On Monday, May 27, 2002, at 05:20 PM, Ray Strode wrote:

We were thinking about putting a unique DSA private key (without a
passphrase) onto each flash disk. That would be the unique identifier for each cash register, using DSA private/public authentication for the login into an SSH account on the server. This should work out great because it would be nearly impossible to spoof, and cash registers cannot accidentally
log into the wrong SSH account.

Okay I have some questions first about the setup.  How are cashiers
logged in? This is a question concerning the server software.  Is it
just a normal server and regular telnetd is running? If so we can just
use ssh as a drop-in replacement.  Does it have its own proprietary
telnet server running? If so we are going to have to set up an ssh
tunnel.

Because we are on a private WAN, we use standard telnet. Counterpoint has its own authentication for each user. We need a register OS capable of SSH or Telnetting to a standard telnet or ssh server running on the server. The OS then has to handle the terminal sequences, emulations, and pass through printing. Specific .bash_profile settings are made for each user to be sure they go where they are supposed to and stay there. Once they log in via telnet, the login for Counterpoint is the first thing they see.


Now questions about your proposal.  Is each ssh account tied to the
register or cashier?  This is sort of related to paragraph above.  E.G.
Is cashier authentication and authorization being handled by
counterpoint or by the server running counterpoint?  If counterpoint
doesn't handle cashier authentication on its own then we should probably
associate a password with each key.  If we do assign a password to each
key, I do /NOT/ think ssh-agent would be a good idea.

So are we going to be running login on the registers?  I don't see the
point, although if counterpoint doesn't support cashier authentication
then we should probably write a small frontend (curses) for ssh.

See above, I think. Double authentication for each register: server authentication for the ssh/telnet session and application authentication to get into the Program.


For further control we could tie the SSH account and keypair to a static IP
address (also embedded in the flash disk).

I only like that idea if the ssh accounts are tied to registers and not
cashiers.  In other words, I don't think it would be too great if a
cashier could only use one register on the whole system.

Excellent point. Well observed. I think that the ssh accounts would be tied to each register.


Perhaps we could also have the server enforce logins from that IP, account and
keypair only from a certain MAC address.

MAC address spoofing is so trivial, I don't see any added security from
doing this.

If it doesn't intrude on helping others at the installfest, I'll have the application on a server I'll bring.


scott

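The thread's idea of tying each register's SSH account and key to a static IP can be checked on the server side. The following is an added example, not code from anyone in the thread: it assumes the server runs OpenSSH, whose `authorized_keys` format supports a `from="..."` option, and it audits one key line per register account against an inventory. The account names, IP addresses and key blobs are constructed placeholders.

```python
import re

# Constructed inventory: register account -> static IP assigned to that register.
REGISTER_IPS = {"reg01": "10.1.1.11", "reg02": "10.1.1.12", "reg03": "10.1.1.13"}

# Constructed authorized_keys lines, one per account; key blobs are placeholders.
SAMPLE_KEYS = {
    "reg01": 'from="10.1.1.11" ssh-dss AAAAB3PLACEHOLDER1 register-01',
    "reg02": 'ssh-dss AAAAB3PLACEHOLDER2 register-02',
    "reg03": 'no-port-forwarding,from="10.1.1.*" ssh-dss AAAAB3PLACEHOLDER3 register-03',
}

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def split_options(line):
    """Split one authorized_keys line into (options, rest-of-line)."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return "", line  # line starts with the key type: no options field
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            # options end at the first whitespace outside double quotes
            return line[:i], line[i:].lstrip()
    return line, ""


def from_patterns(options):
    """Return the comma-separated patterns of the from= option, if present."""
    m = re.search(r'(?:^|,)from="([^"]*)"', options, re.IGNORECASE)
    return m.group(1).split(",") if m else []


def audit(account, line, inventory=REGISTER_IPS):
    """OK: pinned to exactly the register's IP. UNPINNED: no from= at all.
    MISMATCH: from= present but wider than, or different from, that IP."""
    options, _ = split_options(line)
    patterns = from_patterns(options)
    if not patterns:
        return "UNPINNED"
    return "OK" if patterns == [inventory[account]] else "MISMATCH"


def audit_all(keys=SAMPLE_KEYS):
    return {account: audit(account, line) for account, line in keys.items()}
```

With a passphrase-less key on removable flash, an `UNPINNED` or wildcard entry means a copied key works from any address that can reach the server.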