>>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>>> > particular user can only come from a particular device (or from any
>>> > device containing a key).
>>>
>> You can use apache client authentication with SSL certificates only.  Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's certificate
>> and upload it along with your CA certificate to the user's browser.  This
>> explains the principle:
>>
>> http://wiki.cacert.org/HELP/9
>>
>>
>> Ditto with the VPN connection - should you still want to use VPN.
>
>
> Let me see if I'm following.  I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication?  Can I require a
> username/password along with the certificate?  Can I require the
> certificate only for certain users?
>
>
>> If a user certificate is lost or feared compromised, you revoke it with your
>> CA and upload the CRL to the server.
>>
>> However, this won't do away with XSS, or other similar attack vectors if the
>> users are not careful with their browsing habits.
>
>
> Can you give me an example?


Despite Rich's best efforts (thank you Rich! :-) ) I'm still
considering a Gentoo laptop for this along with a Chromebook.  I would
need to be able to rsync to the laptop and I'd rather not be involved
in the remote employee's router config.  Is there an easier solution
for that than OpenVPN?  If not, perhaps OpenVPN is the way to go since
I could use it both to provide rsync access and for authentication.
Still I'd love to avoid it if possible.

Can I have OpenVPN prompt the desktop user on the client for login credentials?

- Grant
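
The workflow described in the quoted reply above (a private CA, a certificate per user for import into the browser, and a CRL when one is revoked), sketched with the openssl CLI as an added example that is not part of the original thread. The CA name, user name, file names and passphrase are constructed for the demo.

```shell
# Added example: private CA, per-user browser certificates, and revocation by CRL.
# "Demo CA", alice, the file names and the passphrase are constructed for the demo.
set -e
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$1/crl.pem" 2>/dev/null; }
init_ca() {  # $1 = empty working directory for the CA
  mkdir -p "$1/newcerts"; : > "$1/index.txt"
  echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  gen_crl "$1"
}
issue_client() {  # $1 = CA dir, $2 = user name
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -days 365 -notext \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
  # PKCS#12 bundle (key + cert + CA cert) for import into the user's browser
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/ca.crt" \
    -passout pass:demo-only -out "$1/$2.p12"
}
revoke_client() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null; gen_crl "$1"; }
client_ok() {  # the decision a CRL-checking server makes: 0 = accept, non-zero = reject
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" -crl_check "$1/$2.crt" >/dev/null 2>&1
}
D=$(mktemp -d); init_ca "$D"; issue_client "$D" alice
client_ok "$D" alice && echo "alice accepted"
revoke_client "$D" alice
client_ok "$D" alice || echo "alice rejected after revocation"
```

On the Apache side, mod_ssl's `SSLCACertificateFile` and `SSLCARevocationFile` would point at `ca.crt` and `crl.pem`, with `SSLVerifyClient require` on the protected location.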
