On Thu, 20 Jan 2005, Gonda Laszlo wrote:

>
>
> James Yonan wrote:
>
> > It's not a security hole because you shouldn't be able to actually forward
> > any tunnel data over such a connection.
> >
> > In this case the TLS connection must be established, because otherwise the
> > client would have no secure channel over which to transmit the
> > username/password. Any actual tunnel packets will be filtered by the
> > server until the client provides the correct username/password.
> >
> > If a client doesn't have --pull in its config, the client would show
> > the TLS connection being established but would be blocked from sending or
> > receiving tunnel data from the server. The server will retain the client
> > instance object until either the client provides a valid username/password
> > or the client instance on the server times out due to --keepalive or
> > --ping-exit.
> >
> > James
>
> Thanks, I understand it. On the client I see the connection established, but don't
> send or receive any data
> (except username/password for authentication).
>
> I have another question.
> If I set --user and --group on the server username/password authentication always
> fails (without these all ok)
> I used auth-pam.pl script for authentication (from sample-script).

Try using the auth-pam plugin (not the script). The plugin is more
advanced than the script -- it uses a split privilege model so that the
server can drop root privileges and still be able to do PAM authentication.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
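
The split privilege model James describes, reduced to its core: a helper is forked while the process is still root, and the main process then drops privileges and passes credentials to the helper over a socket pair. This is an added example, not code from the thread or from the OpenVPN auth-pam plugin. All function names, the `privileged_check` stand-in for the PAM call and the constructed credentials `alice`/`s3cret` are assumptions.

```c
#define _DEFAULT_SOURCE 1          /* for setgroups() on glibc */
#include <grp.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct cred { char user[32], pass[32]; };
static int helper_fd = -1;
static pid_t helper_pid = -1;

/* Stand-in for the PAM call (constructed credentials, an assumption). */
static int privileged_check(const struct cred *c) {
    return !strcmp(c->user, "alice") && !strcmp(c->pass, "s3cret");
}

/* Call before dropping root: the forked helper keeps the original privileges. */
int split_start(void) {
    int sv[2];
    struct cred c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((helper_pid = fork()) < 0) return -1;
    if (helper_pid > 0) { close(sv[1]); helper_fd = sv[0]; return 0; }
    close(sv[0]);                                   /* helper process from here */
    while (read(sv[1], &c, sizeof c) == (ssize_t)sizeof c) {
        c.user[sizeof c.user - 1] = c.pass[sizeof c.pass - 1] = '\0';
        char ok = (char)privileged_check(&c);
        if (write(sv[1], &ok, 1) != 1) break;
    }
    _exit(0);                                       /* parent closed its end */
}

/* What --user/--group do in the main process; skipped when not started as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    return (setgroups(0, NULL) || setgid(gid) || setuid(uid)) ? -1 : 0;
}

/* Unprivileged side: hand the credentials to the helper, read back one byte. */
int split_verify(const char *user, const char *pass) {
    struct cred c = {{0}, {0}};
    char ok = 0;
    if (strlen(user) >= sizeof c.user || strlen(pass) >= sizeof c.pass) return 0;
    strcpy(c.user, user);
    strcpy(c.pass, pass);
    if (write(helper_fd, &c, sizeof c) != (ssize_t)sizeof c) return 0;
    return read(helper_fd, &ok, 1) == 1 && ok == 1;
}

void split_stop(void) { close(helper_fd); waitpid(helper_pid, NULL, 0); }
```

A verify script launched from the already-unprivileged server process has no such helper, which matches the failure reported above once --user and --group are set.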