Client Authentication
Mehmet Erol Sanliturk
m.e.sanliturk at gmail.com
Sun Mar 24 06:06:45 UTC 2013
On Sat, Mar 23, 2013 at 10:16 PM, Doug Hardie <bc979 at lafn.org> wrote:
>
> On 23 March 2013, at 21:51, Mehmet Erol Sanliturk <m.e.sanliturk at gmail.com>
> wrote:
>
> >
> > Using a static IP on the client side, and checking the static IP of the user,
> > may be a possibility: in that way, any message from another IP will not be accepted.
> >
> > If this is possible for your systems, it may be checked for usability.
> >
> > One difficulty is that each user should obtain a static IP and cannot
> > connect to his/her ISP from another IP.
> >
> > The good side is that nobody can connect to the ISP of the user from another IP:
> > it supplies hardware security (we are assuming that the user computer is
> > not captured).
>
> That is an interesting idea, but unfortunately our users tend to travel a
> lot and need to be able to access mail from anywhere. Also, static IPs can
> get quite expensive from some ISPs. Our users are pretty much on fixed
> incomes and any expense is a hardship for them.
>
> -- Doug
>
>
The following steps may be another idea:

Assume that you supply your users with a small login program prepared for them specifically (since you are using SSH):

Compile that program for each user with a special identifier for him/her, ship this program to your user, and require that the login be performed by this program. This program will send a very long code to your system together with the user password, a code which is only known to you and to your user. Since external users will not know this code, they will not be able to log into their accounts by using only the password.

This will also easily identify fake login trials: it is very obvious that to estimate a very long code will require a large number of tries. If the code fails, it means that the login trial is from a fake user.

If the password fails, a fixed number of trials may be allowed (the banks are allowing only TWO failed passwords; on the third, a new attempt can be made after 24 hours, in Turkey).

This program may also additionally send a computer signature to your system, which was previously sent to you on subscription, computed by a program prepared by you.

If the user changes or uses a different computer, he/she should supply a signature of the computer.

Here, the important point is that you should always verify that you are communicating with the real user, not a fake user on behalf of the real user.

For stolen programs/codes, prepare a new program and ship it to the user.

Another idea may be the following:

Assume the user computer is NOT captured by a criminal bandit.

On subscription, send the user a square bar code printed on a card like a credit card, carrying a very long code specifically prepared for the user.

On login, the user will show this card to the camera of the computer, and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user together with his/her password.

If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

Thank you very much.

Mehmet Erol Sanliturk
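The server-side half of the scheme proposed above (a long per-user code shipped inside the user's login program, checked alongside the password, with a fixed number of password failures before a 24-hour lockout) can be sketched as follows. This is an added example written for this archive page, not code from the thread or from any FreeBSD component; the record layout, the 32-byte code length, the PBKDF2 parameters and the "lock after two password failures" policy are assumptions chosen to match the post's description.

```python
"""Verifier for a two-secret login: a long per-client code plus the user's password,
with a password lockout policy.  Constructed example; nothing here is taken from the thread."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PASSWORD_MAX_FAILURES = 2       # two failed passwords tolerated, as in the bank policy quoted
LOCKOUT_SECONDS = 24 * 60 * 60  # the next attempt is accepted only after 24 hours
CLIENT_CODE_BYTES = 32          # the "very long code": 256 random bits per user (assumption)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    code_hash: bytes      # only a hash of the client code is kept on the server
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow hash so a stolen database does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hash_code(code: bytes) -> bytes:
    # The code is already high-entropy, so a plain hash is enough to avoid storing it in clear.
    return hashlib.sha256(code).digest()


def enroll(password: str) -> tuple[UserRecord, bytes]:
    """Create the server record and the per-user code to compile into that user's login program."""
    salt = secrets.token_bytes(16)
    code = secrets.token_bytes(CLIENT_CODE_BYTES)
    return UserRecord(salt, hash_password(password, salt), hash_code(code)), code


def check_login(users: dict, username: str, client_code: bytes, password: str, now: float) -> str:
    """Return 'ok', 'locked', 'bad_code' or 'bad_password' for one login attempt at time `now`."""
    user = users.get(username)
    if user is None:
        # Unknown name: still hash the code so the reply time does not differ much from a real user.
        hash_code(client_code)
        return "bad_code"
    if now < user.locked_until:
        return "locked"
    # The client code is checked first: the post treats a wrong code as evidence that the
    # request does not come from the user's own program at all, so it is rejected outright
    # and does not consume one of the password tries.
    if not hmac.compare_digest(hash_code(client_code), user.code_hash):
        return "bad_code"
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        user.failures += 1
        if user.failures >= PASSWORD_MAX_FAILURES:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failures = 0
        return "bad_password"
    user.failures = 0
    return "ok"


if __name__ == "__main__":
    # Constructed demo: one enrolled user, then a correct login, a wrong code, two wrong
    # passwords, a locked-out attempt, and a successful retry after the lockout expires.
    users = {}
    record, code = enroll("correct horse battery")
    users["alice"] = record
    for t, c, pw in [(0, code, "correct horse battery"), (1, b"\x00" * 32, "correct horse battery"),
                     (2, code, "wrong"), (3, code, "wrong"), (4, code, "correct horse battery"),
                     (4 + LOCKOUT_SECONDS, code, "correct horse battery")]:
        print(t, check_login(users, "alice", c, pw, t))
```

Because a wrong code is refused before the password is examined, a code failure can be logged as a separate event class from an ordinary password typo, which is the distinction the post draws between "fake user" and "user who mistyped".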