Re: [Openvpn-users] How do I make OpenVPN ask for a password before connecting?
In <e61ldr$iab$2@xxxxxxxxxxxxx>, Charles Duffy <cduffy@xxxxxxxxxxx> typed:
> Chuck Bunn wrote:
> > As a secondary layer of protection and as a precaution against someone 
> > accessing a VPN through a stolen laptop (yes I know I can revoke a 
> > certificate but what happens if the user does not report the theft 
> > immediately) - how do I set OpenVPN to ask for a password before 
> > connecting with the certificate. I tried 'build-key-pass' during key 
> > generation and this did not work (I assume that it will ask for a 
> > password before the key can be opened for viewing). I am thinking of 
> > something along the lines of a preshared key???
> To have the server require that the client provide a username/password 
> pair, see the auth-user-pass directive. Passwords used to encrypt a key, 
> which are supported, are less valuable from a security perspective because 
> the user can change them; having a separate username/password pair which 
> is authenticated on the server side (rather than used to decrypt a key 
> on the client side) is preferable.

The problem with this is that OpenVPN UIs - like TunnelBlick on the
Mac - will store the username/password pair for the user, so the
connection can happen automatically. In theory, that's protected via
the OSX keychain mechanism, but that's only as good as the security
the user has on the Mac. If the Mac is configured to allow an attacker
to get a session without having to authenticate, then this does you no
good at all.

The bottom line is that you should audit any OpenVPN GUI tools you're
going to use, as well as the user's laptop security configuration when
you install OpenVPN.

	<mike
-- 
Mike Meyer <mwm@xxxxxxxxx>		http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
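As an added example, not from the thread or the OpenVPN project, here is the server-side half of what Charles describes: a verifier script for OpenVPN's `auth-user-pass-verify <script> via-file` interface, so the password is checked on the server rather than merely unlocking a key on the laptop. The directive names are OpenVPN's own; the store path `/etc/openvpn/users.db`, its colon-separated layout and the salted SHA-256 check are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Server-side verifier for the directive
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file   (plus: script-security 2)
# OpenVPN writes the client's username on line 1 and password on line 2 of a
# temporary file, runs this script with that path as $1, and accepts the
# connection only on exit status 0. The client needs `auth-user-pass`;
# `auth-nocache` stops the openvpn process itself from keeping the pair in memory.
# Credential store (assumed): one "user:salt:hex_sha256(salt+password)" per line.
# Salted SHA-256 stands in here for a slow password hash or the PAM plugin.

CRED_DB="${CRED_DB:-/etc/openvpn/users.db}"   # assumed location

hash_pw() {   # $1 = salt, $2 = password -> hex digest
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

verify_credentials() {   # $1 = path to the two-line file OpenVPN created
    [ -r "$1" ] && [ -r "$CRED_DB" ] || return 1
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # literal, whole-field comparison: no regex or glob is built from input
    while IFS=: read -r u s h; do
        [ "$u" = "$user" ] || continue
        [ "$(hash_pw "$s" "$pass")" = "$h" ] && return 0
        return 1               # known user, wrong password
    done < "$CRED_DB"
    return 1                   # unknown user
}

demo() {   # constructed sample data; runs only when no file argument is given
    d=$(mktemp -d)
    CRED_DB="$d/users.db"
    printf 'alice:s4lt:%s\n' "$(hash_pw s4lt 'correct horse')" > "$CRED_DB"
    printf 'alice\ncorrect horse\n' > "$d/good"
    printf 'alice\nwrong\n'         > "$d/bad"
    for f in good bad; do
        if verify_credentials "$d/$f"; then echo "$f: accepted"; else echo "$f: rejected"; fi
    done
    rm -rf "$d"
}

if [ "$#" -eq 1 ]; then
    verify_credentials "$1"    # invoked by OpenVPN: the exit status decides
    exit $?
else
    demo
fi
```

Rotating a password then means editing the server-side store, which is exactly the property the thread wants: a cached pair on a stolen laptop can be invalidated without touching the certificate.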