On Sun, 4 Feb 2024 15:38:41 +0100, Gert Doering <g...@greenie.muc.de> wrote:
>Hi,
>
>On Sun, Feb 04, 2024 at 02:17:35PM +0100, Bo Berglund wrote:
>> 2) But if you have actually taken the advice then making a user unable to
>> connect is very simple to manage by NOT revoking any key:
>> Just create a file with the Common Name of that user in the ccd directory on
>> the server and write the single word "disable" into that file.
>
>This is actually doing something subtly different.
>
>- revoking the key means "this key will no longer work, another key with
>  the same CN (and/or same username/password) *will* work"
>
>- blocking by CCD/disable means "this common name will no longer work, no
>  matter which key is used".
>
>The first one would be appropriate in case a device with a key on it is
>lost / stolen - block this key, do not block anything else this user might
>have. The second case is "get rid of all this user might have had issued
>to his name".
>
>> So my take is: DO NOT USE revoking of keys to lock out users!
>
>Use the right solution for the right purpose :-)
>
>(One of my customers locks out users by means of an LDAP check in
>client-connect... so if AD has the "this account is disabled!" bit
>set, client-connect will fail, disallowing connect... but to make
>this work well, async/deferred CC needs to be used, which is a bit
>more complex to set up)
>
>gert

You are right about different use cases, but I wanted to share my panic-stricken experience when trying to block an ex-employee with the key revoke method, not understanding that that system relies on a constant server-side refresh and that, failing that, ALL(!!!***) connections to the server would fail, not just the revoked one...

It took a week after revoking him until I could no longer access the site myself (I live about 6000 km away from the site and rely on OpenVPN for access). After finding out the probable cause I could use the maintenance OVPN server I had set up to allow access into the LAN and to the main OVPN server command line there so I could fix it.
That back door runs on a separate RaspberryPi device intended to allow maintenance of the VMWare infrastructure running all the company servers, including the vpn server. There is only one login to that RPi-OVPN...

-- 
Bo Berglund
Developer in Sweden
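The two lock-out mechanisms compared in this thread each leave server-side state that an administrator can check: the CRL handed to `crl-verify` has a `nextUpdate` date after which OpenVPN refuses every client (the failure mode described above), and a `ccd` file containing the word `disable` blocks one common name regardless of key. The following is an added example, not code from the thread or from the OpenVPN project; it parses the `nextUpdate=` line printed by `openssl crl -in crl.pem -noout -nextupdate` (a constructed sample line is embedded) and lists disabled common names in a constructed temporary `ccd` directory. The function names, the sample date and the sample client names are this example's own.

```python
"""Added example: two defender-side checks for the OpenVPN lock-out
mechanisms discussed in the thread (CRL expiry and ccd "disable" files).
Sample CRL line, sample ccd entries and the reference clock are constructed.
"""
from __future__ import annotations

import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample of what `openssl crl -noout -nextupdate` prints.
SAMPLE_NEXTUPDATE_LINE = "nextUpdate=Feb 11 14:38:41 2024 GMT"


def sample_now(offset_days: int = 0) -> datetime:
    """Constructed reference clock (UTC) for the demonstration, shifted by offset_days."""
    return datetime(2024, 2, 4, 14, 38, 41, tzinfo=timezone.utc) + timedelta(days=offset_days)


def parse_nextupdate(line: str) -> datetime:
    """Parse an OpenSSL `nextUpdate=...` line into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate":
        raise ValueError(f"unexpected line: {line!r}")
    # OpenSSL pads single-digit days with a space ("Feb  4 ..."); collapse it.
    value = " ".join(value.split())
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_crl_expiry(line: str, now: datetime, warn_days: int = 7) -> dict:
    """Classify the CRL as expired / expiring / ok relative to `now`.

    Once the CRL is past nextUpdate, OpenVPN rejects all clients, not only
    the revoked ones, so "expired" is an outage condition, not a warning.
    """
    next_update = parse_nextupdate(line)
    remaining = next_update - now
    days = remaining.total_seconds() / 86400
    if remaining <= timedelta(0):
        state = "expired"
    elif days <= warn_days:
        state = "expiring"
    else:
        state = "ok"
    return {"state": state, "days_remaining": days, "next_update": next_update}


def disabled_common_names(ccd_dir: str | os.PathLike) -> list[str]:
    """Return the common names whose ccd file contains a `disable` directive."""
    disabled = []
    for entry in sorted(Path(ccd_dir).iterdir()):
        if not entry.is_file():
            continue
        directives = [
            ln.strip() for ln in entry.read_text().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
        ]
        if any(d.split()[0] == "disable" for d in directives):
            disabled.append(entry.name)
    return disabled


def build_sample_ccd() -> str:
    """Create a constructed ccd directory (temporary) and return its path."""
    d = tempfile.mkdtemp(prefix="ccd-")
    Path(d, "alice").write_text("ifconfig-push 10.8.0.10 255.255.255.0\n")
    Path(d, "ex-employee").write_text("disable\n")   # blocked whatever key is used
    Path(d, "bob").write_text("# nothing special\n")
    return d


if __name__ == "__main__":
    print(check_crl_expiry(SAMPLE_NEXTUPDATE_LINE, sample_now()))
    print("disabled:", disabled_common_names(build_sample_ccd()))
```

Running the CRL check from cron against the real CRL output (or a regular `easyrsa gen-crl` plus copy to the server) is the operational point: the revoked key is only one of the things the CRL governs, so its expiry date needs the same monitoring as a certificate's.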