[lug] How to implement Authentication on Disparate OS?

Bear Giles bgiles at coyotesong.com
Fri Jul 15 09:13:18 MDT 2011


Authentication is a deep problem so you definitely want to build on top of
something that already exists - don't just toss in a few calls to a crypto
library and call it a day. Even a minimal system needs to be able to handle
sniffing, man-in-the-middle and replay attacks. That's not even the full
list, e.g., denial-of-service attacks or DNS cache poisoning or countless
other things.

If you still want to do it from scratch (or this is a homework problem) look
at the Kerberos protocol. It's been used on multiple OS for years and
Microsoft "enhanced" it for AD.


On Fri, Jul 15, 2011 at 8:23 AM, Lori Reed <lorireed at lightning-rose.com> wrote:

> On 07/14/2011 09:57 PM, Davide Del Vento wrote:
> > Machine A must have something that the spoofer can't have. E.g. a
> > private key with which something is signed and sent to Machine, who
> > verifies it's coming from A using A's public key.
>
> I'm no security wonk, but shouldn't the data itself be encrypted to
> defeat packet sniffing, and wouldn't that solve the original problem as
> stated?
>
> Lori
>
> > On Thu, Jul 14, 2011 at 20:34, <siegfried at heintze.com> wrote:
> >> Can someone suggest what I might google search for to learn how to implement
> >> a secure connection between two machines?
> >> Machine A is running freebsd and an application written in perl that needs
> >> to record a ticket in a database on machine B.
> >> Presently, machine A is sending the username and other information thru a
> >> perl socket to machine B. Machine B records the information, including the
> >> username in a database. If you have the perl source code running on machine
> >> A, it is pretty easy to spoof machine B into thinking you are someone else
> >> when you submit the ticket.
> >> How would I subvert a would be spoofer?
> >>
> >> What features are available in freebsd or Linux that could make this secure?
> >> Let's assume these machines are on the same domain controller.
> >> Now what if machine B is a windows machine? (Can linux or freebsd
> >> authenticate with a windows domain controller? I think they can.)
> >> I think SAMBA supports windows named pipes. Is this a possibility? I don't
> >> even know what to google search for.
> >> Thanks,
> >> Siegfried
> >>
> >> _______________________________________________
> >> Web Page:  http://lug.boulder.co.us
> >> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> >>
>
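
Added example, not part of the original thread or any poster's code: a Python sketch of why a signed ticket alone still falls to the replay attack mentioned above, and what the receiver has to track to reject it. It substitutes an HMAC over a shared key for the public-key signature suggested in the thread (the standard library has no asymmetric signing) and does nothing about sniffing. The field names, the 300-second window and the class name are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds a ticket stays acceptable (assumed policy)


def _tag(key, msg):
    """HMAC-SHA256 over a canonical encoding of the authenticated fields."""
    fields = {k: msg[k] for k in ("user", "body", "ts", "nonce")}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_ticket(key, username, body, now=None):
    """Machine A: attach a timestamp, a random nonce and a MAC to the ticket."""
    msg = {"user": username, "body": body,
           "ts": int(time.time() if now is None else now),
           "nonce": os.urandom(16).hex()}
    msg["mac"] = _tag(key, msg)
    return msg


class TicketVerifier:
    """Machine B: accept each authentic ticket once, inside the time window."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> ticket timestamp

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            ok = hmac.compare_digest(_tag(self.key, msg), str(msg["mac"]))
        except (KeyError, TypeError):
            return "malformed"
        if not ok:
            return "bad-mac"   # forged or altered, e.g. a changed username
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"     # authentic but outside the window
        # Nonces older than the window can be dropped: those tickets are stale.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return "replay"    # authentic bytes, but already accepted once
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"
```
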