
Subject: Re: Pass{word,phrase} Authentication for CIPE?
From: David Sainty <dsainty,AT,redhat,DOT,com>
Date: Sun, 31 Dec 2000 14:56:30 +0100
In-reply-to: <3A4E8835.BEEC4D4@trimble.co.nz>

It certainly doesn't sound stupid! :-) This is exactly the "work around"
that I was thinking of implementing myself, however I wanted to see what
other ideas people already had. It certainly achieves the given aim, and
is quite straightforward both in its approach, and the interface
presented to the end user.

It seems a bit of a pity that there is not a "stronger relationship"
between the CIPE (or IPsec!) key system and this password auth system,
although it is also a good thing because it is a generic solution
applicable to both CIPE and IPsec, and for the client it is both platform
and vendor independent.

<thinking> We could actually wrap this up as a separate package, that
could layer on top of CIPE (or IPsec) and Apache..........

David S..

On Sun, 31 Dec 2000, Jason Haar wrote:

> David Sainty wrote:
> > 
> > A quick question....
> > 
> > Are there any thoughts on the possibility of adding password or passphrase
> > style authentication capability to CIPE? i.e. we do not assume that both
> > CIPE end-points can be trusted. An example scenario: one end-point is a
> > notebook (with a CIPE key) that has been stolen.
> > 
> From what I've seen of other commercial VPN "Road Warrior" software, all
> such solutions are proprietary.
> I want to do what you ask, and the idea I've come up with is this.
> * Use CIPE (also applies to FreeSWAN/etc) with preshared keys.
> * This will ONLY get you a tunnel between the client and the VPN server.
>   The VPN server has default ipchains that block all forwarding/whatever -
>   hence stopping it from being a VPN router.
> * The client must then attach to the VPN server via a Web browser (SSL
>   not required as you're now talking to it via VPN) and authenticate with a
>   usercode/password CGI script. This (ahem) setuid root script would upon
>   correct authentication set ipchain rules that would allow that IP address
>   to route via the VPN server back onto your LAN/whatever.
> The benefit of such a scheme is that you control the backend CGI script.
> It could be anything - NT auth/LDAP/SecurID tokens/whatever. You could also
> set up timeouts so that such links were only valid for n hours, etc, etc, etc.
> How's that sound? Stupid? :-)
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: 
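
The access-control logic of the scheme Jason describes (tunnel up with preshared keys, forwarding denied by default, a per-client allow rule installed after web authentication, and a timeout that takes it away again), written out below as an added example. This is not code from the list, from CIPE or from FreeSWAN. It assumes a hypothetical tunnel address range of 10.8.0.0/24 and ipchains command lines of the form shown; the function that applies a rule is pluggable, so the session and expiry logic can be exercised in a dry run without touching a real firewall.

```python
"""Session-gated VPN forwarding, modelled on the scheme from the thread.

Added example. Assumptions: tunnel peers are addressed out of 10.8.0.0/24
(hypothetical), and rules are applied with the ipchains command lines below.
"""
import ipaddress
import subprocess
import time

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed tunnel address range
MAX_TTL = 8 * 3600                                 # hard upper bound on a session, seconds


def base_policy():
    """Rules installed at boot: nothing is forwarded until a client authenticates."""
    return [
        ["ipchains", "-P", "forward", "DENY"],
        ["ipchains", "-F", "forward"],
    ]


def allow_rule(ip):
    """Forward-chain rule admitting traffic from one authenticated tunnel address."""
    return ["ipchains", "-A", "forward", "-s", f"{ip}/32", "-j", "ACCEPT"]


def delete_rule(ip):
    """The matching deletion, used on logout or expiry."""
    return ["ipchains", "-D", "forward", "-s", f"{ip}/32", "-j", "ACCEPT"]


class VpnGate:
    """Tracks which tunnel addresses may currently route, and until when."""

    def __init__(self, run=None, now=time.time):
        # `run` applies one command line; the default really executes it.
        self._run = run or (lambda argv: subprocess.run(argv, check=True))
        self._now = now
        self.sessions = {}  # ip -> expiry (epoch seconds)

    def grant(self, remote_addr, ttl):
        """Open forwarding for `remote_addr` after a successful login."""
        ip = ipaddress.ip_address(remote_addr)
        # Only an address inside the tunnel range is eligible: anything else did
        # not arrive over the key-authenticated tunnel and must not be admitted.
        if ip not in TUNNEL_NET:
            raise ValueError(f"{ip} is not a tunnel address")
        if ttl <= 0:
            raise ValueError("ttl must be positive")
        ttl = min(ttl, MAX_TTL)
        if ip not in self.sessions:          # install the rule once, not per login
            self._run(allow_rule(ip))
        self.sessions[ip] = self._now() + ttl
        return self.sessions[ip]

    def revoke(self, remote_addr):
        """Close forwarding for one address; returns False if it had no session."""
        ip = ipaddress.ip_address(remote_addr)
        if ip not in self.sessions:
            return False
        self._run(delete_rule(ip))
        del self.sessions[ip]
        return True

    def expire(self):
        """Run periodically (e.g. from cron): drop every session past its expiry."""
        now = self._now()
        expired = [ip for ip, until in self.sessions.items() if until <= now]
        for ip in expired:
            self.revoke(str(ip))
        return [str(ip) for ip in expired]


def handle_login(gate, environ, form, check_credentials, ttl=3600):
    """The CGI entry point: verify the user, then open the caller's tunnel address."""
    if not check_credentials(form.get("user", ""), form.get("password", "")):
        return "403 Forbidden"
    # REMOTE_ADDR is usable here because the web server is reached only over the
    # tunnel; the tunnel key already authenticated the machine, this step the user.
    until = gate.grant(environ["REMOTE_ADDR"], ttl)
    return "200 OK: forwarding enabled until %s" % time.strftime("%H:%M:%S", time.gmtime(until))


if __name__ == "__main__":
    issued = []                                   # dry run: record instead of executing
    gate = VpnGate(run=issued.append, now=lambda: 1000.0)
    print(handle_login(gate, {"REMOTE_ADDR": "10.8.0.5"},          # constructed request
                       {"user": "alice", "password": "pw"},
                       lambda u, p: (u, p) == ("alice", "pw")))
    print(issued)
```

The two decisions worth copying are the range check in `grant` (a login from an address that is not a tunnel peer opens nothing, whatever credentials it carries) and the cap in `MAX_TTL`, which bounds how long a stolen-but-still-keyed notebook stays routable after its last successful login.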
