Leonard Isham wrote:
> On Thu, 13 Jan 2005 14:55:00 +0100, Didier Conchaudron
> <did...@conchaudron.net> wrote:
>
>> Hi all,
>>
>> I'm still working on a renewed openvpn service wrapper (which is heading
>> to allow a non-admin user to start/stop pre-defined tunnels via a tcp
>> socket) and I see some big troubles in a near future.
>>
>> The *great* actual cryptoapi patch allows a user to access local machine
>> and local user certs. It's quite good right now because most of the
>> openvpn users are using it with admin rights or non-interactive
>> processing (like autostart at windows boot).
>>
>> I'm worrying about those features when our aim will be to let
>> non-admin users start their tunnel and authenticate themselves on the
>> openvpn server with their own certificate. In the actual openvpn it's
>> not possible, because the SYSTEM account can only access its own
>> certs and the local machine certs, but not "Foo Bar User" certs.
>>
>> We can ask ourselves a few questions:
>> - is it possible to make SYSTEM access user certs?
>> - if not, how can we give openvpn access to those users' data?
>>
>> A friend of mine said an answer could be to let the GUI (or a user-only
>> component) manage the access to such user-related data, and let openvpn
>> deal with this component in order to use the certs.
>>
>> Of course, this problem is only windows-related.
>>
>> What do you think of this problem?
>
> Defense in depth.
>
> The user should not have the ability to logon to a machine with
> OpenVPN installed if they are not allowed to use OpenVPN, or that user
> should not have access to run the GUI (maybe the OpenVPN Service
> should not even be running).

These are not the questions. The ability to access openvpn is not a
matter of openvpn, just one of the computer admin. And even if a user
has openvpn installed, a good conf must require a USER certificate or a
user/pass to allow him to connect to the vpn server. So it's not a
matter of openvpn either, but one of the openvpn admin.

> The certificate is authenticating the computer.

It's the actual openvpn feature. But many openvpn addicts would be very
pleased to make openvpn work like other commercial vpns, with USER
certificates.

Btw, MSDN cryptoapi docs don't talk about a way to get userspace certs
with SYSTEM rights. I think a way to solve this issue would be to make
openvpn deal with a userspace component which could get the
certificate and supply desired data to openvpn at tunnel startup. This
userspace component could be openvpn-gui or another program. I really
don't know if this kind of solution is technically possible. Only true
openvpn hackers could ;-)
Didier
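The store-scoping problem Didier describes above (a service running as SYSTEM sees SYSTEM's own "current user" store and the machine store, but not the logged-on user's certs) is easy to confirm on a test box. The script below is an added example written for this thread, not code from the thread, from OpenVPN or from the cryptoapi patch; it only assumes the .NET X509Store and WindowsIdentity classes that ship with Windows PowerShell. It reports which account it runs as and what each of the two stores contains, so running it once from an ordinary user session and once from a SYSTEM context (for example a scheduled task configured to run as SYSTEM) shows the two different views side by side.

```powershell
# Added example (not from the thread): report which certificate stores the
# current security context can see. "CurrentUser" always means the account
# the process runs as, so a service running as SYSTEM lists SYSTEM's own user
# store, not the interactive user's. Compare the output from a normal user
# session with the output from a SYSTEM context.

function Get-StoreSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [string]$StoreName = 'My'   # 'My' is the personal store, where client certs live
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    try {
        # ReadOnly: no side effects; OpenExistingOnly: fail instead of creating an empty store
        $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
                 [System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly
        $store.Open($flags)
        foreach ($cert in $store.Certificates) {
            [pscustomobject]@{
                Location      = $Location
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # A cert without a usable private key cannot authenticate a tunnel,
                # so this column is the one that matters for the service-wrapper design.
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    } catch {
        Write-Warning ("Cannot open {0}\{1}: {2}" -f $Location, $StoreName, $_.Exception.Message)
    } finally {
        $store.Close()
    }
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Running as: {0}" -f $identity.Name)

# The two stores discussed in the thread: the caller's own user store and the
# machine store, which any account on the box can open (subject to key ACLs).
$results = @()
$results += Get-StoreSummary -Location CurrentUser
$results += Get-StoreSummary -Location LocalMachine
$results | Format-Table -AutoSize
```

The useful comparison is the `Running as:` line against the `CurrentUser` rows: from the SYSTEM context the user's personal certs simply do not appear, which is the limitation the thread is working around. It also illustrates why the "userspace component" design Didier sketches keeps the private key where it is: a key that lives in the user's store (and may be marked non-exportable) is used by a process running as that user, and only the resulting handshake material, not the key, is handed to the service.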