[Beowulf] Re: "hobbyists"es
malcolm croucher malcolm.croucher at gmail.com
Thu Oct 23 01:37:30 PDT 2008
- Previous message: [Beowulf] Re: "hobbyists"es
- Next message: [Beowulf] Re: Secure authentication (Was: "hobbyists"es)
What about fingerprint readers ..... My brother's got one on his laptop .... very small, neat and it must work quite well because I have tried to use it but can never log on.

On Thu, Oct 23, 2008 at 8:42 AM, Leif Nixon <nixon at nsc.liu.se> wrote:

> [reviving a really old thread - sorry]
>
> "Perry E. Metzger" <perry at piermont.com> writes:
>
> > "Robert G. Brown" <rgb at phy.duke.edu> writes:
> >>> If they can't use public key auth, give 'em secure ids or something
> >>> similar. Works fine for such purposes. Passwords are dead.
> >>
> >> Yeah, Bill Gates (among others) said something like that back in 2004.
> >> I confess to being deeply skeptical. Really. The SecureID solution has
> >> been around for a long time at this point. It was a PITA a decade ago.
> >> It is a PITA now. Expensive, too.
> >
> > It is neither. I use SecureIDs quite regularly and it isn't difficult
> > at all -- you just look at the device and type in the digits. What's
> > so hard about that? It isn't that expensive, either, but if you're
> > minimizing cost there are cheaper competitors and various
> > challenge-response devices, and even non-hardware solutions.
>
> The tokens are pretty expensive, they break, they get lost, they go
> out of clock sync, they run out of battery and need to be replaced.
> The support costs are non-negligible.
>
> [the rest of this post is a general comment, not necessarily directed
> at Perry]
>
> That said, there is interesting stuff like the YubiKey
> (http://www.yubico.com/), which is a USB token pretending to be a
> keyboard. Press a button on it, and it "types" a one-time password.
>
> Downside: it uses symmetric crypto, which essentially means you have a
> shared secret between the token and the auth server. This makes the
> auth server a fat, juicy target, and if it ever is cracked, you need
> to replace all your tokens.
>
> There are also systems that send out one-time passwords via SMS to the
> user's cellphone. Rather neat, but you do need to pay for those
> SMS:es.
>
> Soft tokens, like file based client-side certs and private ssh keys,
> are not necessarily a *huge* improvement over simple passwords. You do
> become immune against the password-guessing attacks, but private keys
> can be stolen. We see this happening. And when a private ssh key is
> stolen, it is a major headache to find all authorized_keys files that
> contain the corresponding public key.
>
> Ssh keys *can* improve your security - encrypt the private key with a
> good strong passphrase, make sure it never leaves your laptop, and
> (carefully) use ssh-agent and agent forwarding for your authentication
> needs. (And add your keys with "ssh-add -c".) However, in practice,
> this tends to be too complicated for the average user.
>
> For a reality check, run
>
>   grep -L CRYPT /home/*/.ssh/id_{r,d}sa
>
> to check how many users have unencrypted private keys stored on
> your system.
>
> --
> Leif Nixon - Systems expert
> ------------------------------------------------------------
> National Supercomputer Centre - Linkoping University
> ------------------------------------------------------------

--
Malcolm A.B Croucher
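
For the cleanup task described in the quoted message (finding every authorized_keys file that contains the public half of a stolen ssh key), here is an added example that is not part of the original thread. It matches on the decoded key blob, so entries with option prefixes or a changed comment are still found; the function names are illustrative, and the `/home/*/.ssh/authorized_keys` path is an assumption that follows the `/home/*` layout of the grep in the message.

```python
import base64, binascii, glob, hashlib, struct, sys

def key_blob(line):
    """Decoded public-key blob from one authorized_keys or .pub line, else None."""
    if line.lstrip().startswith("#"):
        return None  # commented-out entries grant no access
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # The blob begins with a uint32 length and the key-type name, which must
        # equal the preceding token; this skips option prefixes and comments.
        if len(blob) > 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == tokens[i].encode():
                return blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints, for matching against logs."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_key(stolen_pub_line, paths):
    """Return (path, line number) for every entry that holds the stolen key."""
    target = key_blob(stolen_pub_line)
    if target is None:
        raise ValueError("not a public key line")
    hits = []
    for path in paths:
        try:
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if key_blob(line) == target:
                        hits.append((path, lineno))
        except OSError:
            continue  # unreadable or missing file; a real audit should log it
    return hits

if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1]) as fh:  # argument: the stolen key's .pub file
        pub = fh.read()
    print("searching for", fingerprint(key_blob(pub)))
    # Assumed layout; add /root and any non-default AuthorizedKeysFile paths.
    for path, lineno in find_key(pub, glob.glob("/home/*/.ssh/authorized_keys")):
        print(f"{path}:{lineno}")
```

Run it as root on each host with the stolen key's `.pub` file as the only argument; every reported entry should be removed.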
