Date: Thu, 11 Dec 2003 18:33:37 +1100
From: Andrew Kenneth Milton <akm@theinternet.com.au>
To: Brett Glass <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
Message-ID: <20031211073336.GO57995@zeus.theinternet.com.au>
In-Reply-To: <6.0.0.22.2.20031210193940.04f82c20@localhost>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> <6.0.0.22.2.20031210173916.04f57be8@localhost> <3FD7C240.4030005@tenebras.com> <6.0.0.22.2.20031210193940.04f82c20@localhost>
+-------[ Brett Glass ]----------------------
| An excellent reason to use SSL together with S/key.

I'm not sure about the physical setup you have, but here goes.

Why don't you issue certificates to each user that have a fixed life span, say a week (or a day or a few hours), and avoid the password thing altogether?

If you can generate pieces of paper to hand out, you can generate a certificate per user that gets assigned / refreshed before they leave.

You could even just revoke the certificate if/when lost, if the assignment of a new certificate is overly burdensome. Once the certificate is revoked, even having physical possession of the palm pilot won't give you access.

There are no passwords to write down, and there are no user interactions to sniff/log.

You should be able to use a certificate at a cafe via floppy/cd/USB key (I guess, I've never been to one). If this is the normal usage pattern, I'd be making the lifespan of the certs very small.

-- 
Totally Holistic Enterprises Internet | Andrew Milton
The Internet (Aust) Pty Ltd           | M: +61 416 022 411
ACN: 082 081 472 ABN: 83 082 081 472  | akm@theinternet.com.au | Carpe Daemon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031211073336.GO57995>
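The scheme Andrew describes, worked through as an added example (not code from the mail or from FreeBSD): a private CA issues each user a client certificate with a lifetime of days rather than a long-lived password, a check confirms the certificate chains to the CA and still has a minimum number of days left, and a CRL makes a lost certificate useless regardless of who holds the device. It assumes the `openssl` command line tool is installed; the directory layout, the user names `alice`/`bob`, the `demo-passphrase` export passphrase and the file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: short-lived per-user client certificates with revocation.
# Assumes `openssl` is in PATH; all paths and names below are demo choices.

# Create a throwaway CA in directory $1 (constructed for this demo; a real CA
# key would live offline, not next to the issued certificates).
make_demo_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Mark issued certificates as client-auth only, so they cannot be reused
    # as server certificates.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client_ext.cnf"
}

# Issue a client certificate for user $2 in CA dir $1 that expires after $3 days,
# and bundle key+cert into a PKCS#12 file (protected by passphrase $4) that the
# user can carry on a floppy/USB key.
issue_user_cert() {
    dir=$1; user=$2; days=$3; pass=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/client_ext.cnf" \
        -out "$dir/$user.crt" 2>/dev/null
    openssl pkcs12 -export -passout "pass:$pass" -inkey "$dir/$user.key" \
        -in "$dir/$user.crt" -out "$dir/$user.p12" 2>/dev/null
}

# Revoke user $2's certificate and regenerate the CRL. `openssl ca` needs a
# small config with a database; the config is written here for the demo.
revoke_user_cert() {
    dir=$1; user=$2
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/ca.srl
default_md = sha256
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
    touch "$dir/index.txt"
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$user.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# Return 0 if user $2's certificate chains to the CA in $1, is not revoked
# (when a CRL exists) and will still be valid $3 days from now; 1 otherwise.
# This is the same decision mod_ssl makes with SSLVerifyClient require plus a
# CRL, expressed with the command line tool.
cert_is_valid() {
    dir=$1; user=$2; min_days=$3
    if [ -f "$dir/ca.crl" ]; then
        openssl verify -purpose sslclient -crl_check -CAfile "$dir/ca.crt" \
            -CRLfile "$dir/ca.crl" "$dir/$user.crt" >/dev/null 2>&1 || return 1
    else
        openssl verify -purpose sslclient -CAfile "$dir/ca.crt" \
            "$dir/$user.crt" >/dev/null 2>&1 || return 1
    fi
    # -checkend exits 1 when the certificate expires within the given seconds.
    openssl x509 -in "$dir/$user.crt" -noout -checkend $((min_days * 86400))
}

# Run the whole flow when invoked as `sh this_script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_ca "$d"
    issue_user_cert "$d" alice 7 demo-passphrase
    cert_is_valid "$d" alice 6 && echo "alice: valid for at least 6 more days"
    cert_is_valid "$d" alice 8 || echo "alice: expires within 8 days (by design)"
    revoke_user_cert "$d" alice
    cert_is_valid "$d" alice 1 || echo "alice: revoked, certificate now useless"
    rm -rf "$d"
fi
```

On the Apache side the equivalent directives in mod_ssl are `SSLVerifyClient require`, `SSLCACertificateFile` pointing at the CA certificate and `SSLCARevocationFile` pointing at the generated CRL; with a one-week lifetime the CRL only has to cover certificates lost within that week, after which they expire on their own.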
