On Wed, 04 Apr 2007 23:37:25 +0400, Steve Finkelstein <sf@xxxxxxxxxxxxx> wrote:

> ...I don't necessarily feel it's a great idea to give them certificate
> based auth cause they can just toss the certificate on any box and be
> able to open a VPN tunnel into the internal network...

OpenVPN v2.1.x is PKCS#11-aware; you could give them their certificates stored on a hardware token. (In the case of Aladdin's USB eToken PRO, it is possible to lock a token with a PIN code and protect an RSA key in it with a passphrase.)

Since it is impossible to "toss" a token without losing the VPN access, I think they will care about not parting with it.

--
Tony.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users