> > How is running two daemons any different from setting a configuration-file
> > option in this respect? Both accept exactly the same types of connections,
> > just in slightly different ways.
> If you were running two daemons, you could (should) implement it such that
> users with certificates could *only* connect to the certificate-requiring
> daemon, whereas users with usernames and passwords only could only connect
> to the user/pass daemon. That way you don't have someone breaking into a
> certificate-only user's account by guessing their username and password.
Like I said, different sites have different requirements. I haven't
bothered filling in all our details, because I don't think they're relevant
to this list. All I'm suggesting is that it would be nice to have the
option there to allow the server to accept either certificates or username
+ password. You don't have to use it if you don't want to; and I can work
around it if I have to, though it would be less convenient for me and for
To answer your specific point, in our case the certificate will have been
obtained by presenting the same username and password to our KDC, and the
resulting ticket then used to obtain the certificate from our kx509 server.
Or they could go to our authentication portal and get the certificate from
there. If they present the username and password directly to the OpenVPN
server then it will just go and ask the KDC itself. Which method they use
will depend, amongst other things, on what the ISP they happen to be
attached to at the time will let through. Ultimately, it's the same
username and password, and could be guessed either way.
One of OpenVPN's great virtues is that it's flexible. I'm not forced to do
things your way, and you're not forced to do things my way. You have your
reasons, which may not suit us, and we have our reasons, which may not suit
you. That's fine.
Dr George D M Ross, School of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@xxxxxxxxxxxx Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP: 1024D/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
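The two-daemon separation argued for in the quoted reply (certificate holders on one instance, username/password users on another, so that a guessed password can never reach a certificate-only account) can be expressed as two OpenVPN server configurations. The following is an added example written for this thread, not configuration from the original message or from the OpenVPN project; it assumes OpenVPN 2.4 or later (for the `verify-client-cert` directive), and the file paths, subnets and the `check-krb5.sh` script that would validate the username/password against the site's KDC are placeholders.

```conf
# ---------------------------------------------------------------
# Instance 1: /etc/openvpn/server-cert.conf  (assumed path)
# Only clients holding a certificate signed by our CA may connect.
# ---------------------------------------------------------------
port   1194
proto  udp
dev    tun
ca     /etc/openvpn/pki/ca.crt        # placeholder PKI paths
cert   /etc/openvpn/pki/server.crt
key    /etc/openvpn/pki/server.key
dh     /etc/openvpn/pki/dh.pem
server 10.8.1.0 255.255.255.0          # placeholder pool for cert users

# A valid client certificate is mandatory; no password fallback exists
# on this instance, so a password guess cannot reach these accounts.
verify-client-cert require

# Optional tightening: accept only certificates whose CN has a file in
# the per-client directory (files are created by the admin; assumption).
# client-config-dir /etc/openvpn/ccd-cert
# ccd-exclusive

# ---------------------------------------------------------------
# Instance 2: /etc/openvpn/server-pass.conf  (assumed path)
# Username/password users only, on a separate port and subnet.
# ---------------------------------------------------------------
port   1195
proto  udp
dev    tun
ca     /etc/openvpn/pki/ca.crt
cert   /etc/openvpn/pki/server.crt
key    /etc/openvpn/pki/server.key
dh     /etc/openvpn/pki/dh.pem
server 10.8.2.0 255.255.255.0          # placeholder pool for password users

# No client certificate is requested; identity comes solely from the
# username/password check below.
verify-client-cert none

# via-env hands the credentials to the script through environment
# variables, which requires script-security 3.
script-security 3
auth-user-pass-verify /etc/openvpn/check-krb5.sh via-env   # hypothetical script
# Use the verified username as the session's common name so that
# per-user settings and logs are keyed on the account, not a cert CN.
username-as-common-name
```

Because the two instances hand out addresses from different pools, firewall rules downstream can treat certificate-authenticated sessions differently from password-authenticated ones, which is the practical payoff of the separation the thread discusses.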