At 12:30 AM +0200 6/28/06, Ansgar -59cobalt- Wiechers wrote:
On 2006-06-27 Dan Shoop wrote:
But passwords are always going to be weak. Solution? Don't use
passwords. Use keys instead. Now they can't post-it-note them.
These keys should not go unprotected, though, because someone may manage
to snatch a copy of it. One way to protect the keys while minimizing the
impact for the user is to use FileVault and an SSH agent.
Obviously. But keys are normally already protected through access
to the filesystem they're held on. This is adequate for addressing
the poster's problem.
[...]
Or use some biometric as the "password" data.
I usually recommend against using biometrics for authentication purposes
for two reasons:
1) FAR/FRR tradeoff
It's not possible to eliminate false rejects without dramatically
increasing false accepts (which would be a security risk).
2) Compromised tokens
How do you handle situations where biometric tokens get compromised
(like an attacker manages to fake an employee's fingerprint)? Remove
the finger? You have only a very limited amount of biometric tokens
to choose from.
A "biometric token" is something like my iris or my thumb. If it's
compromised then that means someone else has my iris or thumb. That
means it no longer is mine and is no longer a token I can use so just
like another token it needs replaced.
As for spoofing or false-positive issues this isn't the fault of the
token but the authenticator. The token (e.g. my iris) is quite good
enough already.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.ustsvs.com/
email@hidden http://www.iwiring.net/
1-714-363-1174
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
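
The FAR/FRR tradeoff raised in the quoted text above, worked through as an added example that is not part of the original thread. The match scores and function names are constructed for illustration and do not come from any real sensor or product.

```python
# Constructed similarity scores (0..1, higher = closer match to the enrolled
# template). GENUINE = the real user's attempts, IMPOSTOR = other people's.
GENUINE = [0.93, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.58, 0.52, 0.41]
IMPOSTOR = [0.47, 0.44, 0.39, 0.35, 0.31, 0.28, 0.22, 0.18, 0.12, 0.07]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every threshold where a decision changes."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t,) + rates(t, genuine, impostor) for t in thresholds]


def far_at_zero_frr(genuine=GENUINE, impostor=IMPOSTOR):
    """Strictest threshold that never rejects the real user, and its FAR."""
    t = min(genuine)
    return t, rates(t, genuine, impostor)[0]


def frr_at_zero_far(genuine=GENUINE, impostor=IMPOSTOR):
    """Loosest threshold that never accepts an impostor, and its FRR."""
    above = [s for s in genuine if s > max(impostor)]
    # If no genuine score beats the best impostor, everyone is rejected.
    t = min(above) if above else max(impostor) + 1e-9
    return t, rates(t, genuine, impostor)[1]


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  FAR={far:.1f}  FRR={frr:.1f}")
    print("zero false rejects:", far_at_zero_frr())
    print("zero false accepts:", frr_at_zero_far())
```

Because the two score distributions overlap, no single threshold drives both rates to zero; moving the threshold only trades one error for the other.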