Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, Aug 14, 2009 at 07:42:07 +0100 (+0100), Stephen Nelson-Smith wrote:
> Morning,
>
> I've just deployed an OpenVPN solution for a client, and am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

We use PAM authentication on top of openvpn, which works well. What doesn't work so well is that openvpn+LDAP+TLS+PAM auth (yes, you need all four) leaks two file descriptors per connection, which I never managed to track down (on Debian Etch).

We also use the per-client key/certs settings, but as we can't control passwords on those keys, we can at least control the PAM passwords :)

Adrian

-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
Re: [Hampshire] OpenVPN + TrueCrypt
Hi Jon,

>> This sounds like the way to do it. Thanks for the hint.
>
> While that would solve the problem you've described, the whole solution
> still smells of "doing it wrong". There are specialist USB devices out
> there that are designed to hold secure certificates. You should really
> be using one of those*.

Aha! I shall investigate this avenue of research! Thanks!

S.

-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com
Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, 14 Aug 2009 10:12:15 +0100 Stephen Nelson-Smith wrote:
> > * udev (see /etc/udev/rules.d/*) to create your own device node
> > (e.g. /dev/vpn-keys), identifying the device by device ID, UUID
> > or filesystem label.
>
> This sounds like the way to do it. Thanks for the hint.

While that would solve the problem you've described, the whole solution still smells of "doing it wrong". There are specialist USB devices out there that are designed to hold secure certificates. You should really be using one of those*.

Cheers,
/j

* although to be fair, I have no idea if OpenVPN would support these devices. I certainly hope it would, though...

-- 
Jon Fautley RHCE, RHCDS, RHCX, RHCA          email: jfaut...@redhat.com
Senior Consultant                            cell : +44 7841 558683
Global Professional Services
Red Hat UK, 200 Fowler Avenue, Farnborough, Hampshire, GU14 7JP
Re: [Hampshire] OpenVPN + TrueCrypt
Hi Hugo,

> * udev (see /etc/udev/rules.d/*) to create your own device node
> (e.g. /dev/vpn-keys), identifying the device by device ID, UUID
> or filesystem label.

This sounds like the way to do it. Thanks for the hint.

S.

-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com
Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, Aug 14, 2009 at 09:15:32AM +0100, Stephen Nelson-Smith wrote:
> My question concerned where in the filesystem the keys would appear.
> It may not always be the same - using automatic mounting, the user may
> get /media/disk1 one day and /media/disk2 another, if something else
> was mounted at disk1. I don't want users to change their config file.
> You may assume I know how to handle this manually. You may assume my
> users don't. I'd like their experience to be as simple as: 1) User
> inserts USB stick 2) User enters password 3) User fires up vpn client.

The solution to this is to use some definitive unique ID on the USB stick to get it to mount in the same place every time. The usual way of doing this is to ensure that the stick always has exactly the same device node name, and that you can then map that device to e.g. /media/vpn-keys in fstab. You can therefore use one of:

 * /dev/disk/by-uuid/... (for the filesystem UUID)
 * /dev/disk/by-label/... (for a manually-set label on the filesystem: do this if you want any key to be usable in any machine, and set the labels the same on all USB sticks)
 * udev (see /etc/udev/rules.d/*) to create your own device node (e.g. /dev/vpn-keys), identifying the device by device ID, UUID or filesystem label.

Hugo.

-- 
=== Hugo Mills: h...@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
     --- Questions are a burden, and answers a prison for oneself. ---
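Hugo's by-label option, written out as the fstab line and udev rule it implies. This is an added example, not configuration from anyone in the thread: the label VPNKEYS, the mount point /media/vpn-keys, the /dev/vpn-keys symlink name and the 99- rule-file prefix are all names chosen here, and the KERNEL=="sd?[0-9]" match assumes the stick shows up as a SCSI-disk partition.

```shell
#!/bin/sh
# Added example: pin a USB key stick to a fixed mount point by filesystem
# label, so an OpenVPN client config can always point at
# /media/vpn-keys/<user>.key whichever /dev/sdX the stick comes up as.
# LABEL, MOUNTPOINT and NODE are names assumed for this example.
set -u

LABEL=${LABEL:-VPNKEYS}
MOUNTPOINT=${MOUNTPOINT:-/media/vpn-keys}
NODE=${NODE:-vpn-keys}          # becomes /dev/vpn-keys

# fstab entry keyed on the filesystem label rather than a device name.
# noauto: not mounted at boot; user: the logged-in user may mount it without
# root; noexec,nosuid,nodev: nothing on the stick can be executed.
fstab_entry() {
    printf 'LABEL=%s %s auto noauto,user,noexec,nosuid,nodev 0 0\n' "$1" "$2"
}

# udev rule: when a partition carrying this label appears, also create a
# stable /dev/<node> symlink to it.  ID_FS_LABEL is filled in by udev's own
# blkid/vol_id import rules, so this rule must sort after them (99- prefix).
udev_rule() {
    printf 'KERNEL=="sd?[0-9]", ENV{ID_FS_LABEL}=="%s", SYMLINK+="%s"\n' "$1" "$2"
}

# True if the fstab file given as $1 already has a line whose mount point
# (field 2) is $2; comment lines are skipped.
has_fstab_entry() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# Current device behind the label, if the stick is plugged in
# (/dev/disk/by-label is maintained by udev, so this works before mounting).
device_for_label() {
    readlink -f "/dev/disk/by-label/$1"
}

# Idempotent install (needs root): append the fstab line once, write the udev
# rule, reload udev.  Users then run "mount /media/vpn-keys" after inserting.
install_config() {
    mkdir -p "$MOUNTPOINT"
    has_fstab_entry /etc/fstab "$MOUNTPOINT" || fstab_entry "$LABEL" "$MOUNTPOINT" >> /etc/fstab
    udev_rule "$LABEL" "$NODE" > "/etc/udev/rules.d/99-${NODE}.rules"
    udevadm control --reload-rules 2>/dev/null || udevcontrol reload_rules
}

case ${1:-show} in
    install) install_config ;;
    *)  # dry run: print what install_config would write
        fstab_entry "$LABEL" "$MOUNTPOINT"
        udev_rule "$LABEL" "$NODE" ;;
esac
```

Run it with no arguments to see the two lines it would write, and as root with `install` to apply them. Set the same label on every stick (e.g. with e2label or dosfslabel) and the client config can reference /media/vpn-keys/<user>.key on every machine.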
Re: [Hampshire] OpenVPN + TrueCrypt
Hi,

Like Keith, I'm a little confused as to what problem you're trying to solve by using the USB keys.

The location of the various keys is set in whichever configuration file you're using for the client. You should find that in /etc/openvpn. If you can make a usb key always mount in the same place then you should be able to reference a key on it.

You can make the keys openvpn uses require a passphrase. That way the keys are encrypted and not usable without the passphrase. If the key is presented to the server then the server can be certain the user has the passphrase.

The advantage of this approach is that if the user walks away and leaves an unlocked machine the key can be copied, but the copy can't be used without the passphrase. With an encrypted stick the key can be copied and will automatically be decrypted, so the copied key could be used by anyone.

Cheers,
Paul.

--Original Message--
From: Keith Edmunds
Sender: hampshire-boun...@mailman.lug.org.uk
To: Hampshire LUG Mailing List
ReplyTo: Hampshire LUG Mailing List
Subject: Re: [Hampshire] OpenVPN + TrueCrypt
Sent: 14 Aug 2009 07:46

On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:
> I'm wondering how the
> openvpn client knows where to find the keys?

From the configuration file (the "ca", "cert" and "key" lines).

> am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

It's not clear to me what problem you are attempting to solve - could you elucidate?

Keith

-- 
Sent from my BlackBerry® wireless device
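Paul's point is checkable: a PEM private key is either passphrase-protected or it is not, and the header says which. The script below is an added example, not code from anyone in the thread. It reads the "key" directive out of an OpenVPN client config, reports whether that file is an encrypted PEM key (PKCS#8 "ENCRYPTED PRIVATE KEY" block, or a traditional OpenSSL block with a "Proc-Type: 4,ENCRYPTED" header), and shows the openssl command that encrypts a plaintext one. The config and key files it writes for its demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config to see whether the private
# key it points at is passphrase-protected, and show how to encrypt one that
# is not.  File names and PEM bodies in demo() are constructed for the demo.
set -u

# Print the path named by the "key" directive of an OpenVPN client config.
# A relative path is resolved against the config file's own directory
# (OpenVPN does the same when started from that directory or with --cd).
key_path_from_config() {
    conf=$1
    k=$(awk '$1 == "key" { print $2; exit }' "$conf")
    [ -n "$k" ] || return 1
    case $k in
        /*) printf '%s\n' "$k" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$k" ;;
    esac
}

# Classify a PEM private key file by its headers:
#   0 = encrypted (PKCS#8 ENCRYPTED PRIVATE KEY, or traditional OpenSSL
#       block carrying "Proc-Type: 4,ENCRYPTED")
#   1 = plaintext private key
#   2 = not a PEM private key at all
key_is_encrypted() {
    f=$1
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 0
    grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" && return 1
    return 2
}

# One-line verdict for a config:
#   "ENCRYPTED <path>", "PLAINTEXT <path>", "NOTPEM <path>", "MISSING <path>"
#   or "NOKEY -" when the config has no key directive.
audit_config() {
    conf=$1
    k=$(key_path_from_config "$conf") || { printf 'NOKEY -\n'; return 1; }
    [ -r "$k" ] || { printf 'MISSING %s\n' "$k"; return 1; }
    rc=0
    key_is_encrypted "$k" || rc=$?
    case $rc in
        0) printf 'ENCRYPTED %s\n' "$k" ;;
        1) printf 'PLAINTEXT %s\n' "$k" ;;
        *) printf 'NOTPEM %s\n' "$k" ;;
    esac
}

# Encrypt a plaintext RSA key under a passphrase (openssl prompts for it).
# The original is left in place so it can be shredded once OpenVPN has been
# tested with the new file; OpenVPN then prompts for the passphrase at
# start-up, or reads it from the file named by an "askpass" directive.
encrypt_key() {
    openssl rsa -aes256 -in "$1" -out "$2" && chmod 600 "$2"
}

# Demo on constructed files: alice has a plaintext-looking key, bob an
# encrypted-looking one.  The base64 bodies are placeholders only.
demo() {
    d=$(mktemp -d)
    printf '%s\n' client 'dev tun' 'ca ca.crt' 'cert alice.crt' 'key alice.key' > "$d/alice.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'cONSTRUCTEDbody' \
        '-----END RSA PRIVATE KEY-----' > "$d/alice.key"
    printf '%s\n' client 'dev tun' 'ca ca.crt' 'cert bob.crt' 'key bob.key' > "$d/bob.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'cONSTRUCTEDbody' '-----END RSA PRIVATE KEY-----' > "$d/bob.key"
    audit_config "$d/alice.conf"   # prints "PLAINTEXT <tmpdir>/alice.key"
    audit_config "$d/bob.conf"     # prints "ENCRYPTED <tmpdir>/bob.key"
    rm -rf "$d"
}

if [ $# -eq 0 ]; then
    demo
else
    for c in "$@"; do audit_config "$c" || :; done
fi
```

Run it over every client config you handed out (`sh audit.sh */client.conf`) and anything reported PLAINTEXT is a key that can be lifted from an unlocked machine and used as-is; run `encrypt_key` on it and redistribute. Note that the header check only tells you the key is encrypted, not that the passphrase is any good.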
Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, Aug 14, 2009 at 7:46 AM, Keith Edmunds wrote:
> On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:
>
>> I'm wondering how the
>> openvpn client knows where to find the keys?
>
> From the configuration file (the "ca", "cert" and "key" lines).

Obviously. I'd have struggled to have delivered a working VPN if I didn't know that! Sorry if I gave the impression that I didn't understand this - I plead lack of sleep and early-morning bleariness.

> It's not clear to me what problem you are attempting to solve - could you
> elucidate?

I'll try!

At present I have given each user a set of keys and certs, an openvpn client config, and an openvpn client. In each client config, the path to the keys is defined, for example /home/stephen/vpn/stephen.key, crt etc. I haven't yet been able (at least with Tunnelblick on Macs) to get the openvpn client to demand a passphrase, so if someone gains access to their machine, they can get onto the VPN.

I am proposing that the keys live on an encrypted USB stick - one per user. The user then inserts the stick into their machine, enters the password, uses the keyfile or whatever method we choose to decrypt the filesystem, and only then fires up the VPN.

My question concerned where in the filesystem the keys would appear. It may not always be the same - using automatic mounting, the user may get /media/disk1 one day and /media/disk2 another, if something else was mounted at disk1. I don't want users to change their config file. You may assume I know how to handle this manually. You may assume my users don't. I'd like their experience to be as simple as:

1) User inserts USB stick
2) User enters password
3) User fires up vpn client.

I'm also curious to know if anyone else is doing anything similar, and can share whether it has been a success, what they might do differently. Furthermore, I am open to alternative ways to increase the security of the VPN setup.

Is that clearer?

Thanks!

S.

-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com
Re: [Hampshire] OpenVPN + TrueCrypt
On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:
> I'm wondering how the
> openvpn client knows where to find the keys?

From the configuration file (the "ca", "cert" and "key" lines).

> am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

It's not clear to me what problem you are attempting to solve - could you elucidate?

Keith
[Hampshire] OpenVPN + TrueCrypt
Morning,

I've just deployed an OpenVPN solution for a client, and am considering enhancing the security by having the users keep their keys on an encrypted USB stick.

Have any of you done anything like this? I'm wondering how the openvpn client knows where to find the keys?

I've heard about TrueCrypt as a powerful tool - I gather that the OS mounts and decrypts the USB drive. I suppose it mounts it in a consistent or definable place, so the client could be told to find the keys there.

Any ideas or experiences?

S.

-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com