Pol Hallen wrote:
> Hi all :-)
> I read official howto "RSA Key Management" (http://openvpn.net/easyrsa.html)
> but I find only how to build a certificate with (only) password.
> I'd like an authentication from any clients with username and password.
> Can somebody tell me how I'll do it?
First you need to understand how the password works when used with RSA
private keys. When used with certificates, all VPN clients need a
private key and public certificate to establish the connection. The
private key is usually encrypted with a password that the user knows,
which ensures theft of the private key won't compromise security. There
is no concept of a username because authentication for VPN access is
based solely on access to the decrypted private key combined with a
To require connecting clients to supply a username/password combination
you should use the --auth-user-pass-verify option in the server's config
file. This will execute a script that will be passed the username and
password supplied by the connecting client and decide if the connection
is authorized or not. How you authenticate is entirely up to the
script, so you could do something as simple as checking against a
plaintext file of username/password combinations, or as complex as
querying a database. I believe the source OpenVPN distribution comes
with an example perl script that authenticates against a PAM implementation.
Keep in mind that the --auth-user-pass-verify option will only handle
authentication. For encryption you will still need to use a
key/certificate pair or static key.
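As an added illustration of the "plaintext file of username/password combinations" case described above (example code, not from the original reply or from the OpenVPN distribution): a script for `--auth-user-pass-verify /path/to/check-user.sh via-file`. In via-file mode OpenVPN writes the client's username on line 1 and the password on line 2 of a temporary file and passes its path as the first argument; exit status 0 accepts the client, anything else rejects it. The credential file path, its `user:sha256hex` line format, and the use of `sha256sum` (GNU coreutils) are assumptions of this example; an unsalted hash is only acceptable for a demonstration.

```sh
#!/bin/sh
# Added example for OpenVPN's auth-user-pass-verify (via-file mode).
# Credential file format (assumed): one "username:sha256hex(password)" per line.
PASSWD_FILE="${PASSWD_FILE:-/etc/openvpn/users.txt}"   # hypothetical path

# hash_password PASSWORD -> prints the hex SHA-256 digest stored in the file
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# check_user USERNAME PASSWORD CREDFILE -> exit 0 if the pair is listed
check_user() {
    user=$1; pass=$2; credfile=$3
    # Reject empty names and anything outside a conservative character set,
    # so ':' or regex metacharacters can never reach the lookup below.
    case $user in ''|*[!A-Za-z0-9_.@-]*) return 1;; esac
    digest=$(hash_password "$pass")
    # -F: fixed string, -x: whole line must match, -q: no output
    grep -qxF "$user:$digest" "$credfile"
}

# verify_via_file TMPFILE CREDFILE -> exit 0 if the credentials OpenVPN wrote are valid
verify_via_file() {
    tmpfile=$1; credfile=$2
    user=$(sed -n '1p' "$tmpfile")   # line 1: username
    pass=$(sed -n '2p' "$tmpfile")   # line 2: password
    if check_user "$user" "$pass" "$credfile"; then
        return 0
    fi
    # Log the rejected username only; never log the password.
    echo "auth-user-pass-verify: rejected user '$user'" >&2
    return 1
}

# Entry point when OpenVPN invokes the script: $1 is the temporary file.
if [ -n "$1" ] && [ -r "$1" ]; then
    if verify_via_file "$1" "$PASSWD_FILE"; then
        exit 0
    fi
    exit 1
fi
```

OpenVPN removes the temporary file after the script returns, so nothing needs to be cleaned up here; the script itself still decides only authentication, and the TLS key/certificate pair remains required for the tunnel.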