computer authentication

Solution 1:

You might be in the market for a hardware token-based solution like the YubiKey. So, now they can still clone away, but they will still have only one YubiKey and therefore only one functional computer.

The cost is reasonable (I think):

  • 1 at US$25 each
  • 10 at US$20 each
  • 100 at US$15 each

But for a software-only solution ... why not load the computer with an SSH certificate and only allow one login per certificate? It will not prevent cloning, but the effect is the same.

You might want to add a check on the CPU ID so that if a certificate is used to authenticate a client from several different clients, you reduce the lifetime of the cert, or do some other annoying thing. Note that the CPU ID is not very trustworthy, but it does raise the bar a little for the cloner.
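
The server-side bookkeeping this answer describes, sketched as an added example that is not part of the original answer. The class `CloneGuard`, the certificate serial `cert-0001`, the CPU ID strings and the "halve the remaining lifetime" penalty are all assumptions chosen for illustration; the sample logins are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class CertState:
    expires_at: int                      # Unix time after which the cert is refused
    cpu_ids: set = field(default_factory=set)
    active_session: bool = False


class CloneGuard:
    """Hypothetical policy: one login per certificate, and every new CPU ID
    seen for a certificate halves that certificate's remaining lifetime."""

    def __init__(self):
        self.certs = {}

    def enroll(self, serial, expires_at):
        self.certs[serial] = CertState(expires_at)

    def login(self, serial, cpu_id, now):
        st = self.certs.get(serial)
        if st is None or now >= st.expires_at:
            return "deny: unknown or expired certificate"
        # cpu_id is reported by the client, so it can be spoofed; a mismatch
        # is treated as a signal that shortens the cert, not as proof.
        if st.cpu_ids and cpu_id not in st.cpu_ids:
            st.expires_at = now + (st.expires_at - now) // 2
        st.cpu_ids.add(cpu_id)
        if st.active_session:
            return "deny: certificate already has an active session"
        st.active_session = True
        return "allow"

    def logout(self, serial):
        self.certs[serial].active_session = False


def demo():
    # Constructed scenario: the original machine logs in, a clone tries the
    # same certificate from different hardware, then the original returns.
    guard = CloneGuard()
    guard.enroll("cert-0001", expires_at=1000)
    results = [
        guard.login("cert-0001", "cpu-A", now=0),
        guard.login("cert-0001", "cpu-B", now=200),
    ]
    guard.logout("cert-0001")
    results.append(guard.login("cert-0001", "cpu-A", now=700))
    return results, guard.certs["cert-0001"].expires_at
```

In the constructed run, the clone's attempt is refused because a session is already open, and it also pulls the certificate's expiry in, so the machine has to be re-enrolled sooner.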

Solution 2:

The easiest method - but also a method that can be easily tricked - would be to check the MAC address of the network card.

You can't rely on any key, or on any method that relies on a key, that is generated once and then just gets used. You need to rely on an intermediate hardware token or on a token that gets stored in hardware.

The latter can be achieved by using TPM. You might want to investigate this topic.

Edit

In short, TPM lets you store tokens in hardware-based storage. This will effectively prevent cloning of your machines.

You might even go so far as to encrypt the hard drive with a TPM-based key.