On Thursday, 15 June 2017 12:42:53 AM AEST Selva Nair wrote:
> On Wed, Jun 14, 2017 at 9:32 AM, Steven Haigh <net...@crc.id.au> wrote:
> > script-security 2
> > client-connect /etc/openvpn/yubikey-auth-tokens
> > auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
> > client-cert-not-required
> > username-as-common-name
>
> Why the last two entries? client-cert-not-required is not something one
> should encourage users to do. Apart from that, yubikey verification may have
> to be done asynchronously (using deferred auth), else connections to all
> clients will stall during each verification, which may take some time.
In my setup, I use username + OTP. I don't provide a client cert to each client.

I wonder if I could use $ENV{'username'} in client-connect instead to make this a little more consistent. This would remove the need for 'username-as-common-name' to be set.

How would a client cert as well as username/OTP affect this flow? Is that expected to be verified by client-connect or another script? Or is the cert validation done elsewhere - by openvpn in this case, I guess?

(apologies, mail client fat finger - I sent this reply to openvpn-users first time around!)

--
Steven Haigh
📧 net...@crc.id.au
💻 http://www.crc.id.au
📞 +61 (3) 9001 6090
📱 0412 935 897
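The via-file setup Steven posted and the deferred-auth point Selva raises, as an added example that is not the thread's script: a hook for `auth-user-pass-verify <script> via-file` that reads the two-line credential file, checks the OTP against a constructed username-to-public-id table, and uses OpenVPN's `auth_control_file` contract so the daemon does not stall on slow verifications. The token table is a constructed sample and the actual Yubikey validation call is left as a placeholder; `script_type` and `auth_control_file` are the environment variables OpenVPN sets for this hook.

```shell
#!/bin/sh
# Added example, not the script from the thread: an OpenVPN hook for
# "auth-user-pass-verify <script> via-file" showing the deferred-auth
# contract. The token table is a constructed sample and the Yubikey
# validation step is a placeholder (no network call is made).

# Constructed sample: "<username> <yubikey public id>", the public id being
# the first 12 modhex characters of every OTP that key emits.
TOKENS="alice ccccccbcgujh
bob cccccccdhhhj"

# A Yubikey OTP is 44 characters from the modhex alphabet cbdefghijklnrtuv.
otp_is_wellformed() {
    case "$1" in *[!cbdefghijklnrtuv]*|'') return 1 ;; esac
    [ "${#1}" -eq 44 ]
}

# Reject an OTP whose public id is not enrolled for this username, so a
# valid OTP from another key cannot be presented under a different name.
public_id_matches() {
    pub=$(printf '%s' "$2" | cut -c1-12)
    printf '%s\n' "$TOKENS" | grep -qxF "$1 $pub"
}

# via-file: OpenVPN writes the username on line 1 and the password on
# line 2 of the temporary file passed as $1. Returns 0 accept, 1 reject.
# PLACEHOLDER: a real script would also submit the OTP to a validation
# server here; that round trip is why deferred auth matters.
verify_via_file() {
    user=$(sed -n 1p "$1"); otp=$(sed -n 2p "$1")
    otp_is_wellformed "$otp" && public_id_matches "$user" "$otp"
}

# Deferred auth: when OpenVPN sets auth_control_file, run the (slow)
# verification in the background, write 1 or 0 there, and return 2 so the
# daemon keeps serving other clients meanwhile. Without it, fall back to
# the synchronous exit code (0 accept, 1 reject).
auth_user_pass_verify() {
    if [ -n "${auth_control_file:-}" ]; then
        ( if verify_via_file "$1"; then echo 1; else echo 0; fi > "$auth_control_file" ) &
        return 2
    fi
    verify_via_file "$1"
}

# Entry point when OpenVPN invokes the script (script_type is set by OpenVPN).
if [ "${script_type:-}" = "auth-user-pass-verify" ] && [ -n "${1:-}" ]; then
    auth_user_pass_verify "$1"; exit $?
fi
```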
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel