Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 24 Mar 2013 01:21:12 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com>
Cc:        "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject:   Re: Client Authentication
Message-ID:  <15F2FFE1-C05D-4663-BCD6-58A893CA1C24@lafn.org>
In-Reply-To: <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com>
References:  <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAOgwaMvu+OC4PiPfNNwoj7aB+631Nt_=SwjFG9y89+avB6Mp9Q@mail.gmail.com> <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org> <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On 23 March 2013, at 22:59, Mehmet Erol Sanliturk =
<m.e.sanliturk@gmail.com> wrote:

> The following steps may be another idea :
>=20
> Assume that you supply to your users a small login program prepared =
for them specifically ( since you are using SSH )  :
>=20
> Compile that program for each user with a special identifier for =
him/her  and ship this program to your user and require that the login =
will be performed by this program  . This program will send a very long =
code to your system with user password which is only known to you and to =
your user .  Since external users will not know this code , they will =
not be able to login into their accounts by using only password .
>=20
> This will also easily identify fake login trials : It is very obvious =
that to estimate a very long code will require a large number of tries : =
If code fails , it means that login trial is from a fake user .
> If password fails , it may be allowed a fixed number of trials ( The =
banks are allowing only TWO failed passwords , on third , a new attempt =
can be made after 24 hours , in Turkey ) .
>=20
> This program may also additionally send computer signature to your =
system which is previously send to you on subscription computed by a =
program prepared by you .
>=20
> If the user changes  / or uses a different computer , he/she should =
supply a signature of the computer . =20
>=20
> Here , important point is that , always you should verify that you are =
communicating the real user , not a faked user in behalf of the real =
user .
>=20
> For the stolen program/codes , prepare a new program and ship to the =
user .

Thats an interesting approach but becomes difficult to use when =
traveling as you have no idea what computer you will be able to use =
today until you get to it.  Then you might have only a few minutes =
access to it before moving on.

>=20
> Another idea may be the following :
>=20
> Assume the user computer is NOT captured by a criminal bandit .
>=20
> On subscription , send to the user a square bar code printed on a card =
like credit card having a very long code specifically prepared for the =
user .
> On login , the user will show this card to the camera of the computer =
and will be transmitted to your system . In your system , it will be =
decoded , and it will be used to identify the user with his/her password =
.
>=20
> If this application is used , it may not be necessary to send the =
users a special login program prepared for each of them .
>=20

This idea shows a lot of promise.  I have to figure out how to tie it =
into mail, web etc.  There is libqrencode for creating the QR images.  I =
am downloading it now. =20

-- Doug




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?15F2FFE1-C05D-4663-BCD6-58A893CA1C24>