[luau] Linux POS/Cash Register Terminal Image

R. Scott Belford sctinc at flex.com
Tue May 28 13:32:00 PDT 2002


On Monday, May 27, 2002, at 05:20 PM, Ray Strode wrote:

>> We were thinking about putting a unique DSA private key (without a
>> passphrase) onto each flash disk.  That would be the unique identifier for
>> each cash register, using DSA private/public authentication for the login
>> into an SSH account on the server.  This should work out great because it
>> would be nearly impossible to spoof, and cash registers cannot accidentally
>> log into the wrong SSH account.
> Okay I have some questions first about the setup.  How are cashiers
> logged in? This is a question concerning the server software.  Is it
> just a normal server and regular telnetd is running? If so we can just
> use ssh as a drop-in replacement.  Does it have its own proprietary
> telnet server running? If so we are going to have to set up an ssh
> tunnel.

Because we are on a private WAN, we use standard telnet.  Counterpoint 
has its own authentication for each user.  We need a register OS capable 
of SSH or Telnetting to a standard telnet or ssh server running on the 
server.  The OS then has to handle the terminal sequences, emulations, 
and pass through printing.  Specific .bash_profile settings are made for 
each user to be sure they go where they are supposed to and stay there.  
Once they login via telnet, the login for Counterpoint is the first 
thing they see.

>
> Now questions about your proposal.  Is each ssh account tied to the
> register or cashier?  This is sort of related to paragraph above.  E.G.
> Is cashier authentication and authorization being handled by
> counterpoint or by the server running counterpoint?  If counterpoint
> doesn't handle cashier authentication on its own then we should probably
> associate a password with each key.  If we do assign a password to each
> key, I do /NOT/ think ssh-agent would be a good idea.
>
> So are we going to be running login on the registers?  I don't see the
> point, although if counterpoint doesn't support cashier authentication
> then we should probably write a small frontend (curses) for ssh.

See above, I think.  Double authentication for each register: server 
authentication for the ssh/telnet session and application authentication 
to get in to the Program.

>
>> For further control we could tie the SSH account and keypair to a static IP
>> address (also embedded in the flash disk).
> I only like that idea if the ssh accounts are tied to registers and not
> cashiers.  In other words, I don't think it would be too great if a
> cashier could only use one register on the whole system.

Excellent point.  Well observed.  I think that the ssh accounts would be 
tied to each register.

>
>> Perhaps we could also have the server enforce logins from that IP, account and
>> keypair only from a certain MAC address.
> MAC address spoofing is so trivial, I don't see any added security from
> doing this.

If it doesn't intrude on helping others at the installfest, I'll have 
the application on a server I'll bring.


scott
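
The per-register restrictions discussed in this thread (one SSH key per register, accepted only from that register's static IP, users kept where they are supposed to go) map onto the OpenSSH `authorized_keys` options `from=` and `command=`. The following is an added example, not part of the original message or any LUAU code: a Python audit of such entries, where the key blobs, addresses and the `/usr/local/bin/pos-login` wrapper are constructed assumptions.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # OpenSSH public key type prefixes
# Constructed sample: placeholder keys, RFC 5737 addresses, hypothetical pos-login wrapper.
SAMPLE = r'''
from="192.0.2.11",command="/usr/local/bin/pos-login --tty \"vt100,wide\"",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER1 register01
from="192.0.2.*",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER2 register02
ssh-ed25519 AAAAPLACEHOLDER3 register03
'''

def split_unquoted(text, seps, maxsplit=-1):
    """Split on characters in seps that lie outside double quotes."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        step = 2 if quoted and text[i] == "\\" else 1  # keep \" as one unit
        chunk, i = text[i:i + step], i + step
        quoted ^= chunk == '"'  # a bare double quote opens or closes a value
        if chunk in seps and not quoted and maxsplit != 0:
            parts, buf, maxsplit = parts + [buf], "", maxsplit - 1
        else:
            buf += chunk
    return parts + [buf]

def parse_line(line):
    """Return (options, key type, comment); None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # A line that starts with a key type carries no options field.
    opt_field, rest = ("", line) if line.startswith(KEY_TYPES) else (split_unquoted(line, " \t", 1) + [""])[:2]
    opts = {}
    for item in filter(None, split_unquoted(opt_field, ",")):
        name, _, value = item.partition("=")
        if value[:1] == value[-1:] == '"':
            value = value[1:-1].replace('\\"', '"')
        opts[name.lower()] = value
    fields = rest.split() + ["", "", ""]
    return opts, fields[0], fields[2]

def audit(text):
    """Return {key comment: [problems]} for every key line in the file text."""
    report = {}
    for opts, keytype, comment in filter(None, map(parse_line, text.splitlines())):
        problems = []
        if "from" not in opts:
            problems.append("no from= source pin")
        elif "*" in opts["from"] or "?" in opts["from"]:
            problems.append("from= uses a wildcard")
        if "command" not in opts:
            problems.append("no forced command")
        report[comment or keytype] = problems
    return report
```

Calling `audit(SAMPLE)` returns an empty problem list for `register01` and flags the other two constructed entries.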



