
Re: [Openvpn-users] Build the certificates with username/password

  • Subject: Re: [Openvpn-users] Build the certificates with username/password
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 22 Nov 2007 23:57:13 -0600
  • Openpgp: id=2E5A5127

Pol Hallen wrote:
> Hi all :-)
> I read the official howto "RSA Key Management" (http://openvpn.net/easyrsa.html)
> but I find only how to build a certificate with (only) a password.
> I'd like authentication from any client with a username and password.
> Can somebody tell me how to do it?

First you need to understand how the password works when used with RSA
private keys.  When used with certificates, all VPN clients need a
private key and public certificate to establish the connection.  The
private key is usually encrypted with a password that the user knows,
which ensures theft of the private key won't compromise security.  There
is no concept of a username because authentication for VPN access is
based solely on access to the decrypted private key combined with a
valid certificate.

To require connecting clients to supply a username/password combination
you should use the --auth-user-pass-verify option in the server's config
file.  This will execute a script that will be passed the username and
password supplied by the connecting client and decide if the connection
is authorized or not.  How you authenticate is entirely up to the
script, so you could do something as simple as checking against a
plaintext file of username/password combinations, or as complex as
querying a database.  I believe the source OpenVPN distribution comes
with an example perl script that authenticates against a PAM implementation.

Keep in mind that the --auth-user-pass-verify option will only handle
authentication.  For encryption you will still need to use a
key/certificate pair or static key.
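As an added illustration of the "plaintext file of username/password combinations" approach described above (example code, not from the original post or the OpenVPN project), here is a small verifier for `auth-user-pass-verify /etc/openvpn/checkpass.sh via-file`. The credentials file path and its record format are assumptions; in `via-file` mode OpenVPN writes the client's username on line 1 and its password on line 2 of a temporary file and passes that path as the first argument, and the script's exit status decides whether the connection is authorized.

```shell
#!/bin/sh
# Hypothetical verifier for: auth-user-pass-verify /etc/openvpn/checkpass.sh via-file
# OpenVPN writes the client's username on line 1 and its password on line 2 of a
# temporary file and passes that path as $1; exit 0 grants access, non-zero denies.
# Credentials file (path is an assumption), one record per line:
#   user:salt:sha256hex("salt:password")
CREDS="${CREDS:-/etc/openvpn/users.db}"

sha256_hex() {                      # hex SHA-256 of stdin (sha256sum or shasum)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# add_user USER PASS FILE: enrol a user with a fresh random salt (admin side)
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(printf '%s:%s' "$salt" "$2" | sha256_hex)" >> "$3"
}

# check_credentials USER PASS FILE: 0 if the pair matches a record, 1 otherwise
check_credentials() {
    user="$1"; pass="$2"; file="$3"
    # Reject anything outside a conservative username alphabet before the
    # file is consulted, so malformed input never reaches the lookup.
    case "$user" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    # Exact match on field 1 (no regex); the first matching record wins
    record=$(awk -F: -v u="$user" '$1==u {print; exit}' "$file" 2>/dev/null)
    [ -n "$record" ] || return 1
    salt=$(printf '%s' "$record" | cut -d: -f2)
    stored=$(printf '%s' "$record" | cut -d: -f3)
    [ -n "$salt" ] && [ -n "$stored" ] || return 1
    computed=$(printf '%s:%s' "$salt" "$pass" | sha256_hex)
    [ "$computed" = "$stored" ]
}

# verify_file PATH: read the two-line file OpenVPN hands over and check it
verify_file() {
    [ -r "$1" ] || return 1
    user=$(sed -n '1p' "$1"); pass=$(sed -n '2p' "$1")
    check_credentials "$user" "$pass" "$CREDS"
}

# When run by OpenVPN the temp-file path arrives as $1; nothing runs otherwise.
if [ -n "${1:-}" ]; then
    verify_file "$1" && exit 0
    exit 1
fi
```

Current OpenVPN releases also require `script-security 2` in the server config before any external script is executed.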

