some additional layer of security on top of the normal private key & certificate system, in a way that would enable me to configure a pf rule that would, as an addition to other rules, only pass external connections to the ssh port from external systems having the correct hardware/device specifications.

One way of doing this might be to filter looking for a packet containing the required information in encrypted form. If the data is valid then the originating IP address might (for example) be added for a limited time to a pass rule which would then enable the system to connect to the ssh port to login.

Is this achievable?

David
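The scheme sketched in the post is essentially single-packet authorisation in front of a pf table. The following is an added example, not code from the post or from any FreeBSD port: the client builds one UDP datagram carrying an asserted hardware identifier, a timestamp and a nonce under an HMAC, and the server verifies it, rejects replays and stale packets, and records the `pfctl -t ssh_knock -T add/delete` commands it would run to lease the source address into a pf table for a limited time. The table name `ssh_knock`, the per-laptop shared key, the hardware-id string and the pf.conf lines in the comments are all assumptions. One caveat worth stating: nothing in the packet proves what hardware sent it; the server only learns that the sender holds the key enrolled for that identifier, so the "hardware" binding is only as strong as wherever that key is stored on the laptop.

```python
"""Single-packet authorisation (SPA) sketch for gating ssh behind a pf table.

Server side assumes a pf.conf along these lines (hypothetical):
    table <ssh_knock> persist
    block in on $ext_if proto tcp to ($ext_if) port 22
    pass in on $ext_if proto tcp from <ssh_knock> to ($ext_if) port 22 keep state
The daemon would listen on a UDP port, call KnockServer.handle() per datagram,
and run the pfctl commands it records. Here nothing is executed; the commands
are returned so the logic can be checked offline.
"""
import hashlib
import hmac
import os
import time

TABLE = "ssh_knock"
WINDOW = 30   # seconds of clock skew tolerated between client and server
LEASE = 60    # seconds a source IP stays in the pf table after a good knock

# Constructed sample key; in practice one key per enrolled laptop, ideally
# held in a TPM/smartcard so it cannot be copied off the hardware.
KEY = b"constructed-32-byte-shared-secret-key!!"


def build_knock(hw_id: str, key: bytes, now: int, nonce: bytes = None) -> bytes:
    """Client: hw_id|timestamp|nonce|hmac-sha256, all fields ASCII."""
    nonce = os.urandom(16) if nonce is None else nonce
    body = f"{hw_id}|{now}|{nonce.hex()}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag.hex().encode()


class KnockServer:
    def __init__(self, keys_by_hw_id: dict, now=time.time):
        self.keys = keys_by_hw_id   # enrolled hardware id -> shared key
        self.seen = {}              # nonce -> time until which it must be remembered
        self.leases = {}            # source ip -> expiry time
        self.commands = []          # pfctl argv lists we would execute
        self.now = now              # injectable clock for testing

    def handle(self, src_ip: str, datagram: bytes) -> bool:
        """Verify one knock; on success lease src_ip into the table."""
        try:
            hw_id, ts, nonce_hex, tag_hex = datagram.decode().split("|")
            ts = int(ts)
            nonce = bytes.fromhex(nonce_hex)
            tag = bytes.fromhex(tag_hex)
        except ValueError:          # malformed packet: covers bad split, int, hex
            return False
        key = self.keys.get(hw_id)
        if key is None:             # unknown laptop
            return False
        body = f"{hw_id}|{ts}|{nonce_hex}".encode()
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return False
        t = int(self.now())
        if abs(t - ts) > WINDOW:    # stale or far-future timestamp
            return False
        self.expire(t)
        if nonce in self.seen:      # replay inside the window
            return False
        # A packet with timestamp ts stays acceptable until ts + WINDOW,
        # so its nonce must be remembered at least that long.
        self.seen[nonce] = ts + WINDOW + 1
        if src_ip not in self.leases:
            self.commands.append(["pfctl", "-t", TABLE, "-T", "add", src_ip])
        self.leases[src_ip] = t + LEASE   # a fresh knock renews the lease
        return True

    def expire(self, t: int) -> None:
        """Drop expired leases from the table and forget old nonces."""
        for ip in [ip for ip, exp in self.leases.items() if exp <= t]:
            del self.leases[ip]
            self.commands.append(["pfctl", "-t", TABLE, "-T", "delete", ip])
        self.seen = {n: exp for n, exp in self.seen.items() if exp > t}
```

The knock port itself can stay blocked in pf for TCP; a UDP datagram that fails verification is simply dropped, so a scanner sees nothing different from a closed port. Running `expire()` from a timer, not only on incoming knocks, is what actually enforces "for a limited time".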