alfs authentication protocol: assumptions

pak_lfs at freemail.gr pak_lfs at freemail.gr
Mon Nov 28 07:44:51 PST 2005


Jeremy Huntwork wrote:
> > 4. Either the IP or the DNS name (or both, of course) must be static, or
> > change veeeeeery rarely.
>
> Hmm. This one I'm not so sure about. I would want my alfsd servers to
> accept only connections from me, but I'd want to initiate that session
> from any client *I* happen to be using on the network, using dhcp or
> not, having a fqdn or not.

Hmm, it seems I phrased it wrong. What I meant was that the *server's*
IP or hostname should remain (fairly) static, not the client's. The reason
is in the requirements. 

You only need to authenticate the server *machine*. So, if its IP/Hostname
(at least one of the two) is pretty static, then you could make the client a
trusted authority and use the client's private key to sign a plain SSL/TLS
certificate for the server, with the server's private key being passwordless
(but protected by paranoid file permissions).

On the other hand, in the client's case, we try to authenticate *the user
running the client program* and we don't care much about the machine,
so there is no problem about DNS, IPs or whatever. Just know the password
and you will get in whether your laptop is at home or at work.

Did this cover you better?

Thanks :)
Pantelis
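The client-as-trusted-authority scheme described in the message above, as an added Go example (not code from the alfs project or from this thread): the client keeps its own CA key, signs a plain TLS certificate bound to the server's static hostname and IP, and on connect accepts only a server certificate that chains to that CA and names the expected host. The hostname, IP, validity periods and the use of P-256 keys are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error so the example stays short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueServerCert: the client is its own trust anchor. Its CA key signs a
// plain TLS server certificate for the (static) hostname and IP given.
func issueServerCert(host, ip string) (*x509.CertPool, *x509.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alfs client CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Server key is passwordless (unattended start); on disk it relies on
	// strict file permissions, e.g. mode 0600 owned by the daemon user.
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, IPAddresses: []net.IP{net.ParseIP(ip)},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvCert := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, srvCert
}

// serverTrusted is the client-side check on connect: the presented cert must
// chain to the client's own CA and carry the expected hostname or IP.
func serverTrusted(pool *x509.CertPool, cert *x509.Certificate, expect string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: expect})
	return err == nil
}
```

Because the server is pinned by the client's own CA, a certificate for another name or from any public CA is rejected, which is why the server's name or IP has to stay static for this to work.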
