[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [olpc-software] Authentication, authorization, personalization/imprinting



On Wed, Mar 29, 2006 at 11:49:26AM +0100, Mike Hearn wrote:
> David Malcolm wrote:
> >My guess here is that all that's really doable is one of (i) do you have
> >physical access to the machine?
> 
> Authentication is being used to do three things currently:
> 
> * Separate multiple user accounts - but not applicable here, unless
>   perhaps the family wish to use the childs laptop and treat it as
>   a family laptop.

Well, gdm has an "autologin" option.  I'd expect OLPC to ship with the
equivalent of autologin enabled by default.  However, sophisticated
users might like to turn it off for the more traditional multi-user
experience.

> * Prevent unauthorized access to data from people physically in front of
>   the machine. Realistically, is the headache of lost passwords worth
>   it?

No.

> * Establish a trusted path to the user ... that's what needing root to
>   reconfigure networks/date/software is about, really.
> 
> If the first two aren't really applicable then that leaves the third, 
> which can be better done in other ways, for instance using a combination 
> of SELinux (but used differently to how it's used in Fedora Core) and 
> the fact that the X server will tell you which events are synthetic. 
> Such a scheme can make the system both more secure and easier to use (by 
> eliminating password prompts).
> 
> But that's pretty new/experimental stuff as well, and there is probably 
> a limit to how much of that is a good idea for the first generation 
> product. So, being traditional here and prompting for the users password 
> Ubuntu-style might be better.

The other idea (which I'm surprised that nobody else has brought up yet)
is to authorize dangerous changes to the system using public key
cryptography.  So all the laptops might be loaded with the equivalent of
/root/.ssh/authorized_keys which contains a global key, country key,
state key, city key, teacher keys, etc.

I haven't really thought this through, just putting the idea out.

-- 
Make April 15 just another day, visit http://fairtax.org

Attachment: signature.asc
Description: Digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]