<html><body>
<DIV>Vance,</DIV>
<DIV>Thanks, I'm aware of this article and it's a good one, too. </DIV>
<DIV>What I'm talking about is having a private key, knowing its decryption passphrase, and authenticating when the private key and public key match... On the enterprise level, via a central auth server(s). This is very easy to do for say, ssh accounts on particular hosts. I haven't seen anything yet that does this from a centralized point.</DIV>
<DIV> </DIV>
<DIV>One benefit of this, from my understanding, is that the passphrase would be used to check the local private key (which could be on a thumb drive). The Centralized Auth server(s) would hold a list of authorized public keys (keys are by their nature quite secure, and quite hard to fake, so far). Once there's been a match between the public and private keys (i.e. successful authentication), the Centralized Auth Server could then determine proper Authorization Levels for the requested authentication.</DIV>
<DIV> </DIV>
<DIV>This would solve the whole weak password thing, which is why I'm interested.</DIV>
<DIV>These articles use the current, widely used systems LDAP and Kerberos. These are great systems. But anyone could guess weak passwords anywhere on a network. With what I'm talking about, yes, the passwords could be guessed, but the private key would have to be present to be guessed against. The private key could be protected physically like a set of car keys. The Authentication process would only happen once the unlocked (and hopefully un-stolen) private key matches the public key held in a central/managed location.</DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>-Rob</DIV>
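<DIV>The scheme described above (passphrase unlocks a local private key, a central server holds only the authorized public keys and maps a successful match to an authorization level), worked through as an added example. This is illustrative code written for this archive page, not anything from the thread, WPLUG or the Linux Journal articles; the key-file format, the `AuthServer` type and the iterated-SHA-256 key derivation are assumptions made to keep it standard-library-only (a real deployment would use a proper password KDF and a real wire protocol).</DIV>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ProtectedKey is a hypothetical on-disk (or thumb-drive) format: the ed25519
// seed sealed with AES-GCM under a key derived from the passphrase. Without the
// file there is nothing for a guessed passphrase to be checked against.
type ProtectedKey struct{ Salt, Nonce, Sealed []byte }

// deriveKey stands in for a real password KDF (scrypt or Argon2 in practice);
// iterated SHA-256 is an assumption used only to stay standard-library-only.
func deriveKey(passphrase string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 10000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectKey seals the private key seed under the passphrase.
func ProtectKey(priv ed25519.PrivateKey, passphrase string) (ProtectedKey, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return ProtectedKey{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedKey{}, err
	}
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return ProtectedKey{}, err
	}
	return ProtectedKey{Salt: salt, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, priv.Seed(), nil)}, nil
}

// UnlockKey recovers the private key; a wrong passphrase fails the GCM tag check.
func UnlockKey(pk ProtectedKey, passphrase string) (ed25519.PrivateKey, error) {
	gcm, err := gcmFor(passphrase, pk.Salt)
	if err != nil {
		return nil, err
	}
	seed, err := gcm.Open(nil, pk.Nonce, pk.Sealed, nil)
	if err != nil {
		return nil, errors.New("cannot unlock private key: wrong passphrase or damaged key")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// AuthServer is the central service: it stores only public keys and each
// user's authorization level, plus the set of single-use outstanding challenges.
type AuthServer struct {
	keys    map[string]ed25519.PublicKey
	levels  map[string]string
	pending map[string]bool
}

func NewAuthServer() *AuthServer {
	return &AuthServer{map[string]ed25519.PublicKey{}, map[string]string{}, map[string]bool{}}
}

// Authorize registers a user's public key and the level it is entitled to.
func (s *AuthServer) Authorize(user string, pub ed25519.PublicKey, level string) {
	s.keys[user], s.levels[user] = pub, level
}

// Challenge issues a fresh random nonce that may be answered exactly once.
func (s *AuthServer) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify checks the signature over a pending challenge against the user's
// authorized public key and, on a match, returns the authorization level.
func (s *AuthServer) Verify(user string, challenge, sig []byte) (string, error) {
	id := hex.EncodeToString(challenge)
	if !s.pending[id] {
		return "", errors.New("unknown or already-used challenge")
	}
	delete(s.pending, id) // consumed: a captured signature cannot be replayed
	pub, ok := s.keys[user]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("no authorized public key matches this signature")
	}
	return s.levels[user], nil
}

// Login runs the whole exchange from the client's side: unlock, sign, verify.
func Login(s *AuthServer, user string, pk ProtectedKey, passphrase string) (string, error) {
	priv, err := UnlockKey(pk, passphrase)
	if err != nil {
		return "", err
	}
	challenge, err := s.Challenge()
	if err != nil {
		return "", err
	}
	return s.Verify(user, challenge, ed25519.Sign(priv, challenge))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pk, _ := ProtectKey(priv, "correct horse") // constructed sample passphrase
	srv := NewAuthServer()
	srv.Authorize("rob", pub, "admin")
	fmt.Println(Login(srv, "rob", pk, "correct horse"))
	fmt.Println(Login(srv, "rob", pk, "guess1"))
}
```

<DIV>The point the thread makes shows up in the three failure paths: a wrong passphrase cannot even produce a signature, a key the server never listed is rejected regardless of its passphrase, and a consumed challenge is refused so a sniffed signature is useless later. The server never learns the passphrase or the private key, which is what lets the key stay on a thumb drive while authorization is still decided centrally.</DIV>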
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message -------------- <BR>From: Vance Kochenderfer <vkochend@nyx.net> <BR><BR>> "Rob Jeffries" <RL_JEFFRIES@COMCAST.NET> wrote: <BR>> > Will you answer my post? <BR>> > http://www.wplug.org/pipermail/wplug/2006-January/027494.html <BR>> <BR>> I honestly don't understand the subject well enough to know if this <BR>> is helpful to you, but Linux Journal has been running a series of <BR>> articles titled "Single Sign-On and the Corporate Directory." <BR>> <BR>> Part 1: http://www.linuxjournal.com/article/8374<BR>> Part 2: http://www.linuxjournal.com/article/8375<BR>> Part 3: http://www.linuxjournal.com/article/8376<BR>> <BR>> Parts 2 and 3 are for subscribers only (at least, for now) but I <BR>> can bring all three issues to the GUM if need be. <BR>> <BR>> Vance Kochenderfer | "Get me out of these ropes and into a <BR>> vkochend@nyx.net | good belt of Scotch" -Nick Danger <BR>> _______________________________________________ <BR>> wplug mailing list <BR>> wplug@wplug.org <BR>> http://www.wplug.org/mailman/listinfo/wplug </BLOCKQUOTE></body></html>