On Sun, 04 Feb 2024 10:31:20 +0000, Peter Davis via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:

>Hello,
>I want to revoke a user's key and I have a few questions:
>1- If I revoke a key and create a new key with the same name as before,
>can the previous user connect to the server?

In what way is he "previous" if all you have done is revoking his key?


>2- If I use the ./revoke-full "Client_Name" command to revoke a key, 
>do I need to add a line to the server configuration file? For example,
>something like "crl-verify crl.pem".
>

As I have written on this topic previously in one of your numerous threads here:

1) You need to issue the users with their own login, which is NOT shared
with anyone else and which uses a distinctly unique Common Name for the client.
You seem to not want to use this approach and then you have lost all of your
ability to control access based on user.

2) But if you have actually taken the advice then making a user unable to
connect is very simple to manage by NOT revoking any key:
Just create a file with the Common Name of that user in the ccd directory on
the server and write the single word "disable" into that file.

Now you have a means to disable individual clients from connecting and if you
want to re-admit them you just remove that file or comment out the disable line
in it.

And now the case with the revoke not being updated in time and then shutting
down the *whole* openvpn server connectivity will not happen.
I switched to the ccd method just because I was hit with the revoke problem and
was locked out of the system as a result.
*ALL* users will be disallowed if the revoke system is not doing updates
properly (weekly in my case).
Luckily I had a separate backdoor OVPN server available to get back in and
solve the problem.

So my take is: DO NOT USE revoking of keys to lock out users!


-- 
Bo Berglund
Developer in Sweden
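The per-client "disable" approach described in the reply above, as an added example that is not part of the original post or of OpenVPN itself. It assumes the server config carries a `client-config-dir` line pointing at the directory held in `OPENVPN_CCD` (default `/etc/openvpn/ccd`, an assumption), that the per-client files are named after the certificate Common Name, and that `openssl` is on the path for the CRL check. The `disable` directive inside a ccd file is a real OpenVPN option; the CN character whitelist below is an assumption chosen to match the characters OpenVPN keeps when it builds the ccd file name, and it also blocks path traversal through a crafted CN.

```shell
#!/bin/sh
# Added example: manage per-client "disable" files in an OpenVPN
# client-config-dir (ccd). Not code from the original post.
# Assumption: OPENVPN_CCD is the directory named by "client-config-dir"
# in the server config; the file name is the client certificate CN.
OPENVPN_CCD="${OPENVPN_CCD:-/etc/openvpn/ccd}"

# valid_cn CN: reject empty names, path separators and "."/"..", and
# allow only [A-Za-z0-9_.@-] (assumed to match OpenVPN's own sanitising
# of the CN used for the ccd file name). Prevents "../server.conf" tricks.
valid_cn() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.@-]+$'
}

# disable_client CN: append the "disable" directive to ccd/CN.
# Any existing per-client directives (ifconfig-push, push ...) are kept,
# so re-enabling later restores the client's previous settings.
disable_client() {
    valid_cn "$1" || { echo "bad CN: $1" >&2; return 2; }
    f="$OPENVPN_CCD/$1"
    mkdir -p "$OPENVPN_CCD"
    grep -qs '^disable$' "$f" && return 0   # already disabled, idempotent
    printf 'disable\n' >> "$f"
}

# enable_client CN: drop the directive; remove the file if nothing is left.
enable_client() {
    valid_cn "$1" || { echo "bad CN: $1" >&2; return 2; }
    f="$OPENVPN_CCD/$1"
    [ -f "$f" ] || return 0
    grep -v '^disable$' "$f" > "$f.tmp" || true   # grep -v returns 1 on empty output
    mv "$f.tmp" "$f"
    [ -s "$f" ] || rm -f "$f"
}

# client_status CN: prints "disabled" (returns 1) or "enabled" (returns 0).
client_status() {
    valid_cn "$1" || { echo "bad CN: $1" >&2; return 2; }
    if grep -qs '^disable$' "$OPENVPN_CCD/$1"; then
        echo disabled; return 1
    fi
    echo enabled; return 0
}

# check_server_conf FILE: a ccd file is ignored unless the server config
# actually points at the directory, so verify "client-config-dir" is set.
check_server_conf() {
    grep -Eq '^[[:space:]]*client-config-dir[[:space:]]+' "$1"
}

# crl_next_update CRL: the failure mode the reply describes is a CRL that
# is not regenerated before its nextUpdate; once that date passes, OpenVPN
# rejects every client. Print the date so it can be monitored.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}
```

Usage: `OPENVPN_CCD=/etc/openvpn/ccd disable_client alice` locks one user out without touching the PKI, `enable_client alice` re-admits her, and `check_server_conf /etc/openvpn/server.conf` confirms the directory is wired up. If `crl-verify` is in use anyway, put `crl_next_update /etc/openvpn/crl.pem` in a cron job and alert well before that date.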



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
