On 07/15/2009 01:08 PM, john wrote:
> So are the following correct?:
>
> (1) I can create a single cert for a computer and distribute it to all
> users who may use that computer
>
> (2) I can create a cert for every user and distribute it to every
> computer that a user logs into.
>
> (3) I cannot create a generic "computer cert" that authenticates the
> computer and opens the port?

Think long and hard about what you want authentication to accomplish from a security standpoint, then worry about the implementation details.

Ask the question "Who are you authenticating?" or "What has permission to use the network?" Am I trying to restrict access to a specific set of users, or am I trying to restrict access to a specific set of machines? If it's the latter, does that mean anyone who sits down at that machine has access?

In a very very simplified view a certificate is nothing more than a password. Would you give the same password to every user? Would you put that password on every machine?

What you're learning is that certificate management is complex and often requires additional certificate management support.

If you want users to be authenticated no matter what machine they are logging in from *and* you want to use certificates as opposed to passwords, you essentially have two choices.

1) The user is in physical possession of the certificate; he carries it from machine to machine. This is the smart card (i.e. token) solution. To protect against theft or loss of the token, the user has to unlock the token using a password upon insertion of the token into the device.

2) The per user certificate is stored in a central location where only the user can access it. Usually this requires OS support and another layer of authentication.

If you want to do machine authentication then per machine certificates must be generated and distributed (which is where your question began). There is no easy secure way to do this for a large number of devices in the absence of sophisticated certificate management software; this is why certificate management software is a growth industry.

I'm not a Windows guy, but my understanding is that Microsoft offers (expensive) solutions. In the Linux world you might consider DogTag (http://pki.fedoraproject.org/wiki/PKI_Main_Page); this is the same certificate management system used by the DoD (Dept of Defense) and other high profile organizations, which Red Hat has generously made available as open source after its acquisition from Netscape.

Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which allows users and computers in a Microsoft Windows domain to automatically enroll for certificates issued from Certificate System.

Of course if you don't want to deal with the complexity of certificate based authentication you could just use passwords. Passwords are much less secure, but much simpler.


--
John Dennis <[email protected]>

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
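The distinction the reply draws (chain validation answers "was this certificate issued by our CA?", while the question of whether it names a user or a machine is a separate policy decision) can be shown end to end in a few dozen lines. The following Go program is an added example, not code from the list thread, from FreeRADIUS or from DogTag. It builds a throwaway PKI in memory (a lab CA, a per-user cert for "alice", a per-machine cert for "ws01.example.org", and a self-signed cert that carries alice's name but was never issued by the lab CA) and then runs the two checks an EAP-TLS server would make after the handshake. The OU=users / OU=machines convention, the names, and the `Kind` policy type are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Kind is what a certificate's subject claims to identify. The OU=users /
// OU=machines convention is an assumption of this example, not a rule of
// FreeRADIUS or DogTag; any stable attribute of the subject would do.
type Kind string

const (
	KindUser    Kind = "user"
	KindMachine Kind = "machine"
	KindUnknown Kind = "unknown"
)

// issue generates a P-256 key pair and a certificate for subject. With signer
// nil the certificate is self-signed; otherwise signer/signerKey issue it.
func issue(subject pkix.Name, isCA bool, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA || signer == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA, or a cert signing itself
	}
	if !isCA {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, parentKey := tmpl, key
	if signer != nil {
		parent, parentKey = signer, signerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// classify reads the assumed OU convention off the subject.
func classify(subject pkix.Name) Kind {
	for _, ou := range subject.OrganizationalUnit {
		switch ou {
		case "users":
			return KindUser
		case "machines":
			return KindMachine
		}
	}
	return KindUnknown
}

// authorize is the decision made after the TLS handshake: first, is the cert
// chained to our CA (a cert with the right name but the wrong issuer fails
// here); second, does it identify the kind of principal this port admits.
// The returned identity is what accounting/logs record. If every user carried
// the same cert, this value would be identical for all of them, which is why
// a shared cert authenticates "someone with the cert", not a person.
func authorize(cert *x509.Certificate, roots *x509.CertPool, want Kind) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if got := classify(cert.Subject); got != want {
		return "", fmt.Errorf("policy admits %s principals, certificate identifies a %s", want, got)
	}
	return cert.Subject.CommonName, nil
}

// Lab is the constructed PKI used by the example.
type Lab struct {
	Roots                *x509.CertPool
	User, Machine, Rogue *x509.Certificate
}

func buildLab() (*Lab, error) {
	ca, caKey, err := issue(pkix.Name{CommonName: "Example Lab CA"}, true, nil, nil)
	if err != nil {
		return nil, err
	}
	lab := &Lab{Roots: x509.NewCertPool()}
	lab.Roots.AddCert(ca)
	if lab.User, _, err = issue(pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"users"}}, false, ca, caKey); err != nil {
		return nil, err
	}
	if lab.Machine, _, err = issue(pkix.Name{CommonName: "ws01.example.org", OrganizationalUnit: []string{"machines"}}, false, ca, caKey); err != nil {
		return nil, err
	}
	// Same subject as alice's cert, but self-signed: our CA never issued it.
	if lab.Rogue, _, err = issue(pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"users"}}, false, nil, nil); err != nil {
		return nil, err
	}
	return lab, nil
}

func main() {
	lab, err := buildLab()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cert *x509.Certificate
		want Kind
	}{
		{"per-user cert, port admits users", lab.User, KindUser},
		{"per-machine cert, port admits machines", lab.Machine, KindMachine},
		{"per-machine cert, port admits users", lab.Machine, KindUser},
		{"self-signed cert named alice, port admits users", lab.Rogue, KindUser},
	}
	for _, c := range cases {
		if id, err := authorize(c.cert, lab.Roots, c.want); err != nil {
			fmt.Printf("REJECT %-48s %v\n", c.name, err)
		} else {
			fmt.Printf("ACCEPT %-48s identity=%s\n", c.name, id)
		}
	}
}
```

Running it prints one ACCEPT line for the user cert on a user port and for the machine cert on a machine port, and REJECT lines for the machine cert presented where a user is expected and for the self-signed cert, even though the latter has exactly the subject the policy is looking for. Real deployments move `classify` into the RADIUS server's policy configuration and usually key on a SAN or a dedicated OID rather than OU, but the two-step shape stays the same.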
