Re: s/key authentication for Apache on FreeBSD?
From: Andrew Kenneth Milton (akm_at_theinternet.com.au)
Date: 12/11/03
Date: Thu, 11 Dec 2003 18:33:37 +1100
To: Brett Glass <brett@lariat.org>
+-------[ Brett Glass ]----------------------
| An excellent reason to use SSL together with S/key.
I'm not sure about the physical setup you have, but, here goes.

Why don't you issue certificates to each user, that have a fixed life span,
say a week (or day or a few hours), and avoid the password thing altogether?

If you can generate pieces of paper to hand out, you can generate a
certificate per user that gets assigned / refreshed before they leave.

You could even just revoke the certificate if/when lost, if the assignment
of a new certificate is overly burdensome.

Once the certificate is revoked even having physical possession of the Palm
Pilot won't give you access. There are no passwords to write down, and there
are no user interactions to sniff/log.

You should be able to use a certificate at a cafe via floppy/cd/USB key (I
guess, I've never been to one). If this is the normal usage pattern, I'd be
making the lifespan of the certs very small.
--
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |  M:+61 416 022 411   |
ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
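The scheme suggested in the message above (a per-user certificate with a short lifetime, revoked if lost), as an added example that is not part of the original post: it builds a throw-away CA with the `openssl` command line and checks a certificate the way a verifying server would. The CA name, the users `alice` and `bob`, and the helper names `issue_cert`, `revoke_cert` and `cert_ok` are assumptions made for the illustration.

```shell
# Constructed demo CA in a temporary directory; nothing here is a real deployment.
D=$(mktemp -d)
mkdir "$D/certs"; : > "$D/index.txt"; echo 01 > "$D/serial"
cat > "$D/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $D/index.txt
serial = $D/serial
new_certs_dir = $D/certs
default_md = sha256
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
EOF
# Wrapper for "openssl ca" bound to the demo CA's key, certificate and database.
ca() { openssl ca -batch -config "$D/ca.cnf" -cert "$D/ca.pem" -keyfile "$D/ca.key" "$@" 2>/dev/null; }

# Self-signed CA that signs every user certificate and the CRL.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
  -config "$D/ca.cnf" -extensions v3_ca \
  -keyout "$D/ca.key" -out "$D/ca.pem" 2>/dev/null

# issue_cert USER DAYS: new key pair and a certificate valid for DAYS days.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$D/ca.cnf" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null &&
  ca -days "$2" -notext -in "$D/$1.csr" -out "$D/$1.pem" &&
  ca -gencrl -out "$D/crl.pem"
}

# revoke_cert USER: mark the certificate revoked and publish a fresh CRL.
revoke_cert() { ca -revoke "$D/$1.pem" && ca -gencrl -out "$D/crl.pem"; }

# cert_ok USER [DAYS_AHEAD]: succeeds only if the certificate chains to the CA,
# is inside its validity window at the checked time, and is not on the CRL.
cert_ok() {
  openssl verify -attime $(( $(date +%s) + ${2:-0} * 86400 )) -crl_check \
    -CAfile "$D/ca.pem" -CRLfile "$D/crl.pem" "$D/$1.pem" >/dev/null 2>&1
}
```

On the Apache side the same decision is made by mod_ssl, using the `SSLVerifyClient`, `SSLCACertificateFile` and `SSLCARevocationFile` directives pointed at the CA certificate and CRL.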