Hi,
I am running an Endian Firewall which includes an OpenVPN Server. Authentication is set to PSK (username/password).
Is it possible to change a user's password with the client software?
Trying to click the "change password" option in the client GUI gets me this message:
"Your config file does not contain any "key" or "pkcs12" option."
Thanks a lot in advance...
manu26
How to change users' passwords in the client?
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Nov 02, 2010 9:39 am
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: How to change users' passwords in the client?
manu26 wrote:
> Hi,
> I am running an Endian Firewall which includes an OpenVPN Server. Authentication is set to PSK (username/password).
> Is it possible to change a user's password with the client software?
no
> Trying to click the "change password" option in the client GUI gets me this message:
> "Your config file does not contain any "key" or "pkcs12" option."
this is because the password change option is for the passphrase on the key for your cert file. for password auth, you would need to change the password from your server.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Nov 02, 2010 9:39 am
Re: How to change users' passwords in the client?
That's what I thought. Thank you very much for your explanation.
I guess it's even better to set the passwords for the users and not let them choose them on their own... There's always someone who will set his password to 123456 or something else...
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: How to change users' passwords in the client?
Beware - you might think it is that easy to prevent users from changing passwords. It might or might not be true, depending completely on what we're talking about.
** SSL key password or PKCS#12 passwords
These passwords can be changed easily, at least via the openssl command line tool. Also on Windows. I thought OpenVPN GUI supported changing both these passwords. And it is not possible to force a certain password policy on these files. If you don't have any key file or pkcs12, then there's no password to change. This kind of password is only used locally and has nothing to do with a proper authentication of the client. The authentication in OpenVPN is based upon the certificate file used.
** Username/password authentication
If you're using --auth-user-pass in the client config and have enabled user/password authentication on the server, it is not possible to change this password via the OpenVPN client. This needs to be done via a separate channel, depending on what the OpenVPN plug-in providing this authentication supports. This way it is also possible to enforce a centrally defined password policy.
The highest form of security can be achieved by using both pkcs12 or SSL key passwords together with username/password authentication. And there are of course a lot of different options here as well, combining this with hardware tokens for storing certificates and keys in addition to password tokens (e.g. RSA key rings). It all depends on how paranoid you are
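The key-passphrase case from the reply above, as an added example that is not part of the original thread or of OpenVPN: it changes the passphrase on a throwaway private key with the openssl command line tool and checks that the public key, and therefore the certificate binding, is unchanged. The file names, passphrases and function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. File names and passphrases are constructed for the demo.
# "pass:" arguments are visible in the process list; in real use omit
# -passin/-passout so openssl prompts on the terminal instead.

# change_key_passphrase IN OUT OLD NEW
# Decrypt the private key in IN with OLD, write it to OUT encrypted under NEW.
# IN and OUT must be different files so a failure cannot destroy the only copy.
change_key_passphrase() {
    openssl pkey -in "$1" -passin "pass:$3" \
        -aes-256-cbc -passout "pass:$4" -out "$2" 2>/dev/null
}

# key_opens FILE PASS: exit status 0 only if PASS decrypts the key.
key_opens() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# pubkey_digest FILE PASS: SHA-256 over the public key, i.e. the key identity
# that the client certificate is bound to.
pubkey_digest() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Runs in a subshell: generate a throwaway key, change its passphrase, report.
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
        -pass pass:old-demo-pass -out "$dir/client.key" 2>/dev/null || exit 1
    change_key_passphrase "$dir/client.key" "$dir/client.new.key" \
        old-demo-pass new-demo-pass || exit 1
    key_opens "$dir/client.new.key" new-demo-pass && echo "new passphrase accepted"
    key_opens "$dir/client.new.key" old-demo-pass || echo "old passphrase rejected"
    [ "$(pubkey_digest "$dir/client.key" old-demo-pass)" = \
      "$(pubkey_digest "$dir/client.new.key" new-demo-pass)" ] &&
        echo "public key unchanged: the certificate still matches"
)
demo
```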
