Web Hosting Talk

View Full Version : Get MAC address??


Félix C.Courtemanche
06-08-2001, 03:10 PM
Hi,

I am looking for ways to get the MAC address (that is the unique ID of an ethernet card) as an additional way of authenticating a user.

This would be used with the default password scheme (username is no longer needed because of it).

I understand it would not work for everyone, but I feel it could be a nice add-on to current security.


My question is... How can you reliably get the MAC address of a remote user through GNU/Linux systems?

jnestor
06-08-2001, 03:35 PM
1) as far as I know you can only get the MAC address if you're on the same LAN. You'd use ARP to get it.

2) Anyone with a dialup account wouldn't have a MAC address.
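
Added example, not part of any post in this thread: what the ARP lookup described above yields on a GNU/Linux server, using the kernel's neighbour table in the `/proc/net/arp` layout. The sample table, the addresses and the function names are constructed for illustration; an off-link client never appears in the table because its frames arrive carrying the gateway's MAC address.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/arp (not captured data).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:5e:10:00:01     *        eth0
192.0.2.25       0x1         0x6         02:00:5e:10:00:19     *        eth0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x02   # entry has been resolved to a hardware address
ATF_PERM = 0x04  # entry was set statically by an administrator


def parse_arp_table(text):
    """Return {ip: {"mac", "static", "device"}} for resolved entries only."""
    entries = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                            # ignore malformed rows
        ip, _hw_type, flags, mac, _mask, device = fields
        flags = int(flags, 16)
        if not flags & ATF_COM:
            continue                            # incomplete: no MAC learned
        entries[ip] = {"mac": mac.lower(),
                       "static": bool(flags & ATF_PERM),
                       "device": device}
    return entries


def lookup_mac(client_ip, local_net, table):
    """Return (entry, reason); entry is None when no MAC can be attributed."""
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(local_net):
        return None, "off-link: only the gateway's MAC is visible"
    entry = table.get(client_ip)
    if entry is None:
        return None, "no resolved ARP entry"
    return entry, "static" if entry["static"] else "dynamic"


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for ip in ("192.0.2.25", "192.0.2.1", "192.0.2.40", "198.51.100.7"):
        print(ip, lookup_mac(ip, "192.0.2.0/24", table))
```

To run it against a live system, pass the contents of `/proc/net/arp` to `parse_arp_table` instead of the sample string.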

Félix C.Courtemanche
06-08-2001, 03:43 PM
1) Do you have any suggestion to use a unique ID per computer? Something that cannot be faked by software only.

2) I know that, but if you add this feature for those with a DSL or cable-modem, you ensure that any attacker must also compromise an administrator's computer to get in, 1 more step makes it harder.

I wish to stay away from token card and the like because they are costly to put in and not much appreciated by users in general.

Madman2020
06-09-2001, 03:30 PM
Originally posted by Félix C.Courtemanche
1) Do you have any suggestion to use a unique ID per computer? Something that cannot be faked by software only.

2) I know that, but if you add this feature for those with a DSL or cable-modem, you ensure that any attacker must also compromise an administrator's computer to get in, 1 more step makes it harder.

I wish to stay away from token card and the like because they are costly to put in and not much appreciated by users in general.

No matter how much we don't want to hear it, besides IP spoofing, ARP spoofing does exist. However, IF you have individual users who you can get a MAC address from at least once, you can always statically arp them.

thewitt
06-09-2001, 04:25 PM
The MAC address is not part of the HTTP specification, so you would have to either be able to look at the actual IP packet, or reverse query the machine and get it to answer your request.

I suppose you could do this in a Java applet assuming you could get the user to download and run it. Never tried it and have not looked at the feasibility, but what you are asking is not capable using HTTP alone.

-t