Re: [Openvpn-users] Certificate common name & auth-user-pass-verify


  • Subject: Re: [Openvpn-users] Certificate common name & auth-user-pass-verify
  • From: Alon Bar-Lev <alon.barlev@xxxxxxxxx>
  • Date: Fri, 03 Feb 2006 18:44:46 +0200

Ben Scott wrote:
On 2/3/06, Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
Why do you mix username and certificate? If you give a
different certificate for each user it should be sufficient.

Two-factor authentication. The private key is something the user *has*. A password is something the user *knows*. By asking for both, compromise of either one is not sufficient to compromise the VPN link.

Now, one could encrypt and protect the private key with a password, and achieve much the same thing. It can be argued, though, that doing the password check on the server is more secure, as compromised client software cannot bypass a server-side check. How realistic that threat is, I'm not sure.

Well... I disagree.

Using a private key encrypted with a password is stronger than supplying the password to a server without protecting the private key.

I can extend this a little and say that a password to access a private key on a smartcard is the best approach.

Presenting shared secret information to the server is weak! But it is simpler to understand (intuitive), so people select this approach to be on the safe side (psychological).

There may also be administrative benefits by authenticating the user name against a server-side system. For example, accounting (tracking who uses the VPN when) or group membership access control.

Again, I disagree.
By authenticating the user based on his certificate you lose no information!
From the certificate the server side knows which user is on the other side... Based on this information all accounting mechanisms work.


But at the end... All a matter of choice.

Best Regards,
Alon Bar-Lev


____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users
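The check the thread's subject asks about, shown as an added example that is not code from OpenVPN or from either poster: an `auth-user-pass-verify` script in `via-file` mode. OpenVPN calls the script with the path of a temporary file (line 1 username, line 2 password) and exports the authenticated client's certificate CN in the `common_name` environment variable. The script refuses the connection unless the supplied username equals that CN, so one user's private key cannot be paired with another user's password, and then checks the password against a hypothetical `user:sha256hex` file. The `users.db` file, its format, the `PASSWD_DB` variable and the plain SHA-256 hashing are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical OpenVPN auth-user-pass-verify helper (added example, not OpenVPN's own code).
# Server-side usage (assumed paths):
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
#   script-security 2          # required on OpenVPN 2.1+ to run external scripts
# OpenVPN runs: verify.sh <tmpfile>  with $common_name set to the client's certificate CN.

# Return 0 if the supplied username ($1) equals the certificate CN ($2), else 1.
# An empty username is always rejected.
username_matches_cn() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Return 0 if sha256($2) equals the hash stored for user $1 in the db file $3.
# The db format ("user:sha256hex" per line) is an assumption of this example.
password_matches() {
    user=$1; pass=$2; db=$3
    # awk with an exact string compare avoids treating the username as a regex.
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$db")
    [ -n "$stored" ] || return 1
    actual=$(printf '%s' "$pass" | sha256sum | cut -d' ' -f1)
    [ "$actual" = "$stored" ]
}

# Full check as OpenVPN would drive it: $1 credentials file, $2 certificate CN, $3 db file.
# Exit status 0 accepts the client; anything else rejects it.
verify_credentials_file() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    username_matches_cn "$user" "$2" || { echo "username '$user' does not match CN '$2'" >&2; return 1; }
    password_matches "$user" "$pass" "$3" || { echo "bad password for '$user'" >&2; return 1; }
    return 0
}

# Entry point when invoked by OpenVPN; skipped when the functions are merely sourced.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    verify_credentials_file "$1" "$common_name" "${PASSWD_DB:-/etc/openvpn/users.db}"
    exit $?
fi
```

In `via-env` mode OpenVPN instead exports `username` and `password` as environment variables and the file-reading lines would be replaced accordingly. Note that this server-side password is exactly the "shared secret presented to the server" the reply above argues against; it adds a knowledge factor the server can enforce, but it does nothing to protect the private key on the client, which is why the reply prefers an encrypted key or a smartcard.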

