[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] Re: 2.0 Feature Freeze Discussion

  • Subject: [Openvpn-users] Re: 2.0 Feature Freeze Discussion
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Fri, 03 Dec 2004 08:42:15 -0600

On Fri, 03 Dec 2004 14:32:41 +0000, George Ross wrote:

> How is running two daemons any different from setting a configuration-file 
> option in this respect?  Both accept exactly the same types of connections,
> just in slightly different ways.

If you were running two daemons, you could (should) implement it such that
users with certificates could *only* connect to the certificate-requiring
daemon, whereas users with usernames and passwords only could only connect
to the user/pass daemon. That way you don't have someone breaking into a
certificate-only user's account by guessing their username and password.

It's still bad policy, but it's not *as* bad as allowing user/pass
authentication to substitute for certificate authentication for users who
have certificates.

Of course, being able to use a script hook/plugin/whatever to implement
this kind of policy in a single daemon (presuming you really wanted it)
might be useful.

Openvpn-users mailing list