
Re: [Openvpn-users] Authentication solution

  • Subject: Re: [Openvpn-users] Authentication solution
  • From: Tony <kb2wjw@xxxxxxxxx>
  • Date: Thu, 05 Apr 2007 03:46:04 +0400

On Wed, 04 Apr 2007 23:37:25 +0400, Steve Finkelstein <sf@xxxxxxxxxxxxx>  

> ...I don't necessarily feel it's a great idea to give them certificate  
> based auth cause they can just toss the certificate on any box and be  
> able to open a VPN tunnel into the internal network...

OpenVPN v2.1.x is PKCS#11-aware; you could give them their
certificates stored on a hardware token. (In the case of Aladdin's USB
eToken PRO, it is possible to lock the token with a PIN code and protect an RSA
key in it with a passphrase.)
Since it is impossible to "toss" a token without losing the VPN access, I
think they will care about not parting with it.
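
A client configuration fragment illustrating the suggestion above, as an added example that is not part of the original post: the first form keeps the private key in a file, the second references a key held on a PKCS#11 token. The provider library path and the `pkcs11-id` value are placeholders, and the file names `ca.crt`, `client.crt` and `client.key` are assumed.

```conf
# Form 1 (shown commented out): certificate and private key are plain files.
# Anyone who can read client.key can copy it to another machine and connect.
# ca   ca.crt
# cert client.crt
# key  client.key

# Form 2: the private key stays on a PKCS#11 hardware token (OpenVPN 2.1+).
ca ca.crt

# Placeholder path: point this at the PKCS#11 library installed with the
# token vendor's middleware.
pkcs11-providers /path/to/token-pkcs11.so

# Placeholder value: list the objects on the inserted token with
#   openvpn --show-pkcs11-ids /path/to/token-pkcs11.so
# and paste the serialized ID it prints for the client certificate.
pkcs11-id 'SERIALIZED_ID_FROM_SHOW_PKCS11_IDS'

# No "cert" or "key" directive is used in this form; OpenVPN asks the token
# to perform the private-key operation, and the token asks for its PIN.
```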

