-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Linux Autrement wrote: > On Mon, 2002-10-07 at 23:38, David Johnston wrote: > >>1. Ideally, we could use IPSec to authenticate each *workstation* long
Right. (see below, however) >>before we ask for names or passwords. However, each workstation starts >>up without a key every time it starts (it either builds one, or gets it >>from a central server somehow). I think this means that we cannot use It would almost need to retrieve it from the server. This cannot be done securely, unless the workstation has a way to build an encrypted tunnel with the server (ala stunnel or similar) before it downloads its secret key/certificate. The real question is whether or not the workstation is really who the workstation claims to be. >>the IPSec keys to authenticate the workstation. How can we prove that >>the workstation isn't an outsider trying to get into our network? Exactly. (also see below) >> >>2. How can we prevent man-in-the-middle attacks? Is it possible without >>workstation authentication? Nope. > > > But surely we do have some form of workstation authentication, the DHCP > server can be configured to respond only to known MACs, and do nothing > for others. Unfortunately, MAC addresses can be spoofed. :( Once I know your MAC address, I can assign it to my network interface and then use that to request a DHCP IP address. That's why the key needs to be secured somewhere on the workstation (i.e., some form of secondary storage) in order to authenticate itself to the server when requesting anything after the kernel and initial ramdisk. The kernel and initial ramdisk would need to be sent down. The initial ramdisk would then retrieve the certificate for the workstation from the workstation itself and establish the IPSec tunnel between the workstation and the server. All traffic would be sent from the workstation to the server at that point through that tunnel. I suppose the server would need to be a "gateway" for all the workstations that connect to it, so that increases the resources necessary for the server and puts more network load on the server. - -- Jason A. Pattie [EMAIL PROTECTED] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9ovaBuYsUrHkpYtARAmBMAJ9uQzoxdXbeQ2KXehcWllUVzuBJdwCeKIvj x2OLy+7zTTrfA0QnzKfqztU= =03vJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _____________________________________________________________________ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.openprojects.net
