[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Username/Password authentication strengh


  • Subject: Re: [Openvpn-users] Username/Password authentication strengh
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Wed, 29 Dec 2004 00:17:17 +0100 (CET)

On Tue, 28 Dec 2004, Leonard Isham wrote:

On Tue, 28 Dec 2004 23:13:45 +0100 (CET), Mathias Sundman
<mathias@xxxxxxxxxx> wrote:
I'm about to setup an OpenVPN solution where ease of management weight
higher than maximum security, so I'm thinking about writing a simple
script that allows me to have a simple textfile file
with USERNAME <SPACE> PASSWORD on each row and use this for
username/password based authentication in OpenVPN.

First big hole. Passwords are stored cleartext and easily readable with username and password easily paired.

That will allow very easy adding and removing of users, and the
username/password can easily be read to users over phone. I can also
create a customized Windows installation package containg the config file
as well as the CA certificate. Then it's no need to distribute anything,
and nothing more to configure on the client. Install, get username/psw
over phone and you're ready to rock n' roll!

Second hole. Tech support has access to the file. Now they can become anyone they want. Who is creating passwords? If it is too easy for the user the passwords are susceptible to a dictionary attack. If it is too difficult then they will write it down so they don't forget it.

How are add/change/delete requests handled?

What about password aging and changes?

I'm well aware of all these problems and I fully agree with you. I'd never use password based authentication for a real road-warrior VPN installation.


However password based authentication is usually dismissed as NOT SECURE!
I just wonder how week it really is?

What are the accual threats, and how would you go about to break it?

- Dictionary attack - Social engineering (both technical support and the end user) - Shoulder surfing - Reading the postit note on the laptop - Get a job as tech support (anyone could walk away with it)

Also good reasons why not using it in real VPN installations, however let me explain the what kind of use I was planning.


A customer of mine provide backup services and restore tests. After a backup has been restored to a backup server the end-customer who had created the backup need to connect to server to verify it has been restored properly. In past this has been done by sending out an ISDN router, but now we live in the VPN age, so I'm setting up an OpenVPN solution instead.

I've installed a dedicated linux/openvpn firewall for this. The technicians that will have access the firewall is only a handfull and they all have physical access to both the firewall and the backup server it is protecting.

When a backup server is ready to be verified by the customer a username/password is added to the auth file. This is the only single account that will be there. After the restore has been verified, usually after a day or two, the username/password is removed again.

In this kind of setup none of the threats you mention concerns me. I was previously under the impression that all username/password based auth protocols were suspectible to offline dictionary/brute force attacs, but after reading up on this I've learned that this is no longer the case as the psw-auth is protected by DH (which in turn is protected by the servers RSA cert).

So, let me reformulate my question -- Is there any protocol issues with OpenVPNs username/password auth that makes it weaker than two-way RSA auth?

/Mathias

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users