Can clients be made to prompt for passwords when the connect

Todd
OpenVPN User
Posts: 11
Joined: Sat Sep 14, 2013 9:09 pm

Post by Todd » Wed Sep 18, 2013 5:48 pm

Hi All,

I have several servers set up out there that don't require a password to log into. My concern is that someone could physically break into one of the client machines and use the tunnel to break into the servers.

Can clients be made to prompt for passwords when they connect? Can someone point me to a How To for doing this with both Windows and Linux?

Many thanks,
-T

raptorjp
OpenVPN User
Posts: 31
Joined: Sun Sep 08, 2013 8:05 pm

Re: Can clients be made to prompt for passwords when the con

Post by raptorjp » Thu Sep 19, 2013 3:47 am

When you set up your client certificates (e.g., using easy-rsa: build-key client-common-name) you are prompted to provide a challenge password. This will require the client to submit a password in addition to their certificate to connect to your openvpn server.

If you already issued client certificates, you can go to the client machines, and if they are running Windows (OpenVPN GUI) they can right-click on the tray icon, select the configuration and choose "change password". You can add a password to encrypt the key file.
If you are on Linux, you can use openssl:
openssl rsa -aes256 -in client.key -out client.key
If I recall, this should ask you for a password (to either change or add).
If you have the openssl.exe binary in your program files/openvpn/bin folder, you can also do this in Windows.
Note that if you do this on your copy of your clients' keys, you would need to redistribute the encrypted keys to your clients.

A further option is to call a script on the server when a client tries to connect, which can be used to further verify the client. See "Using alternative authentication methods" in the howto:
http://openvpn.net/index.php/open-sourc ... howto.html
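
The check below is an added example, not part of the original posts: it reports whether a client private key, either a standalone file or an inline `<key>` block in an .ovpn profile, is stored passphrase-encrypted, which is the condition under which the OpenVPN client asks for a password at connect time. The function names `key_status` and `audit_keys` are hypothetical, and the sample files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: classify OpenVPN client key material by its PEM headers.
# Prints one of: encrypted | plaintext | nokey

key_status() {
    awk '
        # PKCS#8 encrypted container
        /-----BEGIN ENCRYPTED PRIVATE KEY-----/ { blocks++; enc++; next }
        # Any other private key block (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY)
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/    { blocks++; inkey = 1; next }
        # Traditional PEM marks encryption with a Proc-Type header inside the block
        inkey && /^[ \t]*Proc-Type: 4,ENCRYPTED/ { enc++; inkey = 0 }
        /-----END [A-Z ]*PRIVATE KEY-----/      { inkey = 0 }
        END {
            if (blocks == 0)        print "nokey"
            else if (enc == blocks) print "encrypted"
            else                    print "plaintext"   # at least one block is unprotected
        }' "$1"
}

# Print status for each file; return 1 if any file holds a plaintext key.
audit_keys() {
    rc=0
    for f in "$@"; do
        s=$(key_status "$f")
        printf '%s\t%s\n' "$s" "$f"
        if [ "$s" = plaintext ]; then rc=1; fi
    done
    return $rc
}

# Demo on constructed samples (placeholder bodies, not real keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo_dir/plain.key"
printf '%s\n' 'client' '<key>' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,00' '' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' '</key>' > "$demo_dir/laptop.ovpn"
audit_keys "$demo_dir"/* || echo "at least one key is stored without a passphrase"
rm -rf "$demo_dir"
```
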

bezunartea
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 27, 2019 2:13 pm

Re: Can clients be made to prompt for passwords when the connect

Post by bezunartea » Fri Nov 08, 2019 3:26 pm

I'm afraid @raptorjp response is not correct. According to this RFC: https://tools.ietf.org/html/rfc2985#page-16
5.4 Attribute types for use with PKCS #10 certificate requests

5.4.1 Challenge password

The challengePassword attribute type specifies a password by which an
entity may request certificate revocation. The interpretation of
challenge passwords is intended to be specified by certificate
issuers etc; no particular interpretation is required.
The challenge password thus has nothing to do with authentication but rather with revocation.

I have been misled by this post when searching for the same thing as @Todd. Still looking...

TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can clients be made to prompt for passwords when the connect

Post by TinCanTech » Fri Nov 08, 2019 4:04 pm

bezunartea wrote (Fri Nov 08, 2019 3:26 pm): "I'm afraid @raptorjp response is not correct"

raptorjp's response is correct.

The RFC you quoted is 19 years old.

300000
OpenVPN Power User
Posts: 57
Joined: Tue May 01, 2012 9:30 pm

Re: Can clients be made to prompt for passwords when the connect

Post by 300000 » Sat Nov 09, 2019 8:19 am

If you want a password prompt for the certificate, follow the tutorial, but if you want a prompt for password and username, you need this in your config:
auth-user-pass
auth-retry interact

You must set up the password and username at your server. There are differences between Windows and Linux, so find out yourself how to do it.