What about fingerprint readers ..... My brother's got one on his laptop .... very small, neat and it must work quite well because I have tried to use it but can never log on.<br><br><div class="gmail_quote">On Thu, Oct 23, 2008 at 8:42 AM, Leif Nixon <span dir="ltr"><<a href="mailto:nixon@nsc.liu.se">nixon@nsc.liu.se</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">[reviving a really old thread - sorry]<br>
<br>
"Perry E. Metzger" <<a href="mailto:perry@piermont.com">perry@piermont.com</a>> writes:<br>
<br>
> "Robert G. Brown" <<a href="mailto:rgb@phy.duke.edu">rgb@phy.duke.edu</a>> writes:<br>
>>> If they can't use public key auth, give 'em secure ids or something<br>
>>> similar. Works fine for such purposes. Passwords are dead.<br>
>><br>
>> Yeah, Bill Gates (among others) said something like that back in 2004.<br>
>> I confess to being deeply skeptical. Really. The SecureID solution has<br>
>> been around for a long time at this point. It was a PITA a decade ago.<br>
>> It is a PITA now. Expensive, too.<br>
><br>
> It is neither. I use SecureIDs quite regularly and it isn't difficult<br>
> at all -- you just look at the device and type in the digits. What's<br>
> so hard about that? It isn't that expensive, either, but if you're<br>
> minimizing cost there are cheaper competitors and various<br>
> challenge-response devices, and even non-hardware solutions.<br>
<br>
The tokens are pretty expensive, they break, they get lost, they go<br>
out of clock sync, they run out of battery and need to be replaced.<br>
The support costs are non-negligible.<br>
<br>
[the rest of this post is a general comment, not necessarily directed<br>
at Perry]<br>
<br>
That said, there is interesting stuff like the YubiKey<br>
(<a href="http://www.yubico.com/" target="_blank">http://www.yubico.com/</a>), which is a USB token pretending to be a<br>
keyboard. Press a button on it, and it "types" a one-time password.<br>
<br>
Downside: it uses symmetric crypto, which essentially means you have a<br>
shared secret between the token and the auth server. This makes the<br>
auth server a fat, juicy target, and if it ever is cracked, you need<br>
to replace all your tokens.<br>
<br>
There are also systems that send out one-time passwords via SMS to the<br>
user's cellphone. Rather neat, but you do need to pay for those<br>
SMS:es.<br>
<br>
Soft tokens, like file based client-side certs and private ssh keys,<br>
are not necessarily a *huge* improvement over simple passwords. You do<br>
become immune against the password-guessing attacks, but private keys<br>
can be stolen. We see this happening. And when a private ssh key is<br>
stolen, it is a major headache to find all authorized_keys files that<br>
contain the corresponding public key.<br>
<br>
Ssh keys *can* improve your security - encrypt the private key with a<br>
good strong passphrase, make sure it never leaves your laptop, and<br>
(carefully) use ssh-agent and agent forwarding for your authentication<br>
needs. (And add your keys with "ssh-add -c".) However, in practice,<br>
this tends to be too complicated for the average user.<br>
<br>
For a reality check, run<br>
<br>
grep -L CRYPT /home/*/.ssh/id_{r,d}sa<br>
<br>
to check how many users have unencrypted private keys stored on<br>
your system.<br>
<font color="#888888"><br>
--<br>
Leif Nixon - Systems expert<br>
------------------------------------------------------------<br>
National Supercomputer Centre - Linkoping University<br>
------------------------------------------------------------<br>
_______________________________________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org">Beowulf@beowulf.org</a><br>
To change your subscription (digest mode or unsubscribe) visit <a href="http://www.beowulf.org/mailman/listinfo/beowulf" target="_blank">http://www.beowulf.org/mailman/listinfo/beowulf</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Malcolm A.B Croucher<br>
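The two audits Leif describes in the quoted message (finding private keys stored without a passphrase, and finding every authorized_keys entry that still carries a stolen public key) as an added Python example; this is not code from the thread or from any of the posters. The key and authorized_keys files are passed in as path-to-content mappings and the samples embedded below are constructed (the `_openssh_armor` helper builds only the header the classifier reads, not a usable key). The new-format parsing follows the public openssh-key-v1 layout, where the cipher name recorded after the magic string is "none" when no passphrase was set; the `grep -L CRYPT` heuristic from the message is reproduced alongside it so the difference on new-format keys is visible.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Legacy PEM keys (the only format ssh-keygen wrote in 2008) announce
# encryption in an armor header line, which is what "grep -L CRYPT" relies on.
PEM_ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def legacy_grep_flags(text: str) -> bool:
    """Reproduce the 'grep -L CRYPT' check: True means 'looks unencrypted'."""
    return "CRYPT" not in text


def _read_ssh_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire string: uint32 big-endian length followed by bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    if lines[0] == OPENSSH_HEADER:
        # New-format keys: the cipher name sits right after the magic string
        # inside the base64 body; nothing in the armor says whether it is "none".
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
            if not raw.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, _ = _read_ssh_string(raw, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    # PEM (RSA/DSA/EC) and PKCS#8: encryption is visible in the armor headers.
    if any(marker in text for marker in PEM_ENCRYPTED_MARKERS):
        return "encrypted"
    return "unencrypted"


def unencrypted_keys(key_files: Dict[str, str]) -> List[str]:
    """Paths of private keys stored without a passphrase, sorted."""
    return sorted(path for path, body in key_files.items()
                  if classify_private_key(body) == "unencrypted")


def authorized_keys_containing(pub_blob: str, files: Dict[str, str]) -> List[Tuple[str, int]]:
    """(path, line number) pairs whose entry carries pub_blob as its key material.

    Matching on the base64 blob rather than the trailing comment means a
    renamed comment or prepended options (from=, command=) cannot hide an entry.
    """
    hits = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if pub_blob in stripped.split():
                hits.append((path, lineno))
    return hits


def _openssh_armor(cipher: bytes, kdf: bytes) -> str:
    # Constructed sample: magic, cipher name, kdf name, empty kdf options,
    # key count. Only the header is present, so this is not a usable key.
    raw = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        raw += struct.pack(">I", len(field)) + field
    raw += struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample key files ("Tm90IGEgcmVhbCBrZXk=" is just "Not a real key").
SAMPLE_KEYS = {
    "/home/alice/.ssh/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                                "Tm90IGEgcmVhbCBrZXk=\n-----END RSA PRIVATE KEY-----\n"),
    "/home/bob/.ssh/id_dsa": ("-----BEGIN DSA PRIVATE KEY-----\nTm90IGEgcmVhbCBrZXk=\n"
                              "-----END DSA PRIVATE KEY-----\n"),
    "/home/carol/.ssh/id_ed25519": _openssh_armor(b"aes256-ctr", b"bcrypt"),
    "/home/dave/.ssh/id_ed25519": _openssh_armor(b"none", b"none"),
}

# Constructed: the public half of a key believed stolen, and three authorized_keys files.
STOLEN_PUB_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheExample00"
SAMPLE_AUTHORIZED_KEYS = {
    "/home/alice/.ssh/authorized_keys": f"ssh-ed25519 {STOLEN_PUB_BLOB} alice@laptop\n",
    "/home/bob/.ssh/authorized_keys": ("# backup pull from alice's laptop\n"
                                       'from="10.0.0.0/8",command="/usr/bin/rsync --server" '
                                       f"ssh-ed25519 {STOLEN_PUB_BLOB} backup\n"
                                       "ssh-rsa AAAAB3NzaC1yc2EOtherKey bob@desk\n"),
    "/root/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EOtherKey root\n",
}

if __name__ == "__main__":
    for path, body in SAMPLE_KEYS.items():
        print(f"{path}: {classify_private_key(body)} (grep -L CRYPT flags it: {legacy_grep_flags(body)})")
    print("unencrypted:", unencrypted_keys(SAMPLE_KEYS))
    print("stolen key still authorized in:", authorized_keys_containing(STOLEN_PUB_BLOB, SAMPLE_AUTHORIZED_KEYS))
```

On a real host the two mappings would be filled from `/home/*/.ssh/id_*` and `/home/*/.ssh/authorized_keys` read as root. The contrast worth noticing is carol's key: it is passphrase-protected, but the grep heuristic reports it as unencrypted because new-format OpenSSH keys carry no ENCRYPTED header in the armor, so the cipher name inside the base64 body has to be read instead.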