[geeks] VPN Help needed...

Jochen Kunz jkunz at unixag-kl.fh-kl.de
Fri Jan 4 03:43:41 CST 2008


On Thu, 3 Jan 2008 21:35:12 +0200
"Geoffrey S. Mendelson" <gsm at mendelson.com> wrote:

> If he did, he could just use an HTTPS server with authentication and
> have the user's browser "remember" the username and password.
>
> The VPN or SSH solution has the attraction of using key authentication
> instead of password authentication, which does not require any user
> entry and is much more secure, especially if the passwords have to be
> handed out to or picked by users.

You can do X.509 certificate based client authentication with SSL/TLS /
HTTPS. You have to set up the webserver to request a client certificate
during the SSL/TLS handshake and fail if it doesn't get a valid
certificate. Apache can do this and I implemented the functionality for
thttpd. On the client side you have to feed a client certificate +
private key (and probably a CA certificate if you are using your own,
private CA) into the browser, that's all. The browser can select the
correct client certificate automatically based on the server
certificate. So this is transparent for the user after he has installed
his certificate once. Back when I did that work on thttpd I used only
Mozilla/Linux. I never use IE, but it should be able to handle client
certificates as well.

With X.509 client certificates you get pretty much the same security as
with SSH keys. But you have to expose the HTTPS port of the internal
server to the "cloud".
--


Bye,
       Jochen

Homepage: http://www.unixag-kl.fh-kl.de/~jkunz/
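The setup Jochen describes (a web server that requests a client certificate during the TLS handshake and refuses any connection that does not present one issued by the private CA) as an added, self-contained Go example; it is not code from this thread, from Apache or from thttpd. It generates a private CA, a server certificate and two client certificates in memory, starts a TLS server with the equivalent of Apache's `SSLVerifyClient require` / `SSLCACertificateFile` (real mod_ssl directives), and shows the legitimate user admitted while a client with no certificate and a client whose certificate comes from an unrelated CA are both turned away. The user names `alice` and `stranger` and the `X-User` response header are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a P-256 key and a certificate for cn: self-signed when parent is nil
// (our private CA), otherwise signed by parent, as the CA does for server and users.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN the test server is reached at
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}
type Result struct {
	AuthenticatedCN   string // subject CN the server saw for the valid client cert
	RejectedNoCert    bool   // a client presenting no certificate was turned away
	RejectedForeignCA bool   // a client cert from an unrelated CA was turned away
}
// Run builds a private CA, a server that requires client certs issued by it, and three clients.
func Run() Result {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca := issue("Private CA", true, nil, nil)
	server := issue("127.0.0.1", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	alice := issue("alice", false, clientAuth, &ca) // constructed user of the internal server
	otherCA := issue("Other CA", true, nil, nil)   // an unrelated CA
	stranger := issue("stranger", false, clientAuth, &otherCA)
	// The private CA's cert: Apache's SSLCACertificateFile on the server, trusted by the browser.
	caPool := x509.NewCertPool()
	caPool.AddCert(ca.Leaf)
	// Server side: the equivalent of Apache's SSLVerifyClient require. The handshake has
	// already verified the chain, so the handler can use the subject CN as the username.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-User", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
	}
	srv.StartTLS()
	defer srv.Close()
	// Client side: like a browser with an installed cert, offer it when the server asks.
	get := func(client *tls.Certificate) (string, error) {
		cfg := &tls.Config{RootCAs: caPool}
		if client != nil {
			cfg.Certificates = []tls.Certificate{*client}
		}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return "", err
		}
		resp.Body.Close()
		return resp.Header.Get("X-User"), nil
	}
	res := Result{AuthenticatedCN: must(get(&alice))} // the legitimate user gets in
	_, err := get(nil)
	res.RejectedNoCert = err != nil
	// stranger's cert does not chain to the private CA; Go's client will not even offer it.
	_, err = get(&stranger)
	res.RejectedForeignCA = err != nil
	return res
}
func main() {
	fmt.Printf("%+v\n", Run())
}
```

`go run` prints the three outcomes. Two points carry over to a real deployment: the handler must only trust the certificate subject because the TLS layer has already verified the chain against the private CA (with `ClientAuth` set to anything weaker, `r.TLS.PeerCertificates` may be empty or unverified), and the user's private key never leaves the client; the usual way to hand "certificate + private key" to a browser, as the post describes, is a PKCS#12 bundle produced with `openssl pkcs12 -export`.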
