From: Mehmet Erol Sanliturk
To: Doug Hardie
Cc: freebsd-questions@freebsd.org
Date: Sat, 23 Mar 2013 21:51:53 -0700
Subject: Re: Client Authentication
List-Id: freebsd-questions (User questions)

On Sat, Mar 23, 2013 at 9:22 PM, Doug Hardie
wrote:

> I am not sure this is the best place to ask this, but I didn't see any
> other mailing lists that seemed more appropriate.
>
> Basically, my outgoing mail server is being systematically attacked to try
> passwords looking for one that works. When they do find one, we get
> inundated by spam sent through that account throughout the world. The
> situation is such that most of our users are older and their computer is a
> hand-me-down so they can talk to their grandchildren. Passwords are a
> great inconvenience for them and create numerous problems with remembering
> them even when they are simple. Unfortunately, most of them are quite easy
> to guess.
>
> Telling users to use more appropriate passwords is a complete waste of my
> time. It's never going to make any changes as they probably would not
> remember any other password (or where they wrote down the password). This
> situation requires a technical solution.
>
> I have been investigating the use of client authentication through SSL.
> DoD uses this approach by having the certificates on an ID card and a card
> reader on each computer. We don't have the money to use that approach, nor
> could we ever get our users to spring for that. I was hoping to figure
> out a way to put the certificate on a flash drive or CD that the user would
> carry. The approach we use has to also work for iPads, smart phones etc.
> that do not have an interface for a card reader.
>
> At this time, I have successfully configured a test for openssl client
> authentication using a client certificate. There are a few issues
> remaining. DoD uses a p12 format for their certificates. Many browsers
> support that format. It encrypts the certificate and private key so they
> are not easily obtained from the smart card. OpenSSL's s_client uses pem
> certificates and the key has to be included in the certificate file. While
> that is easily transported on CD or flash drive, the private key is in the
> clear on the device. That's not really viable.
>
> S_client works properly without a certificate when the certificate check
> in the server is set to not fail if a certificate is not provided. This is
> needed because we will never get all our users to use this approach at
> home. They will still want to use passwords. Since the certificate
> request is made before the connection information is available, there is no
> easy way to request it only when needed. I have only been able to test
> with the Safari browser and it does not handle the no certificate case
> properly. I believe it is dropping the connection when the user does not
> select a certificate. I still have to test the other browsers.
>
> There is an interesting aspect of openssl that the certificate it uses for
> normal SSL authentication is not used for client authentication. There is
> another completely different set of calls that have to be made to set the
> certificate/key for use in validating the client certificates. Much of
> this is only documented in existing code.
>
> With Safari you have to import the client's certificate into the keychain.
> Then it works fine. Unfortunately, it doesn't go away when you are done
> with it. Unlike the smart card which, when removed, removes the
> certificate, the Safari certificate can continue to be used by anyone
> afterwards. Hence, it's not all that useful for authentication. One
> approach I have heard about, but not investigated yet, is to place the
> keychain on the removable device. That would make it go away. However,
> that approach would not work with any other browser or mail program.
>
> Any ideas/suggestions on this will be appreciated. Thanks,
>
> -- Doug
>

Using a Static IP on the client side, and checking the Static IP of the user, may be a possibility: in that way, any message from another IP will not be accepted. If this is possible for your systems, it may be checked for usability.

One difficulty is that each user should obtain a Static IP and cannot connect to his/her ISP from another IP. The good side is that nobody can connect to the ISP of the user from another IP: it supplies hardware security (we are assuming that the user computer is not captured).

Thank you very much.

Mehmet Erol Sanliturk
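The two mechanisms discussed in this thread, a TLS server that requests a client certificate but does not fail when none is presented (so that password users still work), and the reply's per-user source-address check, can be combined in one small authentication decision. The following is an added illustration written for this archive page; it is not code from either poster and does not reproduce Doug's OpenSSL server. It uses Python's standard `ssl` module, where `CERT_OPTIONAL` is the "request but do not require" mode, and `getpeercert()` returns a dict for a verified client certificate and `None` when the client sent none. The user table, password records, salts and the pinned `192.0.2.10` address are constructed sample data; the certificate and CA file paths passed to `build_server_context` are assumed to exist on the deploying host.

```python
import hashlib
import hmac
import ssl

# --- Constructed sample data (assumptions, not from the list post) ---------
# Users who carry a client certificate: certificate subject CN -> mailbox user.
CERT_USERS = {"alice@example.org": "alice"}

PBKDF2_ROUNDS = 100_000


def _pbkdf2(password, salt, rounds=PBKDF2_ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Users who still authenticate with a password (hypothetical PBKDF2 records).
PASSWORD_USERS = {
    "bob": {"salt": b"constructed-salt-bob", "rounds": PBKDF2_ROUNDS,
            "digest": _pbkdf2("hunter2", b"constructed-salt-bob")},
}

# Optional per-user source-address pin, the static-IP idea from the reply.
# 192.0.2.10 is a documentation (TEST-NET-1) address used as sample data.
ALLOWED_SOURCE = {"bob": {"192.0.2.10"}}


def build_server_context(cert_file, key_file, client_ca_file):
    """TLS server context that asks for a client cert but tolerates its absence."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)        # the server's own cert/key
    ctx.load_verify_locations(client_ca_file)       # CA that issued client certs
    ctx.verify_mode = ssl.CERT_OPTIONAL             # request, do not require
    return ctx


def user_from_peercert(peercert):
    """Map a verified client-cert dict (as from getpeercert()) to a user, or None."""
    if not peercert:                 # None (no cert sent) or {} (not validated)
        return None
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return CERT_USERS.get(value)
    return None


def check_password(username, password):
    """Constant-time PBKDF2 comparison; unknown users still pay the hash cost."""
    rec = PASSWORD_USERS.get(username)
    if rec is None:
        _pbkdf2(password or "", b"constructed-dummy-salt")
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["rounds"])
    return hmac.compare_digest(digest, rec["digest"])


def source_allowed(username, client_ip):
    """True unless the user is pinned to specific source addresses and this is not one."""
    pinned = ALLOWED_SOURCE.get(username)
    return pinned is None or client_ip in pinned


def authenticate(peercert, client_ip, username=None, password=None):
    """Return the authenticated user name or None.

    A presented (and TLS-verified) certificate decides on its own: an unknown
    certificate is refused outright, with no password fallback.  Only a
    connection that sent no certificate at all takes the password path.
    """
    if peercert:
        user = user_from_peercert(peercert)
        if user is None or not source_allowed(user, client_ip):
            return None
        return user
    if username is None or password is None:
        return None
    if check_password(username, password) and source_allowed(username, client_ip):
        return username
    return None


if __name__ == "__main__":
    alice_cert = {"subject": ((("commonName", "alice@example.org"),),)}
    print(authenticate(alice_cert, "198.51.100.7"))            # alice
    print(authenticate(None, "192.0.2.10", "bob", "hunter2"))   # bob
    print(authenticate(None, "198.51.100.7", "bob", "hunter2")) # None (wrong source)
```

In a real server the `peercert` argument comes from `wrapped_socket.getpeercert()` after `ctx.wrap_socket(conn, server_side=True)` completes the handshake, and the password path is reached only for clients that, as Doug observed with s_client, simply send no certificate when asked. The source-address pin is deliberately opt-in per user, because, as the reply notes, it only works for users who can keep a fixed address.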