Re: Client Authentication

2013-03-23 Thread Mehmet Erol Sanliturk
On Sat, Mar 23, 2013 at 10:16 PM, Doug Hardie  wrote:

>
> On 23 March 2013, at 21:51, Mehmet Erol Sanliturk 
> wrote:
>
> >
> > Using a static IP on the client side, and checking the static IP of the user,
> may be a possibility:
> > In that way, any message from another IP will not be accepted.
> >
> > If this is possible for your systems, it may be checked for usability.
> >
> > One difficulty is that each user should obtain a static IP and cannot
> connect to his/her ISP from another IP.
> >
> > The good side is that nobody can connect to the ISP of the user from another IP:
> It supplies hardware security (we are assuming that the user computer is
> not captured).
>
> That is an interesting idea, but unfortunately our users tend to travel a
> lot and need to be able to access mail from anywhere.  Also, static IPs can
> get quite expensive from some ISPs.  Our users are pretty much on fixed
> incomes and any expense is a hardship for them.
>
> -- Doug
>
>
The following steps may be another idea:

Assume that you supply to your users a small login program prepared for
them specifically (since you are using SSH):

Compile that program for each user with a special identifier for him/her,
ship this program to your user, and require that the login be
performed by this program. This program will send a very long code to
your system together with the user password; the code is known only to you and
to your user. Since external users will not know this code, they will not be
able to log in to their accounts by using only the password.

This will also easily identify fake login trials: it is very obvious that
guessing a very long code will require a large number of tries. If the code
fails, it means that the login trial is from a fake user.
If the password fails, a fixed number of trials may be allowed (the banks in
Turkey are allowing only TWO failed passwords; on the third, a new attempt can
be made after 24 hours).

This program may also additionally send a computer signature to your system,
which was previously sent to you on subscription, computed by a program
prepared by you.

If the user changes or uses a different computer, he/she should supply
a signature of the computer.

Here, the important point is that you should always verify that you are
communicating with the real user, not a faked user on behalf of the real user.

For stolen programs/codes, prepare a new program and ship it to the user.

Another idea may be the following:

Assume the user computer is NOT captured by a criminal bandit.

On subscription, send to the user a square bar code printed on a card like a
credit card, having a very long code specifically prepared for the user.
On login, the user will show this card to the camera of the computer and it
will be transmitted to your system. In your system, it will be decoded,
and it will be used to identify the user together with his/her password.

If this application is used, it may not be necessary to send the users a
special login program prepared for each of them.

Thank you very much.

Mehmet Erol Sanliturk
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
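The "fixed number of trials, then lock out" rule in the reply above is what most sites implement at the log level rather than inside a custom login program, and it applies directly to the password-guessing attack Doug describes in the original message further down this page. The following POSIX shell is an added example, not code from anyone in this thread: it counts SMTP AUTH failures per client address over constructed Postfix-style smtpd log lines and prints the pfctl commands that would add sources over the limit to a pf table. The log lines, addresses, the threshold and the table name smtp_bruteforce are all assumptions; flag_bruteforce and pf_block_commands are my own helpers.

```shell
# Added example, not from the thread. Counts SASL authentication failures per
# client address in Postfix smtpd log lines and flags sources that reach a fixed
# limit, the "N failed tries, then lock out" rule from the reply above.
# Sample log, addresses, the limit and the pf table name are all made up.

# Constructed Postfix smtpd log excerpt (not real data). 203.0.113.7 fails four
# times; 198.51.100.9 fails once and then authenticates successfully.
SAMPLE_LOG='Mar 23 21:40:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 21:40:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 21:40:05 mx postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 23 21:41:10 mx postfix/smtpd[1240]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar 23 21:41:12 mx postfix/smtpd[1240]: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Mar 23 21:42:00 mx postfix/smtpd[1251]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure'

# Read log lines on stdin; print "<failures> <ip>" for every client address
# with at least $1 SASL failures (default 3), most failures first.
flag_bruteforce() {
  awk -v limit="${1:-3}" '
    /SASL [A-Z-]+ authentication failed/ {
      # The client address is the bracketed field just before ": SASL".
      if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 8)   # drop "[" and "]: SASL"
        fails[ip]++
      }
    }
    END {
      for (ip in fails)
        if (fails[ip] >= limit) printf "%d %s\n", fails[ip], ip
    }' | sort -rn
}

# Same input; print the pfctl commands that would add each flagged address to
# a pf table (assumed name smtp_bruteforce) that a block rule references.
# Printed rather than executed so the list can be reviewed or fed to a cron job.
pf_block_commands() {
  flag_bruteforce "${1:-3}" | while read -r count ip; do
    printf 'pfctl -t smtp_bruteforce -T add %s\n' "$ip"
  done
}

# Stand-alone usage:
#   printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 3
#   printf '%s\n' "$SAMPLE_LOG" | pf_block_commands 3
```

The table is consumed by a rule such as `block in quick proto tcp from <smtp_bruteforce> to any port { 25, 587 }`, with the table declared as persistent in pf.conf. Two practical caveats: the counter is keyed on the source address, not the account, so an attacker cannot lock a legitimate user out by guessing at that user's name; and the pattern above matches Postfix's log format only, so a sendmail installation needs its own match line.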


Re: Client Authentication

2013-03-23 Thread Doug Hardie

On 23 March 2013, at 21:51, Mehmet Erol Sanliturk  
wrote:

> 
> Using a static IP on the client side, and checking the static IP of the user, may
> be a possibility:
> In that way, any message from another IP will not be accepted.
> 
> If this is possible for your systems, it may be checked for usability.
> 
> One difficulty is that each user should obtain a static IP and cannot
> connect to his/her ISP from another IP.
> 
> The good side is that nobody can connect to the ISP of the user from another IP: It
> supplies hardware security (we are assuming that the user computer is not
> captured).

That is an interesting idea, but unfortunately our users tend to travel a lot 
and need to be able to access mail from anywhere.  Also, static IPs can get 
quite expensive from some ISPs.  Our users are pretty much on fixed incomes and 
any expense is a hardship for them.

-- Doug



Re: Client Authentication

2013-03-23 Thread Mehmet Erol Sanliturk
On Sat, Mar 23, 2013 at 9:22 PM, Doug Hardie  wrote:

> I am not sure this is the best place to ask this, but I didn't see any
> other maillists that seemed more appropriate.
>
> Basically, my outgoing mail server is being systematically attacked to try
> passwords looking for one that works.  When they do find one, we get
> inundated by spam sent through that account throughout the world.  The
> situation is such that most of our users are older and their computer is a
> hand-me-down so they can talk to their grandchildren.  Passwords are a
> great inconvenience for them and create numerous problems with remembering
> them even when they are simple.  Unfortunately, most of them are quite easy
> to guess.
>
> Telling users to use more appropriate passwords is a complete waste of my
> time.  It's never going to make any changes as they probably would not
> remember any other password (or where they wrote down the password).  This
> situation requires a technical solution.
>
> I have been investigating the use of client authentication through SSL.
>  DoD uses this approach by having the certificates on an ID card and a card
> reader on each computer.  We don't have the money to use that approach nor
> could we ever get our users to spring for that.  I was hoping to figure
> out a way to put the certificate on a flash drive or CD that the user would
> carry.  The approach we use has to also work for iPads, smart phones etc
> that do not have an interface for a card reader.
>
> At this time, I have successfully configured a test for openssl client
> authentication using a client certificate.  There are a few issues
> remaining.  DoD uses a p12 format for their certificates.  Many browsers
> support that format.  It encrypts the certificate and private key so they
> are not easily obtained from the smart card.  Openssl's s_client uses pem
> certificates and the key has to be included in the certificate file.  While
> that is easily transported on CD or flash drive, the private key is in the
> clear on the device.  That's not really viable.
>
> S_client works properly without a certificate when the certificate check
> in the server is set to not fail if a certificate is not provided.  This is
> needed because we will never get all our users to use this approach at
> home.  They will still want to use passwords.  Since the certificate
> request is made before the connection information is available, there is no
> easy way to request it only when needed.  I have only been able to test
> with the Safari browser and it does not handle the no certificate case
> properly.  I believe it is dropping the connection when the user does not
> select a certificate.  I still have to test the other browsers.
>
> There is an interesting aspect of openssl that the certificate it uses for
> normal SSL authentication is not used for client authentication.  There are
> another completely different set of calls that have to be made to set the
> certificate/key for use in validating the client certificates.  Much of
> this is only documented in existing code.
>
> With Safari you have to import the client's certificate into the keychain.
>  Then it works fine.  Unfortunately, it doesn't go away when you are done
> with it.  Unlike the smart card which, when removed, removes the
> certificate, the Safari certificate can continue to be used by anyone
> afterwards.  Hence, it's not all that useful for authentication.  One
> approach I have heard about, but not investigated yet is to place the
> keychain on the removable device.  That would make it go away.  However,
> that approach would not work with any other browser or mail program.
>
> Any ideas/suggestions on this will be appreciated.  Thanks,
>
> -- Doug
>


Using a static IP on the client side, and checking the static IP of the user,
may be a possibility:
In that way, any message from another IP will not be accepted.

If this is possible for your systems, it may be checked for usability.

One difficulty is that each user should obtain a static IP and cannot
connect to his/her ISP from another IP.

The good side is that nobody can connect to the ISP of the user from another IP:
It supplies hardware security (we are assuming that the user computer is
not captured).

Thank you very much.

Mehmet Erol Sanliturk


Client Authentication

2013-03-23 Thread Doug Hardie
I am not sure this is the best place to ask this, but I didn't see any other 
maillists that seemed more appropriate.

Basically, my outgoing mail server is being systematically attacked to try 
passwords looking for one that works.  When they do find one, we get inundated 
by spam sent through that account throughout the world.  The situation is such 
that most of our users are older and their computer is a hand-me-down so they 
can talk to their grandchildren.  Passwords are a great inconvenience for them 
and create numerous problems with remembering them even when they are simple.  
Unfortunately, most of them are quite easy to guess.

Telling users to use more appropriate passwords is a complete waste of my time.
It's never going to make any changes as they probably would not remember any
other password (or where they wrote down the password).  This situation
requires a technical solution.

I have been investigating the use of client authentication through SSL.  DoD 
uses this approach by having the certificates on an ID card and a card reader 
on each computer.  We don't have the money to use that approach nor could we
ever get our users to spring for that.  I was hoping to figure out a way to
put the certificate on a flash drive or CD that the user would carry.  The 
approach we use has to also work for iPads, smart phones etc that do not have 
an interface for a card reader.

At this time, I have successfully configured a test for openssl client 
authentication using a client certificate.  There are a few issues remaining.  
DoD uses a p12 format for their certificates.  Many browsers support that 
format.  It encrypts the certificate and private key so they are not easily 
obtained from the smart card.  Openssl's s_client uses pem certificates and the 
key has to be included in the certificate file.  While that is easily 
transported on CD or flash drive, the private key is in the clear on the 
device.  That's not really viable.

S_client works properly without a certificate when the certificate check in the 
server is set to not fail if a certificate is not provided.  This is needed 
because we will never get all our users to use this approach at home.  They 
will still want to use passwords.  Since the certificate request is made before 
the connection information is available, there is no easy way to request it 
only when needed.  I have only been able to test with the Safari browser and it 
does not handle the no certificate case properly.  I believe it is dropping the 
connection when the user does not select a certificate.  I still have to test 
the other browsers.

There is an interesting aspect of openssl that the certificate it uses for 
normal SSL authentication is not used for client authentication.  There are 
another completely different set of calls that have to be made to set the 
certificate/key for use in validating the client certificates.  Much of this is 
only documented in existing code.

With Safari you have to import the client's certificate into the keychain.  
Then it works fine.  Unfortunately, it doesn't go away when you are done with 
it.  Unlike the smart card which, when removed, removes the certificate, the 
Safari certificate can continue to be used by anyone afterwards.  Hence, it's
not all that useful for authentication.  One approach I have heard about, but 
not investigated yet is to place the keychain on the removable device.  That 
would make it go away.  However, that approach would not work with any other 
browser or mail program.

Any ideas/suggestions on this will be appreciated.  Thanks,

-- Doug
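Two of the problems in this message, that s_client wants a PEM key sitting in the clear on the removable device while browsers want an encrypted p12, are both handled by the openssl command line. The shell below is an added example, not from Doug or anyone on the list: it sets up a throwaway private CA, issues a client certificate, and keeps the client key two ways that do not leave it unprotected at rest, a passphrase-protected PKCS#12 bundle for browsers and mail clients, and a passphrase-encrypted PKCS#8 PEM key for tools that only take PEM. The CA name, the user name alice, the file names and the passphrase are assumptions, and make_client_bundle, p12_opens_with and client_cert_valid are my own helpers.

```shell
# Added example, not from the thread: a throwaway CA and client certificate,
# then the same client key kept two ways that do not leave it in the clear on
# a flash drive: a PKCS#12 bundle and a PKCS#8 encrypted PEM key.
# Subjects, file names and the passphrase are assumptions for the demo.

# Write ca.{key,crt}, client.{key,csr,crt}, client.p12 and client.enc.key
# into directory $1, protecting the last two with passphrase $2.
make_client_bundle() {
  dir=$1; pass=$2
  # Private CA. The mail server is configured to trust only this CA for
  # client certificates, so a certificate from any public CA is useless.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Mail CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Client key and CSR. -nodes leaves client.key unencrypted: this is the
  # "private key in the clear on the device" state described above.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=alice" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
  # PKCS#12: certificate, key and CA chain in one passphrase-protected file,
  # the format browsers and most mail clients import.
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -name alice -out "$dir/client.p12" -passout "pass:$pass"
  # PEM alternative: the key itself encrypted with PBES2/AES-256, which
  # openssl s_client can load with -key client.enc.key -pass pass:...
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$dir/client.key" \
    -out "$dir/client.enc.key" -passout "pass:$pass"
}

# Exit 0 only if the PKCS#12 MAC verifies under the given passphrase,
# i.e. the bundle cannot be opened without it.
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Exit 0 if the client certificate chains to the CA in the same directory,
# which is the check the server performs during the TLS handshake.
client_cert_valid() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Stand-alone usage:
#   d=$(mktemp -d); make_client_bundle "$d" s3cret
#   client_cert_valid "$d" && p12_opens_with "$d/client.p12" s3cret && echo ok
```

The passphrase protects the files at rest on the CD or flash drive; it does nothing about the copy a browser keeps once the p12 is imported, which is exactly the Safari keychain behaviour noted above, so an imported certificate still has to be removed from the keychain when the user is done.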


skype

2013-03-23 Thread ajtiM
Hi!

My system:
FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012 
r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

and I use Skype 2.1.0.81 from ports.

When I am using Skype, the conversation often (every 1-5 minutes)
gets disconnected, or rather, I hear but the other side doesn't hear me.
I know that a long time ago the line kern.hz="100" in loader.conf helped me, but it
doesn't work anymore.
I started using my Android phone and I don't have any problem. My friend is also
talking with people from Europe and the USA who have Linux or Windows, and
it works.

Thanks in advance...

Mitja
--
http://www.redbubble.com/people/lumiwa


Re: Don't reply to spam

2013-03-23 Thread Lars Eighner

On Sat, 23 Mar 2013, CyberLeo Kitsana wrote:

> On 03/23/2013 01:20 AM, Ralf Mardorf wrote:
>
>> The original "trying freeBSD 9.1 [...]" mail is spam, since the original
>> message had a "signature" about face lifting or something like that.
>>
>> Take a look at
>> http://lists.freebsd.org/pipermail/freebsd-questions/2013-March/249992.html
>>
>> Once you have visited the page from the link in the signature, you can't even
>> leave this page.
>>
>> It's hard to train spam filters if people reply to spam.
>
> That spam sig appears to be NetZero appending advertisements to
> legitimate outgoing messages. I doubt the OP has much control over that
> behaviour; especially if that happens to be their ISP.

I agree, but what the OP can do is use a proper sig which begins in the
first column with a hyphen followed by another hyphen, a space, and a
newline.

That will not prevent the service provider from appending the ad, but it
will make it possible for many (most? all?) mail readers to hide the sig
(and everything after it) if the user so desires.


--
Lars Eighner
http://www.larseighner.com/index.html
8800 N IH35 APT 1191 AUSTIN TX 78753-5266

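The delimiter Lars describes is a strict one: exactly hyphen, hyphen, space, alone on a line, starting in the first column. As an added example (not from Lars or the list), the following shell function applies that convention to constructed message bodies, including the case that lets an appended ad through because the trailing space is missing.

```shell
# Added example, not from the thread: cut a mail body at the signature
# delimiter, exactly "-- " (hyphen, hyphen, space) alone on a line, which is
# what mail readers that hide signatures look for. Bodies below are constructed.

# Print stdin up to (not including) the first signature delimiter line.
# A bare "--", an indented "-- ", or a quoted "> -- " is not a delimiter.
strip_sig() {
  awk '/^-- $/ { exit } { print }'
}

# Constructed body: proper delimiter, then a sig and an ISP-appended ad.
body_with_sig() {
  printf 'Sound works now, thanks.\nI have no idea why.\n-- \nPeter\n*** Visit our sponsor for a free gadget ***\n'
}

# Constructed body: "--" without the trailing space is body text, so
# nothing after it is hidden and the appended ad stays visible.
body_without_sig() {
  printf 'Sound works now, thanks.\n--\nPeter\n*** Visit our sponsor for a free gadget ***\n'
}

# Stand-alone usage: body_with_sig | strip_sig   (prints only the first two lines)
```

Note that mail clients and web interfaces which "helpfully" trim trailing whitespace on send turn "-- " into "--" and silently defeat the convention, which is one reason the ad in the linked message was not hidden.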


Re: Don't reply to spam

2013-03-23 Thread CyberLeo Kitsana
On 03/23/2013 01:20 AM, Ralf Mardorf wrote:
> The original "trying freeBSD 9.1 [...]" mail is spam, since the original
> message had a "signature" about face lifting or something like that.
> 
> Take a look at
> http://lists.freebsd.org/pipermail/freebsd-questions/2013-March/249992.html
> 
> Once you have visited the page from the link in the signature, you can't even
> leave this page.
> 
> It's hard to train spam filters if people reply to spam.

That spam sig appears to be NetZero appending advertisements to
legitimate outgoing messages. I doubt the OP has much control over that
behaviour; especially if that happens to be their ISP.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net


Furry Peace! - http://.fur.com/peace/


Re: Current motherboard recommendations?

2013-03-23 Thread W. D.
At 13:51 3/23/2013, Joshua Isom wrote:
>I'm planning on getting a new motherboard and ram.  I'm keeping the 
>processor so it'll have to be an AMD board.  What manufacturers tend to 
>be best, with bios/ufi support and chipset support?  Is there anything 
>to avoid?

Gigabyte works for me.

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$9.99 Domain Names -> http://domains.us-webmasters.com/



Current motherboard recommendations?

2013-03-23 Thread Joshua Isom
I'm planning on getting a new motherboard and ram.  I'm keeping the 
processor so it'll have to be an AMD board.  What manufacturers tend to 
be best, with bios/ufi support and chipset support?  Is there anything 
to avoid?



[listoso.com] new products list of tab computer

2013-03-23 Thread chuck2
To: freebsd-questions@freebsd.org via listoso.com


Good Morning, what a great day! Greetings from Sammy, sales manager of The
company name with great experience with tablet pc.. I send this mail because I
see you on http://es.listoso.com/freebsd-questions/2012-05/msg00805.html, and
get the idea that you are doing business on
tablet pc. I am very excited to tell you that we are a manufacturer of tablet
pc.

As for tablet pc, only 43$ tablet pc. seven inch, 512m,

For Android phone, now we have a 100 percent galaxy s3
copy. We also have Samsung note and note2. If
you want to get our full product list with photos and specifications, please
just reply to this mail. Thanks!

Best regards, Chuck



Re: No sound with Thinkpad X60

2013-03-23 Thread Peter Harrison
Friday, 22 March 2013 at 12:30:37 -0400, Lowell Gilbert said:
> Jerry  writes:
> 
> > On Fri, 22 Mar 2013 06:28:57 +0100
> > Bernt Hansson articulated:
> >
> >> 2013-03-22 00:42, Peter Harrison skrev:
> >> 
> >> Put this in your /boot/loader.conf and report back.
> >> 
> >> hw.snd.default_unit="0"
> >> 
> >> Test with other numbers if 0 does not work.
> >
> > Using an nVidia card, I had to do the following:
> >
> > /etc/sysctl.conf
> >   hw.snd.default_unit=4
> >
> > Rebooted and the sound worked. I never found any truly accurate
> > information on it, it was basically just a trial and error experiment.
> > And YES, it sucks that in all too many cases, sound doesn't "just work".
> 
> You don't actually need to reboot for each trial. Running sysctl(8) from
> the command line will do. And /dev/sndstat would probably tell you the
> right value to try. These things are covered in the Handbook..

Indeed. I've been faffing around with various sysctl settings from the command 
line without rebooting. As I mentioned in a slightly earlier email though, it's 
working now - although I can't figure out why, it is.

Thanks for your help.

Peter Harrison.


Re: No sound with Thinkpad X60

2013-03-23 Thread Peter Harrison
Friday, 22 March 2013 at  6:28:57 +0100, Bernt Hansson said:
> 2013-03-22 00:42, Peter Harrison skrev:
> 
> Put this in your /boot/loader.conf and report back.
> 
> hw.snd.default_unit="0"
> 
> Test with other numbers if 0 does not work.

Thanks Bernt.

Here's the relevant bit of rc.conf

snddetect_enable="YES"
mixer_enable="YES"

and I have 

snd_hda_load="YES"

in my loader.conf, so shouldn't need the sound_enable you suggested I think?

I also have this in my device.hints:

hint.hdac.0.cad0nid7.config="as=1"

but I think that's a typo and there should be an extra period in there somewhere

That said, I'm not going to change anything because all of a sudden and for no 
reason that I can figure out, it is now working. I have sound. 

Go figure.

Thanks for your help.

Peter Harrison.


Attaching GELI device on boot

2013-03-23 Thread Stephan Schindel
Hey,

I've got a problem attaching a geli device on boot. My setup:

ada0 and ada1 full geli setup (no partition schemes). ZFS on both. ada0
is my root device. I can boot into the system there is no problem with
it. But now I want to attach ada1 on boot as well using a single
keyfile. My rc.conf looks like this:

...
geli_autodetach="NO"
geli_devices="ada1"
geli_ada1_flags="-p -k /root/ada1.key"
...

The problem is that geli does not want to attach the device at first. It
complains about (missing?) metadata and an inappropriate file format (I don't
know where geli logs this). It tries to attach the device 3 times, which
is the default, with no success.

BUT once the system is booted up and I can login, I can manually start

/etc/rc.d/geli onestart

and it will successfully attach the device. So the configuration seems to be
fine; only the order in which the services are started seems to be wrong (e.g. devd
is being started AFTER geli tries to attach the device, why??)

Also there is a problem with sabnzbd, which is being started before the
network is set up, which is wrong as well.

Here is my full rc.conf:

hostname="freebsd"
ifconfig_nfe0="DHCP"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
devd_enable="YES"
devfs_enable="YES"
zfs_enable="YES"
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"
linux_enable="YES"
dbus_enable="YES"
hald_enable="YES"
powerd_flags="-a adp"
sshd_enable="YES"
sabnzbd_user="sts"
sabnzbd_group="sts"
sabnzbd_conf_dir="/usr/home/sts/.sabnzbd"
sabnzbd_enable="YES"
geli_autodetach="NO"
geli_devices="ada1"
geli_ada1_flags="-p -k /root/ada1.key"

I hope somebody can help me,
Stephan


security/heimdal generates openssl conflict [was - Re: Installing openssl from ports]

2013-03-23 Thread Shane Ambler

On 23/03/2013 00:21, Jim Ballantine wrote:

> Both openssl and heimdal install fine from the base system src, it's
> only when I try to install openssl from the ports, with heimdal
> installed by the base system that I get the error.
>
> When I run make install, what I get before the conflict message is:
>
> ===>  Compressing manual pages for openssl-1.0.1_8zopenssl-1.0.1_8
> ===>  Running ldconfig /sbin/ldconfig -m /usr/local/lib Installing
> openssl-1.0.1_8...pkg: openssl-1.0.1_8 conflicts with
> heimdal-1.5.2_4 (installs files into the same place). Problematic
> files: /usr/local/man/man3/DH_generate_key.3.gz
>
> *** [fale-pkg] Error code 70

I'll make the subject a bit more descriptive and cc the heimdal
maintainer.

The error appears to be generated by pkg and would indicate that you
have installed heimdal from ports. heimdal uses libcrypto from openssl
and may have been installed as a dependency for another port.

The base system doesn't install into /usr/local and pkg shouldn't
monitor any files installed by the base system, so the conflict with
/usr/local/man/man3/DH_generate_key.3.gz must be from the heimdal port.

I just tried a compile of heimdal within tinderbox where I have set
WITH_OPENSSL_PORT=true and the log for the heimdal indicates that it
deletes man pages installed by security/openssl. So either heimdal
installs a duplicate copy of the openssl man pages or it erroneously
includes the man pages in its package list generation.

part of tinderbox log -

===>  Building package for heimdal-1.5.2_4
Deleting heimdal-1.5.2_4

=== Checking filesystem state
list of files present before this port was installed but missing after
it was deinstalled)
./usr/local/man/man3/DES_cbc_cksum.3.gz missing

./usr/local/man/man3/DH_free.3.gz missing
./usr/local/man/man3/DH_generate_key.3.gz missing
./usr/local/man/man3/DH_get_default_method.3.gz missing

./usr/local/man/man3/RSA_new.3.gz missing
./usr/local/man/man3/RSA_new_method.3.gz missing
./usr/local/man/man3/RSA_set_method.3.gz missing
Deleting sqlite3-3.7.14.1
Deleting openssl-1.0.1_8
pkg_delete: file '/usr/local/man/man3/DH_generate_key.3.gz' doesn't exist
pkg_delete: file '/usr/local/man/man3/DH_new.3.gz' doesn't exist
pkg_delete: file '/usr/local/man/man3/DH_set_method.3.gz' doesn't exist

pkg_delete: file '/usr/local/man/man3/DES_set_odd_parity.3.gz' doesn't exist
pkg_delete: file '/usr/local/man/man3/DES_string_to_key.3.gz' doesn't exist
pkg_delete: couldn't entirely delete package `openssl-1.0.1_8'
(perhaps the packing list is incorrectly specified?)
Deleting libtool-2.4.2
Deleting libXt-1.1.1,1
Deleting db41-4.1.25_4