Hi, On Sun, Feb 04, 2024 at 02:17:35PM +0100, Bo Berglund wrote: > 2) But if you have actually taken the advice then making a user unable to > connect is very simple to manage by NOT revoking any key: > Just create a file with the Common Name of tyhat user in the ssd directory on > the server and write the single word "disable" into that file.
This is actually doing something subtly different.
- revoking the key means "this key will no longer work, another key with
the same CN (and/or same username/password) *will* work"
- blocking by CCD/disable means "this common name will no longer work, no
matter which key is used".
The first one would be appropriate in case a device with a key on it is
lost / stolen - block this key, do not block anything else this user might
have. The second case is "get rid of all this user might have had issued
to his name".
> So my take is: DO NOT USE revoking of keys to lock out users!
Use the right solution for the right purpose :-)
(One of my customers locks out users by means of an LDAP check in
client-connect... so if AD has the "this account is disabled!" bit
set, client-connect will fail, disallowing connect... but to make
this work well, async/deferred CC needs to be used, which is a bit
more complex to set up)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
