Nuno Marques wrote:
> I understand your point, but using this approach (certificate + user/pass) has some advantages:

As I recommended, you can do that via an LDAP query based on the DN of the user certificate. If a user exists, accept his session. You don't need the user password for this verification.

> - Even if the certificate is stolen, the thief will only connect if he knows the Active Directory password.

I recommend you explore the smartcard support of OpenVPN. Smartcards have the benefit of locking themselves if someone tries to guess their password. If you are interested in protecting your network, use smartcards.

> - Our AD makes users change their password every 6 months. Since the certificates don't have a password, a user that changes the password on AD can connect without having to change certificates.

Guessing a password, even if it is changed every month (my recommendation), is a lot simpler than guessing an RSA private key. Providing the users with a 2048-bit RSA key is better than forcing them to change a password once a day.

> - And more important, most of our users are not used to certificates, but are familiar with using AD; this way they don't even know they are using certificates.

Can I understand that YOU *DON'T ENCRYPT* the user private key? And you *ARE* concerned about security... So you weaken the stronger mechanism and try to compensate by trying to strengthen the weaker mechanism... Well... Good luck.

Best Regards,
Alon Bar-Lev.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
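The check Alon describes in the first paragraph (look the certificate's subject up in the directory and accept the session if the account exists, with no password involved) is the kind of thing OpenVPN's `--tls-verify` hook is for. The script below is an added example written for this page; it is not code from the thread, from OpenVPN or from either poster. It assumes the subject string arrives in one of OpenVPN's two formats, that the account is matched on `sAMAccountName` in Active Directory with the `ACCOUNTDISABLE` bit of `userAccountControl` marking disabled users, and it replaces the real LDAP search with a constructed in-memory stand-in (`fake_search`, `FAKE_DIRECTORY`) so it runs offline. The one detail that matters for security beyond the lookup itself is RFC 4515 escaping of the CN before it goes into the filter, so a certificate with a CN of `*` matches nothing rather than everyone.

```python
"""
Added example (not from the thread or from OpenVPN): a minimal --tls-verify
hook that accepts a client certificate only if the CN of its subject
matches an enabled account in the directory; the user's password is never
needed for this check.

OpenVPN runs the hook as   <script> <depth> <x509-subject>
once per certificate in the chain and rejects the connection if any
invocation exits non-zero.

Assumptions not stated in the thread:
  * the subject arrives as "C=PT, O=Example, CN=alice" (OpenVPN 2.4+) or
    as "/C=PT/O=Example/CN=alice" (older format); both are handled;
  * accounts are matched on sAMAccountName and bit 0x2 (ACCOUNTDISABLE)
    of userAccountControl marks a disabled account;
  * the LDAP search is replaced by fake_search() over a constructed
    in-memory directory so the script runs offline.
"""
import re
import sys

ACCOUNTDISABLE = 0x2

# Constructed stand-in for what an LDAP search of the directory returns.
FAKE_DIRECTORY = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "bob", "userAccountControl": 512 | ACCOUNTDISABLE},
]

# RFC 4515: characters that must be hex-escaped inside a filter value.
# Without this a CN such as "*" or "x)(sAMAccountName=*" would rewrite the
# filter (LDAP injection) and match accounts it should not.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_subject(subject):
    """Split an OpenVPN subject string into {ATTR: value}."""
    if subject.startswith("/"):
        parts = subject[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),\s*", subject)  # do not split escaped commas
    out = {}
    for part in parts:
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip()
    return out


def build_filter(cn):
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(cn)


def fake_search(ldap_filter, directory=FAKE_DIRECTORY):
    """Stand-in for the LDAP search: evaluates only the sAMAccountName clause
    of the filter built above, unescaping per RFC 4515, so an escaped "*"
    matches a literal "*" and not every account."""
    m = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter)
    if not m:
        return []
    wanted = unescape_filter_value(m.group(1))
    return [e for e in directory if e["sAMAccountName"] == wanted]


def verify(depth, subject, search=fake_search):
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject."""
    if depth != 0:
        # CA certificates: nothing to look up; OpenVPN's own --ca chain
        # validation already decided whether to trust them.
        return 0
    cn = parse_subject(subject).get("CN")
    if not cn:
        return 1
    entries = search(build_filter(cn))
    if len(entries) != 1:            # unknown or ambiguous account
        return 1
    if entries[0]["userAccountControl"] & ACCOUNTDISABLE:
        return 1                     # account exists but is disabled
    return 0


if __name__ == "__main__":
    # Server config (assumed path):  script-security 2
    #                                tls-verify /etc/openvpn/tls-verify.py
    if len(sys.argv) != 3:
        sys.exit(1)
    sys.exit(verify(int(sys.argv[1]), sys.argv[2]))
```

To use it against a real directory, replace `fake_search` with an LDAP search that takes the same filter string (the escaping in `build_filter` is what keeps that search safe) and keep the `depth != 0` short-circuit: the hook is called for every certificate in the chain, and only the leaf belongs to a user. Note that this check disables nothing on the certificate side; as the reply points out, it only makes sense on top of an encrypted private key or a smartcard, not instead of one.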