Client Authentication

Polytropon freebsd at edvax.de
Sun Mar 24 08:22:49 UTC 2013


On Sun, 24 Mar 2013 01:16:33 -0700, Doug Hardie wrote:
> 
> On 24 March 2013, at 01:03, CeDeROM <cederom at tlen.pl> wrote:
> 
> > Why don't you just use PKI for authentication (you can generate your
> > own certificates)? You can easily upload keys/certificated to client
> > machines (PC, Android, Apple, ...). That should work :-)
> > 
> 
> That's exactly what I have been testing.  It's easy in concept, but
> there are issues in the details.  Once the certificate is loaded
> in a Mac and the password entered, it's available for anyone to use
> thereafter.  You actually have to remove the certificate from the
> keychain to disable it.  Not a great approach for shared computers.

Wouldn't there be a possibility to combine key _and_ password?
The key shouldn't have to be removed, but it should only work
with a password (which again is kept individual to each user).
The process has to be made "more uncomfortable" to be secure,
i.e., the password should _not_ be stored, instead it _has_
to be entered every time the secure connection is to be used.
If a different user gets his hands on a running session (in
terms of user-separation or profiles on a particular machine),
he won't be able to do anything with mail as he does not know
the password, and the password will not be automatically
provided for the sake of being "less complicated".

I don't know your particular end user machine settings, so this
is just a broad suggestion. Many things in this idea depend on
what software the client systems use, and how this software
actually deals with security-related settings and procedures.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
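The arrangement suggested above, a client key that stays on disk but only unlocks with a per-user passphrase that is never cached, as an added shell example (not code from the thread). It assumes the openssl command-line tool is installed and uses a constructed passphrase and a self-signed stand-in for the CA-issued client certificate:

```shell
#!/bin/sh
# Added example: passphrase-protected client key for certificate authentication.
# Assumes the openssl CLI is available; the passphrase and certificate are constructed for the demo.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passphrase; in practice each user of the shared machine types their own.
PASS='correct-horse-battery'

# 1. Generate the client key encrypted with AES-256 under PASS (PKCS#8, "ENCRYPTED PRIVATE KEY").
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -aes-256-cbc -pass "pass:$PASS" -out "$WORK/client.key" 2>/dev/null

# 2. Self-signed client certificate as a stand-in for one issued by your own CA.
#    Signing it already requires the passphrase, just like every later use of the key.
openssl req -new -x509 -key "$WORK/client.key" -passin "pass:$PASS" \
  -subj '/CN=mail-user' -days 30 -out "$WORK/client.crt" 2>/dev/null

# key_is_encrypted: 0 if the key file on disk is unusable without a passphrase.
key_is_encrypted() {
  grep -q 'ENCRYPTED PRIVATE KEY' "$WORK/client.key"
}

# can_use_key PASSPHRASE: 0 if the key unlocks with PASSPHRASE, non-zero otherwise.
# The mail client would perform this unlock on every connection; nothing is cached.
can_use_key() {
  openssl pkey -in "$WORK/client.key" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Stand-alone run: the right passphrase unlocks the key, a wrong one does not.
if can_use_key "$PASS"; then echo "unlocked with correct passphrase"; fi
if ! can_use_key 'wrong-passphrase'; then echo "rejected wrong passphrase"; fi
```

The certificate can stay installed for everyone; without the passphrase the key file is just ciphertext, which is the behaviour the thread asks for on shared machines.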