On 2/3/06, Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
> Why do you mix username and certificate? If you give a
> different certificate for each user it should be sufficient.

Two-factor authentication. The private key is something the user *has*. A password is something the user *knows*. By asking for both, compromise of either one is not sufficient to compromise the VPN link.

Now, one could encrypt and protect the private key with a password, and achieve much the same thing. It can be argued, though, that doing the password check on the server is more secure, as compromised client software cannot bypass a server-side check. How realistic that threat is, I'm not sure.

There may also be administrative benefits to authenticating the user name against a server-side system. For example, accounting (tracking who uses the VPN when) or group membership access control.

-- 
Ben
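The server-side password check Ben describes is what OpenVPN's `auth-user-pass-verify` hook provides: the client still has to present a valid certificate, and the server additionally hands the submitted username and password to a script that decides whether to accept the session. The script below is an added example written for this page; it is not code from the original post or from the OpenVPN project. It assumes `via-file` mode (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes its path as `$1`), a hypothetical credential store `/etc/openvpn/users.db` in the format `username:salt:hex(sha256(salt || password))`, and the `common_name` environment variable that OpenVPN exports to the script from the peer certificate. Salted SHA-256 is used only so the example runs with coreutils alone; a real deployment would defer to PAM or a proper password KDF.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN itself):
# a minimal --auth-user-pass-verify script in "via-file" mode.
# OpenVPN writes the client's username on line 1 and password on line 2
# of a temporary file and passes its path as $1. Exit status 0 accepts
# the connection; anything else rejects it.
#
# Assumed server.conf lines that wire it in (a valid client certificate
# is still required, so a session needs the key AND the password):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify-user.sh via-file
# Assumed client.conf line:
#   auth-user-pass
#
# Assumed credential store, one record per line:
#   username:salt:hex(sha256(salt || password))
# Salted SHA-256 is a stand-in so this runs with coreutils only; use PAM
# or a real password KDF in production.

CREDS_DB="${CREDS_DB:-/etc/openvpn/users.db}"

# hash_password SALT PASSWORD -> hex digest on stdout
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# verify_user DB USER PASSWORD -> 0 if the pair matches a record, 1 otherwise.
# Records are compared field by field with the shell's string test, so a
# username containing grep or glob metacharacters cannot widen the match.
verify_user() {
    db=$1 user=$2 pass=$3
    [ -n "$user" ] || return 1
    while IFS=: read -r db_user salt hash; do
        [ "$db_user" = "$user" ] || continue
        [ "$(hash_password "$salt" "$pass")" = "$hash" ] && return 0
        return 1
    done < "$db"
    return 1
}

# verify_from_file CREDFILE -> the entry point OpenVPN invokes.
# Reads the two lines, pins the username to the certificate CN when
# OpenVPN supplied one, then checks the password against the store.
verify_from_file() {
    cred_file=$1
    [ -r "$cred_file" ] || return 1
    user=$(sed -n '1p' "$cred_file")
    pass=$(sed -n '2p' "$cred_file")
    # Binding the submitted username to the presented certificate means the
    # "something you know" only works together with one specific
    # "something you have", not with any valid client key.
    if [ -n "${common_name:-}" ] && [ "$common_name" != "$user" ]; then
        return 1
    fi
    verify_user "$CREDS_DB" "$user" "$pass"
}

# OpenVPN always passes the credential file path. With no argument
# (e.g. when sourced for testing) only the functions are defined.
if [ -n "${1:-}" ]; then
    verify_from_file "$1"
    exit $?
fi
```

Because the decision is made on the server, a client that has been modified to skip its local password prompt gains nothing: the server still rejects the session unless both the certificate handshake and the password check succeed. The string comparison in `verify_user` is not constant-time, which is one more reason to delegate the actual password check to PAM or an authentication backend outside the shell.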