On Tue, 28 Dec 2004, Leonard Isham wrote:
> On Tue, 28 Dec 2004 23:13:45 +0100 (CET), Mathias Sundman <mathias@xxxxxxxxxx> wrote:
> > I'm about to set up an OpenVPN solution where ease of management weighs higher than maximum security, so I'm thinking about writing a simple script that allows me to have a simple text file with USERNAME <SPACE> PASSWORD on each row and use this for username/password based authentication in OpenVPN.
I'm well aware of all these problems and I fully agree with you. I'd never use password based authentication for a real road-warrior VPN installation.
However, password-based authentication is usually dismissed as NOT SECURE! I just wonder how weak it really is.
Those are also good reasons for not using it in real VPN installations; however, let me explain what kind of use I was planning.
A customer of mine provides backup services and restore tests. After a backup has been restored to a backup server, the end-customer who had created the backup needs to connect to the server to verify it has been restored properly. In the past this has been done by sending out an ISDN router, but now we live in the VPN age, so I'm setting up an OpenVPN solution instead.
I've installed a dedicated Linux/OpenVPN firewall for this. The technicians that will have access to the firewall are only a handful, and they all have physical access to both the firewall and the backup server it is protecting.
When a backup server is ready to be verified by the customer a username/password is added to the auth file. This is the only single account that will be there. After the restore has been verified, usually after a day or two, the username/password is removed again.
In this kind of setup none of the threats you mention concern me. I was previously under the impression that all username/password based auth protocols were susceptible to offline dictionary/brute force attacks, but after reading up on this I've learned that this is no longer the case, as the psw-auth is protected by DH (which in turn is protected by the server's RSA cert).
So, let me reformulate my question -- are there any protocol issues with OpenVPN's username/password auth that make it weaker than two-way RSA auth?
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
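The "simple script" the original poster describes, written out as an added example (it is not the poster's script nor anything shipped with OpenVPN). It implements OpenVPN's `auth-user-pass-verify ... via-file` contract: OpenVPN calls the script with one argument, a temporary file whose first line is the username and second line the password, and exit status 0 accepts the login while 1 rejects it. Two changes from the plain USERNAME <SPACE> PASSWORD file in the post are assumed: each line stores a salt and a PBKDF2 hash instead of the cleartext password, so a technician (or a backup of the firewall) never holds the customer's password, and the comparison is constant-time with a dummy hash for unknown users so that a probe cannot tell a wrong username from a wrong password. The path `/etc/openvpn/auth.txt`, the iteration count and the helper names are this example's own choices.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify helper (added example, not the poster's script).

Assumed server-side config (via-file mode):
    script-security 2
    auth-user-pass-verify /etc/openvpn/checkpw.py via-file
OpenVPN runs the script with one argument: a temporary file whose first line is
the username and whose second line is the password. Exit 0 accepts, 1 rejects.

Credential file format (one user per line, whitespace separated):
    USERNAME  HEX_SALT  HEX_PBKDF2_SHA256_HASH
Hypothetical path: /etc/openvpn/auth.txt (readable by the OpenVPN user only).
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000                   # PBKDF2-HMAC-SHA256 work factor (assumed)
CRED_FILE = "/etc/openvpn/auth.txt"    # hypothetical location of the auth file

# Hash of an unrelated password, used when the username is unknown so that a
# lookup miss costs the same time as a wrong password (no user enumeration).
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(username: str, password: str) -> str:
    """Return the line to append to the file when a restore is ready to verify."""
    if not username or any(c.isspace() for c in username):
        raise ValueError("username must be non-empty and contain no whitespace")
    salt = os.urandom(16)
    return f"{username} {salt.hex()} {hash_password(password, salt).hex()}"


def parse_credentials(text: str) -> dict:
    """Parse the credential file; blank lines and '#' comments are ignored."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed credential line {lineno}")
        name, salt_hex, hash_hex = parts
        users[name] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return users


def verify(username: str, password: str, users: dict) -> bool:
    """Constant-time check of the password against the stored salted hash."""
    salt, expected = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = hash_password(password, salt)
    ok = hmac.compare_digest(computed, expected)
    # For an unknown user the comparison ran against the dummy hash; refuse
    # regardless, so the password "dummy" can never log in as a missing user.
    return ok and username in users


def read_via_file(path: str) -> tuple:
    """Parse the temporary file OpenVPN hands over in via-file mode."""
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        raise ValueError("expected a username line and a password line")
    return lines[0], lines[1]


def main(argv=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        return 1
    try:
        username, password = read_via_file(argv[0])
        with open(CRED_FILE, encoding="utf-8") as f:
            users = parse_credentials(f.read())
        return 0 if verify(username, password, users) else 1
    except (OSError, ValueError):
        return 1   # any failure is a rejection, never an accept


if __name__ == "__main__":
    sys.exit(main())
```

To add the one temporary account the post describes, run `make_entry("customer1", "<password>")` and append the printed line to the auth file; deleting the line again after the verification is done is the whole "removal" step. Nothing about this script changes the protocol question raised in the post: the password still travels only inside the TLS control channel OpenVPN has already established with the server's certificate, and the hashing here protects the file at rest on the firewall, not the exchange on the wire.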