Edward Ned Harvey wrote:
> In openvpn, each individual client gets a private key or a private
> certificate. If that key or cert were acquired by anyone other than the
> intended end user, it would be possible for someone unauthorized to get in.
>
> Basically, this is a one-stage authentication, and I don't think openvpn
> supports two or more. Ideally, authentication will require both something
> physical and something known. (A preshared key or a certificate which is
> too large for a human to be expected to memorize or type it in, can be used
> as a substitute for something physical as a key.) Ideally, no user could
> even receive the password prompt unless they've already passed the physical
> authentication.
Just use a smart card, or any of the USB tokens (smart card and reader
in a single token.)
Users authenticate to the smartcard to get access to use (not read) the
private key.
PKCS#11 API is supported by OpenSSL and OpenVPN.
I have played around a bit with the Aladdin iKey (now SafeNet.)
--
END OF LINE
--MCP
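To illustrate the approach described in the reply above, here is an added OpenVPN client configuration (not from the original post or from the OpenVPN project) that replaces the on-disk client key with a key held on a PKCS#11 token; the module path, remote host and serialized object id are assumptions and placeholders.

```conf
# One-factor variant (what the original question describes): a file-based
# client certificate and private key. Anyone who copies client.key can connect.
#   cert client.crt
#   key  client.key

# Two-factor variant: the private key never leaves the token ("something
# physical") and OpenVPN must present the token PIN to use it ("something known").
client
dev tun
proto udp
remote vpn.example.com 1194        # assumed hostname and port
ca ca.crt                          # CA certificate still comes from a file

# Load the token vendor's PKCS#11 module in place of cert/key directives.
# Path is an assumption (OpenSC's module on many Linux distributions).
pkcs11-providers /usr/lib/opensc-pkcs11.so

# Serialized id of the client certificate object on the token. List the
# candidates with:  openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
# The value below is a placeholder.
pkcs11-id 'PLACEHOLDER_SERIALIZED_ID'

# OpenVPN prompts for the PIN on the console at connect time; cache it for
# 300 seconds so renegotiations do not re-prompt within that window.
pkcs11-pin-cache 300
```

On the server side nothing changes: the token-held key signs the same TLS handshake a file-based key would, so the existing CA and client certificate policy keep working.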
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/