[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Re: "--askpass file" is evil!


  • Subject: Re: [Openvpn-users] Re: "--askpass file" is evil!
  • From: Ray Lee <ray-openvpn@xxxxxxxxxxxxx>
  • Date: Fri, 14 Jan 2005 17:11:33 -0800

On Sat, 2005-01-15 at 00:59 +0100, Mathias Sundman wrote:
> If you setup a CA you can centrally revoke a certificate for a particual 
> box. You do not have to issue new certs for each box.
> 
> I can understand that username/password auth can be useful if you want to 
> authenticate against an already existing user database, but like I said, 
> you still have the option of using non-encrypted private keys/certificates 
> to solve the other problems you mention.

Okay. That makes sense. I've been trying to avoid going the client
certificate route, as that's more tedious to integrate into our existing
setup, but it's certainly possible.

Well, to be honest, I was also avoiding it as it's Yet Another New Thing
I have to learn. Not that there's anything wrong with that, but I'm
fumbling around a bit blind (as you can see, I'm sure), and each thing I
add into the system that I'm not completely clear on is another thing I
might screw up in a way that makes the system overall less secure.

> You probably missed what I described above.

<Nod> Yup.

> Now, if you still want to use username/password auth, I can see your 
> problem. You might be able to make a script that runs openvpn and passes 
> the username and password to stdin when openvpn asks for it.

I toyed with driving openvpn via expect, but that would require more
fiddling with the default install than merely recompiling Debian's
package and distributing that instead. I've gone ahead and done the
reconfigure and repackaging so I can move forward for my hard deadline
of Monday, but after that I'll revisit the certificate route.

Thanks for your help, you've made things much clearer.

Ray



-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users