
Re: [Openvpn-users] Username/Password authentication strengh

  • Subject: Re: [Openvpn-users] Username/Password authentication strengh
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Tue, 28 Dec 2004 17:47:15 -0500

On Tue, 28 Dec 2004 23:13:45 +0100 (CET), Mathias Sundman
<mathias@xxxxxxxxxx> wrote:
> I'm about to set up an OpenVPN solution where ease of management weighs
> higher than maximum security, so I'm thinking about writing a simple
> script that allows me to have a simple text file
> with USERNAME <SPACE> PASSWORD on each row and use this for
> username/password based authentication in OpenVPN.

First big hole.  Passwords are stored cleartext and easily readable
with username and password easily paired.

> That will allow very easy adding and removing of users, and the
> username/password can easily be read to users over phone. I can also
> create a customized Windows installation package containing the config file
> as well as the CA certificate. Then there's no need to distribute anything,
> and nothing more to configure on the client. Install, get username/psw
> over phone and you're ready to rock n' roll!

Second hole.  Tech support has access to the file.  Now they can
become anyone they want.  Who is creating passwords?  If it is too
easy for the user the passwords are susceptible to a dictionary
attack.  If it is too difficult then they will write it down so they
don't forget it.

How are add/change/delete requests handled?

What about password aging and changes?

> However password based authentication is usually dismissed as NOT SECURE!
> I just wonder how weak it really is?
> What are the actual threats, and how would you go about breaking it?

- Dictionary attack
- Social engineering (both technical support and the end user)
- Shoulder surfing
- Reading the Post-it note on the laptop
- Get a job as tech support (anyone could walk away with it)

> With normal cryptography where you have access to both the ciphertext and
> plaintext you can easily do an off-line brute-force attack, but as I have
> understood it, with a properly designed password authentication protocol,
> it is not possible to sniff the traffic and do an off-line brute-force
> attack on this data, is this correct?
> If that is true I trust OpenVPN is designed that way too!
> The other obvious way to attack it is to do an on-line brute-force attack.
> How does OpenVPN protect against this? I couldn't find any options to
> restrict how many authentication attempts to allow within a given time, or
> a way to lock an account after too many attempts (perhaps for a given time
> period) -- or is this completely up to the --auth-user-pass-verify script
> to handle?
> If it's impossible to do off-line brute-force attacks, and on-line attacks
> are restricted properly by not allowing indefinite attempts in short time,
> what is it that makes password based authentication so weak?
> Looking forward to an interesting discussion ;-)

Intruder: "Now I 0wn a connection to your network.  I can leisurely
probe the network and find the, next, weakest link.  What is it... a
vulnerable service/daemon... snmp improperly configured... weak root
or administrator password... We will see "Root is a state of mind."
and I will 0wn your network [evil chuckling]..."

I love playing the devil's advocate. :-D

Leonard Isham, CISSP 
Ostendo non ostento.
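
The following is an added example, not part of the original thread or of OpenVPN: a sketch of the checking logic an --auth-user-pass-verify script could use to address two points raised above, storing salted PBKDF2 hashes instead of cleartext passwords and refusing logins after repeated failures. The record format, the function names and the threshold values are assumptions made for illustration.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value, tune for your hardware)
MAX_FAILS = 5          # failures allowed inside WINDOW before lockout (assumed)
WINDOW = 900           # seconds over which failures are counted (assumed)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(username, password):
    """Return one 'username:salt_hex:hash_hex' line for the credentials file."""
    salt = os.urandom(16)
    return f"{username}:{salt.hex()}:{hash_password(password, salt).hex()}"

def load_records(lines):
    """Parse credential lines; usernames are assumed not to contain ':'."""
    records = {}
    for line in lines:
        user, salt_hex, hash_hex = line.strip().split(":")
        records[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return records

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("", _DUMMY_SALT)

def check_login(records, failures, username, password, now=None):
    """Return True to accept. failures maps username -> list of failure times."""
    now = time.time() if now is None else now
    recent = [t for t in failures.get(username, []) if now - t < WINDOW]
    failures[username] = recent
    salt, expected = records.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected) and username in records
    if len(recent) >= MAX_FAILS:
        return False   # locked out: reject even a correct password
    if not ok:
        recent.append(now)
    return ok
```

OpenVPN runs the verify script once per authentication attempt, so a real deployment would have to persist `failures` between runs (a file or database) rather than keep it in memory.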
