
[Openvpn-users] Username/Password authentication strength

  • Subject: [Openvpn-users] Username/Password authentication strength
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Tue, 28 Dec 2004 23:13:45 +0100 (CET)

I'm about to set up an OpenVPN solution where ease of management weighs higher than maximum security, so I'm thinking about writing a simple script that allows me to have a simple text file with USERNAME <SPACE> PASSWORD on each row and use this for username/password based authentication in OpenVPN.

That will allow very easy adding and removing of users, and the username/password can easily be read to users over the phone. I can also create a customized Windows installation package containing the config file as well as the CA certificate. Then there's no need to distribute anything, and nothing more to configure on the client. Install, get username/psw over the phone and you're ready to rock n' roll!

However, password based authentication is usually dismissed as NOT SECURE! I just wonder how weak it really is?

What are the actual threats, and how would you go about breaking it?

With normal cryptography where you have access to both the ciphertext and plaintext you can easily do an off-line brute-force attack, but as I have understood it, with a properly designed password authentication protocol, it is not possible to sniff the traffic and do an off-line brute-force attack on this data. Is this correct?

If that is true I trust OpenVPN is designed that way too!

The other obvious way to attack it is to do an on-line brute-force attack. How does OpenVPN protect against this? I couldn't find any options to restrict how many authentication attempts to allow within a given time, or a way to lock an account after too many attempts (perhaps for a given time period) -- or is this completely up to the --auth-user-pass-verify script to handle?

If it's impossible to do off-line brute-force attacks, and on-line attacks are restricted properly by not allowing indefinite attempts in a short time, what is it that makes password based authentication so weak?

Looking forward to an interesting discussion ;-)

--
Mathias Sundman
OpenVPN GUI for Windows
http://www.nilings.se/openvpn

ASCII Ribbon Campaign: NO HTML/RTF in e-mail, NO Word docs in e-mail
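The lockout question above (how many attempts to allow, and whether that is the verify script's job) can be handled inside the --auth-user-pass-verify script itself. The following is an added example, not code from the original post or from the OpenVPN project: a via-file mode verify helper that reads a credential file and refuses a user after MAX_FAILS failed attempts within WINDOW seconds. It departs from the plaintext-file idea in the post by storing salted PBKDF2 hashes instead; the file paths and the `USERNAME SALT HASH` line format are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical OpenVPN --auth-user-pass-verify helper (via-file mode).

OpenVPN passes the path of a temporary file whose first line is the
username and second line is the password; exit status 0 accepts the
login, any other status rejects it.
"""
import hashlib, hmac, json, sys, time

# Assumed locations and policy (not from the original post).
CRED_FILE = "/etc/openvpn/users.txt"        # one "USERNAME SALT PBKDF2HEX" per line
STATE_FILE = "/var/lib/openvpn/auth-fails.json"
MAX_FAILS = 5       # failed attempts allowed per user ...
WINDOW = 600        # ... within this many seconds before the user is locked out
ITERATIONS = 100_000

def hash_pw(password, salt):
    """Salted PBKDF2-HMAC-SHA256, hex encoded, as stored in CRED_FILE."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()

def load_creds(text):
    """Parse CRED_FILE contents into {username: (salt, hash)}; malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            creds[parts[0]] = (parts[1], parts[2])
    return creds

def check(username, password, creds, fails, now):
    """Return (accepted, updated_fails); fails maps username -> list of failure timestamps."""
    recent = [t for t in fails.get(username, []) if now - t < WINDOW]
    if len(recent) >= MAX_FAILS:
        return False, {**fails, username: recent}   # locked out: reject without checking
    entry = creds.get(username)
    ok = entry is not None and hmac.compare_digest(hash_pw(password, entry[0]), entry[1])
    recent = [] if ok else recent + [now]          # success clears the failure history
    return ok, {**fails, username: recent}

if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        user, pw = f.readline().rstrip("\n"), f.readline().rstrip("\n")
    with open(CRED_FILE) as f:
        creds = load_creds(f.read())
    try:
        with open(STATE_FILE) as f:
            fails = json.load(f)
    except FileNotFoundError:
        fails = {}
    ok, fails = check(user, pw, creds, fails, time.time())
    with open(STATE_FILE, "w") as f:   # no file locking: concurrent logins race on this file
        json.dump(fails, f)
    sys.exit(0 if ok else 1)
```

The lockout state lives in a small JSON file so it survives across script invocations; a production version would add locking around STATE_FILE and log rejections for the server's monitoring.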
