I'm about to set up an OpenVPN solution where ease of management weighs higher than maximum security, so I'm thinking about writing a simple script that allows me to have a simple text file with USERNAME <SPACE> PASSWORD on each row and use this for username/password based authentication in OpenVPN.
That will allow very easy adding and removing of users, and the username/password can easily be read to users over phone. I can also create a customized Windows installation package containing the config file as well as the CA certificate. Then there's no need to distribute anything, and nothing more to configure on the client. Install, get username/psw over phone and you're ready to rock n' roll!
However, password based authentication is usually dismissed as NOT SECURE! I just wonder how weak it really is?
What are the actual threats, and how would you go about breaking it?
With normal cryptography where you have access to both the ciphertext and plaintext you can easily do an off-line brute-force attack, but as I have understood it, with a properly designed password authentication protocol, it is not possible to sniff the traffic and do an off-line brute-force attack on this data. Is this correct?
If that is true I trust OpenVPN is designed that way too!
The other obvious way to attack it is to do an on-line brute-force attack. How does OpenVPN protect against this? I couldn't find any options to restrict how many authentication attempts to allow within a given time, or a way to lock an account after too many attempts (perhaps for a given time period) -- or is this completely up to the --auth-user-pass-verify script to handle?
If it's impossible to do off-line brute-force attacks, and on-line attacks are restricted properly by not allowing indefinite attempts in a short time, what is it that makes password based authentication so weak?
Looking forward to an interesting discussion ;-)
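The post asks whether limiting login attempts is left to the --auth-user-pass-verify script. As an added example (not part of the original post and not OpenVPN's own code), here is one way such a script could enforce a temporary lockout over the USERNAME PASSWORD file described above; the file paths, thresholds and function names are assumptions, and it expects the via-file method.

```python
import hmac, json, os, sys, time

USERS_FILE = "/etc/openvpn/users.txt"            # assumed path
STATE_FILE = "/var/lib/openvpn/auth-state.json"  # assumed path
MAX_FAILS, WINDOW, LOCKOUT = 5, 300, 900         # assumed policy (count, seconds, seconds)

def load_users(text):
    """Parse 'USERNAME<SPACE>PASSWORD' rows, the file layout from the post."""
    users = {}
    for row in text.splitlines():
        name, sep, password = row.strip().partition(" ")
        if sep and password:
            users[name] = password
    return users

def check_login(users, state, username, password, now):
    """Return True to accept; state maps username -> [failure_times, locked_until]."""
    fails, locked_until = state.get(username, ([], 0))
    if now < locked_until:
        return False                  # locked: reject even the correct password
    expected = users.get(username, "")
    # Constant-time comparison; unknown users compare against an empty string.
    match = hmac.compare_digest(password.encode(), expected.encode())
    if match and username in users:
        state.pop(username, None)     # success clears the failure history
        return True
    if username in users:             # track known accounts only, so state stays bounded
        fails = [t for t in fails if now - t < WINDOW] + [now]
        if len(fails) >= MAX_FAILS:
            fails, locked_until = [], now + LOCKOUT
        state[username] = [fails, locked_until]
    return False

def main(cred_path):
    # via-file method: OpenVPN passes a temp file, username on line 1, password on line 2.
    with open(cred_path) as f:
        username, password = f.read().split("\n")[:2]
    with open(USERS_FILE) as f:
        users = load_users(f.read())
    state = json.load(open(STATE_FILE)) if os.path.exists(STATE_FILE) else {}
    ok = check_login(users, state, username, password, time.time())
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)
    return 0 if ok else 1             # exit 0 accepts the client, non-zero rejects it

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Per-username lockout lets anyone who knows a username lock that user out for the lockout period, which is why the lock here is temporary rather than permanent.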