> We were thinking about putting a unique DSA private key (without a
> passphrase) onto each flash disk. That would be the unique identifier for
> each cash register, using DSA private/public authentication for the login
> into an SSH account on the server. This should work out great because it
> would be nearly impossible to spoof, and cash registers cannot accidentally
> log into the wrong SSH account.

Okay, I have some questions first about the setup. How are cashiers logged in? This is a question concerning the server software. Is it just a normal server and regular telnetd is running? If so, we can just use ssh as a drop-in replacement. Does it have its own proprietary telnet server running? If so, we are going to have to set up an ssh tunnel.

Now questions about your proposal. Is each ssh account tied to the register or cashier? This is sort of related to the paragraph above. E.g., is cashier authentication and authorization being handled by counterpoint or by the server running counterpoint? If counterpoint doesn't handle cashier authentication on its own, then we should probably associate a password with each key. If we do assign a password to each key, I do /NOT/ think ssh-agent would be a good idea. So are we going to be running login on the registers? I don't see the point, although if counterpoint doesn't support cashier authentication then we should probably write a small frontend (curses) for ssh.

> For further control we could tie the SSH account and keypair to a static IP
> address (also embedded in the flash disk).

I only like that idea if the ssh accounts are tied to registers and not cashiers. In other words, I don't think it would be too great if a cashier could only use one register on the whole system.

> Perhaps we could also have the server enforce logins from that IP, account
> and keypair only from a certain MAC address.

MAC address spoofing is so trivial, I don't see any added security from doing this.

--Ray
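An added example, not part of the original message or of any project mentioned in it: OpenSSH's `from="..."` option in `authorized_keys` is one way to tie a key to a static IP address as the quoted proposal suggests, and this Python audit lists register keys that are not pinned to exactly one literal address. The `register-NN` comments, the addresses and the key blobs are constructed placeholders, and the assumption is that each register's key carries its register name as the key comment.

```python
import ipaddress

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # how OpenSSH key-type names begin
# Constructed sample: key blobs, comments and addresses are placeholders.
SAMPLE = """\
from="192.0.2.11" ssh-dss AAAAconstructedkey01 register-01
ssh-dss AAAAconstructedkey02 register-02
from="192.0.2.*,198.51.100.7",no-pty ssh-dss AAAAconstructedkey03 register-03
"""

def split_outside_quotes(text, seps):
    """Split text on any char in seps, ignoring separators inside "quotes"."""
    parts, quoted, prev = [""], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
        prev = ch
    return [p for p in parts if p]

def parse_entry(line):
    """Return (options dict, key type, comment) for one authorized_keys line."""
    fields = split_outside_quotes(line.strip(), " \t")
    opts = {}
    if not fields[0].startswith(KEY_PREFIXES):  # leading field is the option list
        for opt in split_outside_quotes(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            opts[name.lower()] = value.strip('"')
    return opts, fields[0], fields[2] if len(fields) > 2 else ""

def audit(text):
    """List (line number, comment, problem) for keys not pinned to one address."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, _keytype, label = parse_entry(line)
        try:
            ipaddress.ip_address(opts["from"])  # wildcards and lists fail here
        except KeyError:
            findings.append((n, label, "no from= restriction"))
        except ValueError:
            findings.append((n, label, "from= is not a single literal address"))
    return findings
```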
