Re: Generic IPSEC vpn plugin
- From: Paul Wouters <paul xelerance com>
- To: David Woodhouse <dwmw2 infradead org>
- Cc: networkmanager-list gnome org
- Subject: Re: Generic IPSEC vpn plugin
- Date: Fri, 24 Apr 2009 16:21:53 -0400 (EDT)
On Fri, 24 Apr 2009, David Woodhouse wrote:
- interactive authentication instead of one-shot credentials
This is actually working in some cases, like openconnect. The
auth-dialog there is a standalone GUI program in its own right which
does a whole bunch of stuff including SSL certificates from file system
or TPM, and letting the user fill in arbitrary forms. Then when it's
rewarded for a successful login with an HTTP cookie from the server, it
just passes that cookie back to the nm-openconnect-service which uses it
to make the actual connection.
Can IPSec-based VPNs do something similar?
Yes. The only question is who "caches" the credentials. Currently openswan
can cache xauth passwords (from ipsec.secrets, but once we can take them
from the socket, NM can give it to us). Upon closing the connection, these
credentials could be purged.
person to have access to my VPN. Connections can be *both* per-user
in a single-user system, or system-wide on any system.
I'm guessing that you're in the minority, if you actually bother to set
up an account for them and switch to it. To be honest, I don't even know
how to do that without resorting to the command line.
With fedora, NM seems to be the default manager for all connections, so
if it becomes the defacto tool to configure site-to-site tunnels, then
this might not even be the minority case.
And I bet that even _fewer_ people actually remove the account after the
guest is done using the computer, thus actually preventing said guest
from logging into your laptop later from elsewhere, while you're on the
VPN...
A real "guest" account should automatically purge and put back a skeleton
account. I know debian/ubuntu has this feature. I am not sure if Fedora
has it.
Paul
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]