Hi all,
One of the best ways to protect the private key (at the side of the user) is
using a smart card.
Unlocking access to it is normally done through the management interface,
with:
--management-hold
Start OpenVPN in a hibernating state, until a client of the management
interface explicitly starts it with the hold release command.
--management-query-passwords
Query management channel for private key password and --auth-user-pass
username/password. Only query the management channel for inputs which
ordinarily would have been queried from the console.
However, when you want to take security even a step further, one can opt for
using PIN-pad readers, so the PIN cannot be captured by keyloggers.
According to the man page, and countless reprints of JJK's (excellent!!) book, I
see:
The following directive tells OpenVPN to log in to the token before attempting
to retrieve any information from it:
pkcs11-cert-private 1
This will allow OpenVPN to use the certificate and corresponding private key in
a similar fashion to the "Using a hardware token" recipe.
Each hardware token and PKCS#11 module provider has different security
features, for example, PIN pads and biometric devices. OpenVPN can deal with a
variety of them using the following directives:
pkcs11-protected-authentication 1
pkcs11-private-mode <mask>
The first is used primarily for keypads and biometric devices. The second
contains <mask>, which is encoded as a hexadecimal number consisting of the
following:
0: try to determine automatically (this is the default)
1: use the sign operation on the card to access the private key
2: use the sign recover operation on the card to access the private key
4: use the decrypt operation on the card to access the private key
8: use the unwrap operation on the card to access the private key
This allows OpenVPN to access the private key when starting the SSL handshake
with the remote VPN endpoint. Each hardware token and/or PKCS#11 module provider
has its own setting.
I assume you need to drop the "management-query-passwords" in the config,
besides adding the "pkcs11-cert-private 1".
But is there anyone around who successfully has a working PIN-pad set-up?
With other Linux applications (CLI or GUI) it works, but until now not with
OpenVPN...
Anyone?
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
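For reference, the directives discussed in the post assembled into one client configuration. This is an added example, not configuration from the original post or from the OpenVPN project; the server name, the PKCS#11 module path and the pkcs11-id value are placeholders, and the two variants show the PIN travelling through the management channel versus staying on the reader's keypad.

```conf
# Added example: OpenVPN client using a smart card via PKCS#11.
# Placeholders: server name, module path, serialized object id.
client
dev tun
proto udp
remote vpn.example.com 1194                 # placeholder server
ca ca.crt
pkcs11-providers /usr/lib/opensc-pkcs11.so  # placeholder: your token's PKCS#11 module
pkcs11-id 'PLACEHOLDER-SERIALIZED-ID'       # list with: openvpn --show-pkcs11-ids <module>
pkcs11-cert-private 1                       # log in to the token before reading the cert

# Variant A: PIN is typed into software and handed over the management channel.
# The PIN passes through the host, so a keylogger on the host could capture it.
management 127.0.0.1 7505
management-hold
management-query-passwords

# Variant B (PIN-pad reader): PIN is entered on the reader's own keypad.
# Uncomment these and remove management-query-passwords above, as the post
# suggests; management-hold can stay so the client waits for "hold release".
#pkcs11-protected-authentication 1
#pkcs11-private-mode 0   # 0 auto; 1 sign, 2 sign-recover, 4 decrypt, 8 unwrap (hex mask)
```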