[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Username/Password authentication strengh


  • Subject: Re: [Openvpn-users] Username/Password authentication strengh
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Tue, 28 Dec 2004 21:58:50 -0500

[snip]
> Also good reasons why not using it in real VPN installations, however let
> me explain the what kind of use I was planning.
> 
> A customer of mine provide backup services and restore tests. After a
> backup has been restored to a backup server the end-customer who had
> created the backup need to connect to server to verify it has been
> restored properly. In past this has been done by sending out an ISDN
> router, but now we live in the VPN age, so I'm setting up an OpenVPN
> solution instead.
> 
> I've installed a dedicated linux/openvpn firewall for this. The
> technicians that will have access the firewall is only a handfull and they
> all have physical access to both the firewall and the backup server it is
> protecting.
> 
> When a backup server is ready to be verified by the customer a
> username/password is added to the auth file. This is the only single
> account that will be there. After the restore has been verified, usually
> after a day or two, the username/password is removed again.
> 
> In this kind of setup none of the threats you mention concerns me. I was
> previously under the impression that all username/password based auth
> protocols were suspectible to offline dictionary/brute force attacs, but
> after reading up on this I've learned that this is no longer the case as
> the psw-auth is protected by DH (which in turn is protected by the
> servers RSA cert).
> 
> So, let me reformulate my question -- Is there any protocol issues with
> OpenVPNs username/password auth that makes it weaker than two-way RSA
> auth?

Please forgive me in advance, as I may be beating a dead horse.  Have
you considered giving them a cert that expires in say 7 days.  Once
they confirm things you can revoke the cert, if it is less than the  7
days?

More secure and automatically revokes access in 7 days.


-- 
Leonard Isham, CISSP
Ostendo non ostento.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users