Hi all,
I'm still working on a renewed openvpn service wrapper (which is heading
to allow a non-admin user to start/stop pre-defined tunnels via a TCP
socket) and I see some big troubles in the near future.
The *great* current cryptoapi patch allows a user to access local machine
and local user certs. It's quite good right now because most of the
openvpn users are using it with admin rights or non-interactive
processing (like autostart at Windows boot).
I'm worried about those features when our aim is to let
non-admin users start their tunnel and authenticate themselves on the
openvpn server with their own certificate. In the current openvpn it's
not possible, because the SYSTEM account can only access its own
certs and the local machine certs, but not "Foo Bar User" certs.
We can ask ourselves a few questions:
- is it possible to make SYSTEM access user certs?
- if not, how can we make openvpn access those users' data?
A friend of mine said an answer could be to let the GUI (or a user-only
component) manage the access to such user-related data, and let openvpn
deal with this component in order to use the certs.
Of course, this problem is only Windows-related.
What do you think of this problem?
Thanks,
Didier