From owner-freebsd-questions@FreeBSD.ORG Sun Mar 24 08:22:49 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 84A8D124B for ; Sun, 24 Mar 2013 08:22:49 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) by mx1.freebsd.org (Postfix) with ESMTP id 4C615386 for ; Sun, 24 Mar 2013 08:22:49 +0000 (UTC) Received: from r56.edvax.de (port-92-195-88-89.dynamic.qsc.de [92.195.88.89]) by mx01.qsc.de (Postfix) with ESMTP id A021E3CAE3; Sun, 24 Mar 2013 09:22:41 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id r2O8Mm9K003090; Sun, 24 Mar 2013 09:22:48 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Sun, 24 Mar 2013 09:22:48 +0100 From: Polytropon To: Doug Hardie Subject: Re: Client Authentication Message-Id: <20130324092248.76809163.freebsd@edvax.de> In-Reply-To: <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org> References: <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org> Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: "freebsd-questions@freebsd.org List" X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Polytropon List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Mar 2013 08:22:49 -0000 On Sun, 24 Mar 2013 01:16:33 -0700, Doug Hardie wrote: > > On 24 March 2013, at 01:03, CeDeROM wrote: > > > Why don't you just use PKI for authentication (you can generate your > > own certificates)? You can easily upload keys/certificated to client > > machines (PC, Android, Apple, ...). That should work :-) > > > > Thats exactly what I have been testing. Its easy in concept, but > there are issues in the details. Once the certificate is loaded > in a Mac and the password entered, its available for anyone to use > thereafter. You actually have to remove the certificate from the > keychain to disable it. Not a great approach for shared computers. Wouldn't there be a possibility to combine key _and_ password? The key shouldn't have to be removed, but it should only work with a password (which again is kept individual to each user). The process has to be made "more uncomfortable" to be secure, i. e., the password should _not_ be stored, instead it _has_ to be entered every time the secure connection is to be used. If a different user gets his hands on a running session (in terms of user-separation or profiles on a particular machine), he won't be able to do anything with mail as he does not know the password, and the password will not be automatically provided for the sake of being "less complicated". I don't know your particular end user machine settings, so this is just a broad suggestion. Many things in this idea depend on what software the client systems use, and how this software actually deals with security-related settings and procedures. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...