unique hardware identification
Mike Meyer
mwm-keyword-freebsdhackers2.e313df at mired.org
Tue Dec 19 07:57:11 PST 2006
In <4587F6F1.1050000 at metro.cx>, Koen Martens <fbsd at metro.cx> typed:
> Hi All,
>
> I was wondering, if something like a unique hardware identification
> would be possible on FreeBSD.
>
> I'd like a machine to authenticate to a server, for which it will
> need a unique identification. Problem is, it should be generated
> automatically and not easy to fake / detect without already having
> root access to the box.
At this point, you've actually described two different things:
"identifying the hardware" and "identifying to the server". The latter
just takes a string of bits that only exist in the client, like ssh
keys. Looking into something like OpenVPN's various authentication
mechanisms should give you ideas on various ways to do this.
Identifying the hardware is a bit trickier, because you have to have a
policy about what to do in the face of hardware changes, which will
influence what goes into your signature. You suggested disk serial
numbers. Does adding a disk invalidate the hardware id? Does it matter
which disk you booted from if you've got two disks in the id? Etc.
At the extreme low end, you can use an ID from something that's
trivially replaceable, like an ethernet MAC. In the middle, you mix in
an id from every bit of kit that you don't want the user to be able to
change. At the extreme high end, you want to look into "Trusted
Computing", which is a technology designed to create a computer that
the content vendors will trust enough to put content on.
<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
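As an added illustration of the two points in the reply above (this is example code, not from the thread or from FreeBSD), the block below separates "identifying the hardware" from "identifying to the server". The hardware id is a hash over a chosen set of component identifiers, with an explicit policy for how many may change before the machine is rejected; the server authentication is a plain HMAC challenge-response over a secret that exists only on the client. The inventory dictionary, the component names, the secret and all function names are constructed for the example, not read from real hardware.

```python
"""Added example (not from the mailing-list thread): a hardware-id policy
in the spirit of the reply above, plus a separate client-secret proof."""
import hashlib
import hmac
import os

# Constructed sample inventory; the identifiers are made up, not real hardware.
BASELINE_INVENTORY = {
    "board_serial": "MB-CONSTRUCTED-0001",
    "cpu_id": "CPU-CONSTRUCTED-0001",
    "disk:ada0": "DISK-CONSTRUCTED-AAA",
    "nic:em0": "02:00:00:00:00:01",
}

# Policy choice: which components feed the id.  A MAC is trivially
# replaceable, so it is left out; extra disks are ignored so that adding
# one does not invalidate the id (only a change to the boot disk does).
ID_COMPONENTS = ("board_serial", "cpu_id", "disk:ada0")


def hardware_id(inventory, components=ID_COMPONENTS):
    """SHA-256 over the selected identifiers in a fixed order.

    A component absent from the inventory hashes as the empty string, so
    removing one changes the id just as swapping it would.
    """
    h = hashlib.sha256()
    for name in components:
        h.update(f"{name}={inventory.get(name, '')}\n".encode())
    return h.hexdigest()


def changed_components(old, new, components=ID_COMPONENTS):
    """Names of id components whose identifiers differ between two inventories."""
    return [c for c in components if old.get(c) != new.get(c)]


def evaluate_hardware(enrolled, current, max_changes=1):
    """Policy decision for a machine presenting a new inventory.

    Returns ("match", []) when the id is unchanged, ("re-enroll", changed)
    when at most max_changes components differ (e.g. one replaced disk), and
    ("reject", changed) when more than that differ.
    """
    if hardware_id(enrolled) == hardware_id(current):
        return "match", []
    changed = changed_components(enrolled, current)
    if len(changed) <= max_changes:
        return "re-enroll", changed
    return "reject", changed


# "Identifying to the server" is a separate problem: the client proves it
# holds a secret that exists only on the client, here via an HMAC over a
# server-chosen challenge.  The secret below is constructed for the example.
CLIENT_SECRET = b"constructed-client-secret-not-a-real-key"


def client_proof(secret, challenge):
    """HMAC-SHA256 of the server's challenge under the client's secret."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def server_verify(secret, challenge, proof):
    """Server side: recompute the proof and compare in constant time."""
    return hmac.compare_digest(client_proof(secret, challenge), proof)


if __name__ == "__main__":
    # Same machine with an extra data disk added: id unchanged.
    with_extra_disk = {**BASELINE_INVENTORY, "disk:ada1": "DISK-CONSTRUCTED-BBB"}
    print(evaluate_hardware(BASELINE_INVENTORY, with_extra_disk))
    # Boot disk replaced: one component changed, so the policy says re-enroll.
    new_boot_disk = {**BASELINE_INVENTORY, "disk:ada0": "DISK-CONSTRUCTED-CCC"}
    print(evaluate_hardware(BASELINE_INVENTORY, new_boot_disk))
    challenge = os.urandom(16)
    print(server_verify(CLIENT_SECRET, challenge, client_proof(CLIENT_SECRET, challenge)))
```

The policy lives entirely in `ID_COMPONENTS` and `max_changes`: widening the tuple makes the id stricter (more parts the user cannot swap), and `max_changes` decides whether a single replaced part means re-enrolment or refusal. Note that the hardware id is still only a label; it is the HMAC proof, not the id, that a server should treat as authentication.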