I administer a network for a small company. Currently, every user has an OpenVPN key. I'm rebuilding a firewall, and it sort of struck me that having many keys could lead to a nefarious user stealing another's keys, and then, when the nefarious person leaves the company, they have a way to get in. So, instead of having this as a possible problem, why not just use one key for everyone? Then, when there's a turnover, revoke the key and distribute a new key.
Granted, this could be done with many keys and doesn't take a long time.
I work for a company that makes security software, and our chief scientist (who could talk your head off on security) doesn't see a problem with a single-key approach. A developer thinks that it's easier to track down who's hogging bandwidth with many keys.
Any thoughts on such a scheme?
Thanks,
Dave
One or many keys
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- janjust
- Forum Team
Re: One or many keys
I'd always go for many keys:
* You can always revoke a key when it's compromised.
* Keys should have a password associated with them.
* If your users give away their private key to co-workers, the key should be revoked anyway.
* Re-distributing a new key to all users can quickly become a hassle.
* As your techie pointed out, with many keys it is much easier to track who is doing what.
but with a single key + username/password authentication (which is a hassle for your users) you could achieve most of the above as well. Still, I'd always go for multiple keys.
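The per-user revocation that janjust's answer relies on is worth seeing end to end. The script below is an added example, not code from this thread, from OpenVPN or from easy-rsa: it builds a throwaway CA with plain openssl, issues one certificate per user with a passphrase-encrypted private key, revokes a single user, regenerates the CRL, and shows that only that user's certificate stops verifying. The CA name "example-ca", the user names and the passphrases are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread, OpenVPN or easy-rsa): one CA,
# one certificate per user, passphrase-protected user keys, and CRL-based
# revocation of a single user. "example-ca", the users and the passphrases
# are invented for the demo.
set -e

# setup_pki DIR USER... : build the CA in DIR, issue one cert per USER,
# and publish an (initially empty) CRL at DIR/crl.pem.
setup_pki() {
  dir=$1; shift
  mkdir -p "$dir"
  # Minimal openssl config; paths are absolute so the functions work from any cwd.
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
x509_extensions  = client_cert
[ policy_cn ]
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=example-ca" -days 365 2>/dev/null
  for user in "$@"; do
    # -passout encrypts the user's private key: a stolen key file alone is useless.
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 \
      -keyout "$dir/$user.key" -out "$dir/$user.csr" \
      -subj "/CN=$user" -passout "pass:$user-passphrase" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext \
      -in "$dir/$user.csr" -out "$dir/$user.crt" 2>/dev/null
  done
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# revoke_user DIR USER : mark USER's certificate revoked and republish DIR/crl.pem.
revoke_user() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# cert_status DIR USER : print "accepted" if USER's cert verifies against the
# CA with CRL checking (the check an OpenVPN server does with crl-verify),
# otherwise "rejected".
cert_status() {
  if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
       "$1/$2.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Stand-alone demo: two users, bob leaves, only bob's certificate stops working.
PKI=$(mktemp -d)
setup_pki "$PKI" alice bob
revoke_user "$PKI" bob
echo "alice: $(cert_status "$PKI" alice)"
echo "bob:   $(cert_status "$PKI" bob)"
```

On a real server the same CRL file is what the `crl-verify` directive points at, so revoking one leaver never touches the other users' keys; easy-rsa wraps these openssl steps in its `revoke` and `gen-crl` commands. The passphrase on each user key is the answer's second point: the key file alone does not get a thief in.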