Well... you keep saying that you know what you are doing... So please explain to me....
1. What happens if no card is inserted at startup?
2. What happens if the card is removed?
3. What happens if the card is removed and inserted?
4. What happens if the wrong card is inserted?

Smartcards are dynamic in nature, and in order to automate this, you must really know what you are doing. Simply specifying a static PIN is really not enough. So if you really know what you are doing, the management API is the place to automate the process. You can read the token name and decide which PIN to use; you can also deal with token removal and insertion. I don't have a clue why you use netcat and not the perl script I offered... But I am sure that if you know what you are doing you can solve this issue.

Replacing GINA seems like a good idea, but this is not the right way to go... If you wish to contribute to other users, a RAS provider for OpenVPN is a solution that all Windows users are waiting for... RAS is the standard way to look at OpenVPN, so you "dial" during logon.

Best Regards,
Alon Bar-Lev.

On 6/8/07, Richard Hartmann <richih.nos...@googlemail.com> wrote:
> Hi Alon,
>
> > This is not wise in terms of security.
>
> This depends on the use case and the requirements. If there were a way to have the user enter their PIN before logging into Windows, I would gladly use that. Furthermore, the method I described is still more secure than any solution based on certificates and keys which are stored on the hard drive. With a token, the cert/key exist exactly _once_. Both a keylogger and a trojan would be useless against my setup. The _only_ attack vector involves physical access to the token. If someone steals the token, the end user will not be able to log in and will complain to IT. Thus, any stolen certificate can be disabled within days, if not hours. In the classic case, there is no way to be certain if your locally stored certificate and key along with the passphrases are in the hands of others.
>
> > So I am sorry, but I don't think this should be supported.
>
> If you look at --askpass via file, you can see how this problem can be solved: Offer it to people who pass the test of being able to compile OpenVPN. They either know what they do or they really do not deserve otherwise.
>
> > Especially when you can achieve the same via the management interface.
>
> If by management interface you mean the netcat hack I am using, this does not work as desired, yet. While I can flawlessly start my batch files on a running Windows system and connect automagically, every attempt to make this work as a Windows system service failed with a timeout on the server's side. I can only presume that the netcat trick is not working, for some reason. If you can give me any insights on how to avoid that (or how to pass the PIN as a remote connection password, as I am thinking about replacing the system service with a remote connection, which plays nicely with Windows' GINA), I would be honestly thankful to hear about this, though.
> Best regards,
> Richard

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
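As an added illustration of the management-interface approach Alon describes above (not code from this thread or from OpenVPN itself), here is a small Python handler that answers OpenVPN's PIN prompt only when the announced token label is one it knows, so an unknown or wrong card gets no PIN at all. It assumes OpenVPN runs with --management and --management-query-passwords (plus --management-hold for the hold line), and that the PKCS#11 prompt name has the form '<token label> token', which is my recollection of OpenVPN's pkcs11 code rather than something stated in the thread; the token label and PIN are constructed values.

```python
import re
from typing import Optional

# Constructed example table: token label -> PIN (hypothetical values).
# In a real deployment the PINs would live in a protected store, not in source.
TOKEN_PINS = {"Corp Token": "123456"}

# With --management-query-passwords, OpenVPN asks for a credential with
#   >PASSWORD:Need '<name>' password
# and for a PKCS#11 token the name is assumed to be "<token label> token".
_NEED_RE = re.compile(r"^>PASSWORD:Need '(?P<name>[^']+)' password")
_TOKEN_SUFFIX = " token"


def parse_password_request(line: str) -> Optional[str]:
    """Return the token label if the line asks for a PKCS#11 token PIN, else None."""
    m = _NEED_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    if not name.endswith(_TOKEN_SUFFIX):
        return None  # some other credential ('Auth', 'Private Key'), not a token PIN
    return name[: -len(_TOKEN_SUFFIX)]


def _quote(value: str) -> str:
    """Escape backslash and double quote as the management interface expects."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_pin_reply(label: str, pins=TOKEN_PINS) -> Optional[str]:
    """Management command answering the PIN prompt, or None if the card is unknown."""
    pin = pins.get(label)
    if pin is None:
        return None  # wrong or unknown card: send nothing rather than a guessed PIN
    return "password " + _quote(label + _TOKEN_SUFFIX) + " " + _quote(pin)


def handle_management_line(line: str, pins=TOKEN_PINS) -> Optional[str]:
    """Map one line from OpenVPN's management channel to the command to send back."""
    if line.startswith(">HOLD:"):
        return "hold release"  # --management-hold: let OpenVPN proceed once we are attached
    label = parse_password_request(line)
    if label is None:
        return None  # >INFO, >LOG, >STATE etc. need no answer here
    return build_pin_reply(label, pins)
```

Feeding each line read from the management socket through handle_management_line and writing back whatever it returns replaces the netcat-plus-static-PIN approach with one that knows which card it is talking to.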