
Re: [Openvpn-users] Re: 2.0 Feature Freeze Discussion

  • Subject: Re: [Openvpn-users] Re: 2.0 Feature Freeze Discussion
  • From: George Ross <gdmr@xxxxxxxxxxxx>
  • Date: Fri, 03 Dec 2004 15:10:35 +0000

> > How is running two daemons any different from setting a configuration-file 
> > option in this respect?  Both accept exactly the same types of connections,
> > just in slightly different ways.
> If you were running two daemons, you could (should) implement it such that
> users with certificates could *only* connect to the certificate-requiring
> daemon, whereas users with usernames and passwords only could only connect
> to the user/pass daemon. That way you don't have someone breaking into a
> certificate-only user's account by guessing their username and password.

Like I said, different sites have different requirements.  I haven't 
bothered filling in all our details, because I don't think they're relevant 
to this list.  All I'm suggesting is that it would be nice to have the 
option there to allow the server to accept either certificates or username 
+ password.  You don't have to use it if you don't want to; and I can work 
around it if I have to, though it would be less convenient for me and for 
our users.

To answer your specific point, in our case the certificate will have been
obtained by presenting the same username and password to our KDC, and the
resulting ticket then used to obtain the certificate from our kx509 server.
Or they could go to our authentication portal and get the certificate from
there.  If they present the username and password directly to the OpenVPN
server then it will just go and ask the KDC itself.  Which method they use
will depend, amongst other things, on what the ISP they happen to be
attached to at the time will let through.  Ultimately, it's the same
username and password, and could be guessed either way.

One of OpenVPN's great virtues is that it's flexible.  I'm not forced to do 
things your way, and you're not forced to do things my way.  You have your 
reasons, which may not suit us, and we have our reasons, which may not suit 
you.  That's fine.

Dr George D M Ross, School of Informatics, University of Edinburgh
    Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@xxxxxxxxxxxx   Voice: +44 131 650 5147   Fax: +44 131 667 7209
 PGP: 1024D/AD758CC5  B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5

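The quoted reply's concern (a single daemon that accepts either a certificate or a password lets a cert-only account be attacked by password guessing) and George's description of the password path (OpenVPN asks the KDC itself) are both illustrated by the script below. It is an added example, not code from this thread or from the OpenVPN project: an auth-user-pass-verify hook in via-file mode that refuses password authentication for accounts listed as certificate-only and otherwise hands the credentials to a KDC check. The server.conf lines in the comment, the cert-only list path, and the check_kdc function are assumptions; in particular check_kdc is a constructed stand-in table, not a real Kerberos call, and the directive verify-client-cert (which lets one daemon take both kinds of client) only exists in OpenVPN releases much later than the 2.0 discussed here.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project.
# Assumed server.conf lines (the first is a later-release directive):
#   verify-client-cert optional
#   auth-user-pass-verify /etc/openvpn/check-user.sh via-file
#   script-security 2
# In via-file mode OpenVPN passes a temp file as $1 with the username on
# line 1 and the password on line 2; exit 0 accepts, non-zero rejects.

# Accounts that must only ever authenticate with a certificate (assumed path).
CERT_ONLY_LIST="${CERT_ONLY_LIST:-/etc/openvpn/cert-only-users}"

# check_kdc USER PASSWORD -> 0 if the KDC accepts the password.
# Constructed stand-in for the site's real Kerberos check; the two
# entries are test data, not real credentials.
check_kdc() {
    case "$1:$2" in
        alice:correct-horse) return 0 ;;
        bob:battery-staple)  return 0 ;;
        *)                   return 1 ;;
    esac
}

# is_cert_only USER -> 0 if USER appears in the certificate-only list.
is_cert_only() {
    [ -r "$CERT_ONLY_LIST" ] && grep -qx -- "$1" "$CERT_ONLY_LIST"
}

# verify_credentials FILE -> 0 accept, 1 reject.
verify_credentials() {
    f="$1"
    [ -r "$f" ] || return 1
    user=$(sed -n '1p' "$f")
    pass=$(sed -n '2p' "$f")
    # Reject empty or oversized fields before touching the KDC.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    [ "${#user}" -le 64 ] && [ "${#pass}" -le 128 ] || return 1
    # Plain account names only: no path separators, spaces or shell metacharacters.
    case "$user" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # The policy from the quoted reply: a certificate-only account must not
    # be reachable by password guessing through this daemon at all.
    if is_cert_only "$user"; then
        logger -t openvpn-auth "password auth refused for cert-only user $user" 2>/dev/null || :
        return 1
    fi
    check_kdc "$user" "$pass"
}

# When invoked by OpenVPN, $1 is the credentials file.
if [ -n "${1:-}" ]; then
    verify_credentials "$1" && exit 0
    exit 1
fi
```

The cert-only list is consulted before the KDC is asked, so a guessed password for a listed account never produces a ticket request, and the username is validated before it can reach grep or a log line.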