fP-Tech's bio-metrics
Bob Rasmussen
ras at anzio.com
Fri Jun 4 13:47:01 PDT 2004
On Thu, 3 Jun 2004, Walter Vaughan wrote:
> If I were Bob Rasmussen, I'd just add in APIs from different finger scanners
> (I found several online) and add it into AnzioWin and call it AnzioWinID
> (whatever) and have a solution that doesn't require changes to any code nor
> require fpGI.
I've thought about it. One question, though, is: how good is the security?
As long as the host system (the telnetd) is requiring only a username and
password, it will not know whether the password came from a user typing it
in (in which case it might be stolen), or from an authentication
device. Furthermore, good security that involves biometrics uses it as
only one factor in a multi-factor authentication. You should, for instance,
ALSO require a password. Maybe this could be done at the PC level, but my
point remains.
There are, though, some other ways to go with this, particularly if SSH is
being used. Following are my admittedly sketchy understandings of some
possibilities:
1. The sshd can be configured to allow or require authentication through
an external device, possibly in addition to a password and/or a private
key. I could explore this.
2. There is a whole area of "trust relationships" and "single sign-on".
The Windows PC that is initiating the connection can be set up with a
domain controller (DC). Then, when a user logs in to the PC as a
particular user, they must authenticate to the DC, which is a special
server on the network. This authentication process could conceivably
include biometrics. Once that is done, we need a way to authenticate to
Unix/Linux, where fP is running, based on a trust relationship between the
Unix server and the DC. I have been told that this can be done through
Kerberos. That also is an area I need to explore further.
As always, if someone is interested in pushing forward on this, I'd be
glad to work with them.
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: ras at anzio.com
company e-mail: rsi at anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com