> Personally, I like combining passwords and tokens (the old "what I have and
> what I know" combo). I've been using password-based IMAP transported over
> certificate-based OpenVPN, which does the trick for me.
>
> I readily acknowledge that my solution isn't really what you're hoping to
> use. Still, it's flexible enough so that all sorts of services that
> traditionally rely on passwords (SMTP AUTH, web services, plus IMAP) can be
> wrapped in a certificate-authenticated connection.
I made this same decision about authenticated IMAP. I run OpenVPN on my laptop and it works fine. It is usually quite good about recovering when network connectivity comes and goes. If you're already using OpenVPN for other things, it is a logical choice to skip using certificates with each individual service.

The trouble I ran into, though, was with OpenVPN on my Android. I can't get it working at all, and I've spent countless hours trying to debug it (with root access on my phone, sniffing at both ends, etc.). The OpenVPN client connects, successfully authenticates, and then nothing happens. No packets at all are transmitted over the established connection. It is super frustrating, and no OpenVPN folks stepped up to help me figure it out. I'm just hoping with the next Android phone it will magically work... Ok, enough venting.

> It has the further benefit that you only need to contact one remote port,
> reducing the chance that a local firewall will become an obstacle to your
> session.

Yup. You can run OpenVPN on unusual ports (e.g. 53/UDP) that are often allowed outbound without filtering. In addition, if you use the tls-auth option with a UDP port, attackers can't even tell the OpenVPN service is running on your server unless they know the pre-auth symmetric key. (This is kinda like a group password checked on the very first packet before certificate authentication is performed.)

tim

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
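As an added illustration (not part of the thread above, and not Tim's actual configuration), here is a minimal OpenVPN server/client pair showing the tls-auth setup he describes: certificate-based TLS for the tunnel, plus a pre-shared HMAC key that must validate on the very first packet before any TLS handshake is answered. File names, the VPN subnet and the hostname are assumptions.

```text
# server.conf  (assumed filename; added example, not the poster's config)
# Generate the shared HMAC key once and distribute it to every client:
#   openvpn --genkey --secret ta.key
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
server 10.8.0.0 255.255.255.0     # assumed VPN subnet
# Every control-channel packet is HMAC-signed with ta.key.  Packets that fail
# the check are dropped before the TLS handshake starts, so a probe without
# the key gets no reply and cannot tell the service exists (on UDP).
tls-auth ta.key 0                 # key direction 0 on the server
remote-cert-tls client            # require a client-EKU certificate
tls-version-min 1.2
persist-key
persist-tun

# client.ovpn  (assumed filename)
client
dev tun
proto udp
remote vpn.example.com 1194       # placeholder hostname
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1                 # key direction 1 on the client
remote-cert-tls server            # refuse a server that presents a client cert
tls-version-min 1.2
# On OpenVPN 2.4 and later, "tls-crypt ta.key" (no direction argument, used
# instead of tls-auth on both sides) keeps the same first-packet check and
# additionally encrypts the control channel.
```

The direction arguments (0 on the server, 1 on each client) select which half of the key signs each way; they must be mirrored, otherwise every packet fails the HMAC check and the client sees nothing but a silent timeout. That silence is the point Tim makes: with tls-auth on UDP the daemon never responds to unauthenticated traffic, so a port scan shows the port as closed or filtered rather than as an OpenVPN listener.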