From owner-freebsd-questions@FreeBSD.ORG Tue Mar 26 17:23:47 2013
Date: Tue, 26 Mar 2013 10:18:12 -0700
From: Joseph Olatt
To: Doug Hardie
Cc: "freebsd-questions@freebsd.org List"
Subject: Re: Client Authentication
Message-ID: <20130326171812.GA20118@shellx.eskimo.com>

On Sat, Mar 23, 2013 at 09:22:07PM -0700, Doug Hardie wrote:
> I am not sure this is the best place to ask this, but I didn't see any
> other maillists that seemed more appropriate.
>
> Basically, my outgoing mail server is being systematically attacked to
> try passwords looking for one that works. When they do find one, we get
> inundated by spam sent through that account throughout the world.
> The situation is such that most of our users are older and their
> computer is a hand-me-down so they can talk to their grandchildren.
> Passwords are a great inconvenience for them and create numerous
> problems with remembering them even when they are simple.
> Unfortunately, most of them are quite easy to guess.
>
> Telling users to use more appropriate passwords is a complete waste of
> my time. It's never going to make any changes as they probably would not
> remember any other password (or where they wrote down the password).
> This situation requires a technical solution.
>
> I have been investigating the use of client authentication through SSL.
> DoD uses this approach by having the certificates on an ID card and a
> card reader on each computer. We don't have the money to use that
> approach nor could we ever get our users to spring for that. I was
> hoping to figure out a way to put the certificate on a flash drive or CD
> that the user would carry. The approach we use has to also work for
> iPads, smart phones etc that do not have an interface for a card reader.
>
> At this time, I have successfully configured a test for openssl client
> authentication using a client certificate. There are a few issues
> remaining. DoD uses a p12 format for their certificates. Many browsers
> support that format. It encrypts the certificate and private key so
> they are not easily obtained from the smart card. Openssl's s_client
> uses pem certificates and the key has to be included in the certificate
> file. While that is easily transported on CD or flash drive, the
> private key is in the clear on the device. That's not really viable.
>
> S_client works properly without a certificate when the certificate
> check in the server is set to not fail if a certificate is not provided.
> This is needed because we will never get all our users to use this
> approach at home. They will still want to use passwords.
> Since the certificate request is made before the connection information
> is available, there is no easy way to request it only when needed. I
> have only been able to test with the Safari browser and it does not
> handle the no certificate case properly. I believe it is dropping the
> connection when the user does not select a certificate. I still have to
> test the other browsers.
>
> There is an interesting aspect of openssl that the certificate it uses
> for normal SSL authentication is not used for client authentication.
> There is another completely different set of calls that have to be made
> to set the certificate/key for use in validating the client
> certificates. Much of this is only documented in existing code.
>
> With Safari you have to import the client's certificate into the
> keychain. Then it works fine. Unfortunately, it doesn't go away when
> you are done with it. Unlike the smart card which, when removed,
> removes the certificate, the Safari certificate can continue to be used
> by anyone afterwards. Hence, it's not all that useful for
> authentication. One approach I have heard about, but not investigated
> yet, is to place the keychain on the removable device. That would make
> it go away. However, that approach would not work with any other
> browser or mail program.
>
> Any ideas/suggestions on this will be appreciated. Thanks,
>
> -- Doug

A little while back I wrote a system to do a simple Two Factor
Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
created it to prevent brute-force attacks on the servers that I have
exposed on the Internet.

Users would carry around a flash drive that has an HTML file containing
a "message" that is signed by your server (Alternatively, the HTML file
can be saved/placed on frequently used devices). When users double-click
that file, that message is verified and the user is then prompted for
his/her password. If the password is correct, then access from the
user's IP is allowed to your server.

The system is released as FOSS and is available at:
http://taferno.sourceforge.net

More info may be found at: http://taferno.com

I don't know if it will work for you. But, you can try if you'd like.
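
The flow described in the reply above (server-signed message, then password, then admitting the client IP to a PF table), as an added example that is not part of the original message and is not Taferno's code. HMAC-SHA256 stands in for the signature scheme, which the post does not specify; the key, the table name, the token layout and the expiry field are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key stays on the server
PF_TABLE = "allowed_clients"           # hypothetical PF table name

def _tag(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest().encode()

def issue_token(user: str, expires: int) -> str:
    """Server side: build the signed message the user carries on the flash drive."""
    body = f"{user}|{expires}"
    return f"{body}|{_tag(body).decode()}"

def verify_token(token: str, now: int):
    """Factor 1: return the user name if the tag is valid and unexpired, else None."""
    try:
        user, expires, tag = token.split("|")
        expiry = int(expires)
    except ValueError:                  # wrong field count or non-numeric expiry
        return None
    if not hmac.compare_digest(_tag(f"{user}|{expires}"), tag.encode()):
        return None
    return user if now < expiry else None

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def authorize(token, password, client_ip, users, now):
    """Return the pfctl argv that admits client_ip, or None if either factor fails."""
    user = verify_token(token, now)
    if user is None or user not in users:
        return None                     # no valid token: the password is never tested
    salt, stored = users[user]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:                  # reject anything that is not a literal IP address
        return None
    # argv list, never a shell string, so the address cannot inject extra commands
    return ["pfctl", "-t", PF_TABLE, "-T", "add", str(ip)]
```

Because the password check is reached only after the token verifies, a remote guesser without the signed file never gets a password oracle, which is the brute-force property the reply is after.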