From: Doug Hardie
To: Mehmet Erol Sanliturk
Cc: freebsd-questions@freebsd.org
Subject: Re: Client Authentication
Date: Sun, 24 Mar 2013 01:21:12 -0700
Message-Id: <15F2FFE1-C05D-4663-BCD6-58A893CA1C24@lafn.org>

On 23 March 2013, at 22:59, Mehmet Erol Sanliturk wrote:

> The following steps may be another idea:
>
> Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH):
>
> Compile that program for each user with a special identifier for him/her, ship this program to your user, and require that the login be performed by this program. This program will send a very long code to your system with the user password, which is known only to you and to your user. Since external users will not know this code, they will not be able to log in to their accounts by using only the password.
>
> This will also easily identify fake login trials: it is very obvious that guessing a very long code will require a large number of tries. If the code fails, it means that the login trial is from a fake user.
> If the password fails, a fixed number of trials may be allowed (in Turkey, the banks allow only TWO failed passwords; on the third, a new attempt can be made after 24 hours).
>
> This program may also additionally send a computer signature to your system, previously sent to you on subscription and computed by a program prepared by you.
>
> If the user changes or uses a different computer, he/she should supply a signature of the computer.
>
> Here, the important point is that you should always verify that you are communicating with the real user, not a fake user on behalf of the real user.
>
> For the stolen program/codes, prepare a new program and ship it to the user.

That's an interesting approach but becomes difficult to use when traveling, as you have no idea what computer you will be able to use today until you get to it. Then you might have only a few minutes' access to it before moving on.

> Another idea may be the following:
>
> Assume the user computer is NOT captured by a criminal bandit.
>
> On subscription, send to the user a square bar code printed on a card like a credit card, carrying a very long code specifically prepared for the user.
> On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user together with his/her password.
>
> If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

This idea shows a lot of promise. I have to figure out how to tie it into mail, web etc. There is libqrencode for creating the QR images. I am downloading it now.

-- Doug
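The server-side check behind the scheme discussed in this thread (a long per-user code delivered out of band, for instance printed as a QR card, submitted together with a password; a wrong code is treated as an attack, a wrong password is counted and locked out after a few tries), written here as an added example that is not code from the thread or from any of its participants. The user names, the PBKDF2 parameters and the lockout policy are assumptions.

```python
# Added example (not from the thread): verifier side of "long per-user code + password".
# Only salted hashes are stored, so a copy of the user database does not reveal the codes.
import hashlib
import hmac
import secrets

MAX_PASSWORD_FAILURES = 2      # assumption, echoing the "two failed passwords" rule quoted above
LOCKOUT_SECONDS = 24 * 3600    # assumption: wait a day after the limit is reached
PBKDF2_ROUNDS = 100_000        # assumption: work factor for the stored hashes


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def enroll(users: dict, name: str, password: str) -> str:
    """Create the user record and return the long code to print on the card.
    (The card itself can be rendered with e.g. the qrencode tool; not shown here.)"""
    code = secrets.token_urlsafe(48)          # 64 URL-safe chars, 384 random bits
    salt = secrets.token_bytes(16)
    users[name] = {"salt": salt, "code_hash": _digest(code, salt),
                   "pw_hash": _digest(password, salt),
                   "failures": 0, "locked_until": 0.0}
    return code


def login(users: dict, name: str, code: str, password: str, now: float) -> str:
    """Server-side verdict: 'ok', 'bad_code', 'bad_password' or 'locked'.
    The client should only ever see success or a generic failure; the finer
    distinction exists for the server's log and lockout handling."""
    user = users.get(name)
    if user is None:
        return "bad_code"                     # unknown name: handle like a wrong code
    if now < user["locked_until"]:
        return "locked"
    # A wrong code cannot come from a legitimate card holder, so it is logged as an
    # attack and deliberately does not consume the user's password-failure budget.
    if not hmac.compare_digest(_digest(code, user["salt"]), user["code_hash"]):
        return "bad_code"
    # Right code, wrong password: most likely the real user mistyping; count it.
    if not hmac.compare_digest(_digest(password, user["salt"]), user["pw_hash"]):
        user["failures"] += 1
        if user["failures"] >= MAX_PASSWORD_FAILURES:
            user["failures"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_password"
    user["failures"] = 0
    return "ok"
```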