On Thu, 13 Jan 2005 14:55:00 +0100, Didier Conchaudron
<did...@conchaudron.net> wrote:
> Hi all,
> 
> I'm still working on a renewed openvpn service wrapper (which is heading
> to allow a non-admin user to start/stop pre-defined tunnels via a tcp
> socket) and I see some big troubles in the near future.
> 
> The *great* actual cryptoapi patch allows a user to access local machine
> and local user certs. It's quite good right now because most of the
> openvpn users are using it with admin rights or non-interactive
> processing (like autostart at windows boot).
> 
> I'm worrying about those features when our aim will be to let
> non-admin users start their tunnel and authenticate themselves on the
> openvpn server with their own certificate. In the actual openvpn it's
> not possible, because the SYSTEM account can only access its own
> certs and the local machine certs, but not "Foo Bar User" certs.
> 
> We can ask ourselves a few questions:
> 
> - is it possible to make SYSTEM access user certs?
> - if not, how can we make openvpn access those users' data?
> 
> A friend of mine said an answer could be to let the GUI (or a user-only
> component) manage the access to such user-related data, and let openvpn
> deal with this component in order to use the certs.
> 
> Of course, this problem is only windows-related.
> 
> What do you think of this problem?
> 

Defense in depth.

The user should not have the ability to log on to a machine with
OpenVPN installed if they are not allowed to use OpenVPN, or that user
should not have access to run the GUI (maybe the OpenVPN Service
should not even be running).

The certificate is authenticating the computer.

-- 
Leonard Isham, CISSP
Ostendo non ostento.