>>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>>> > particular user can only come from a particular device (or from any
>>> > device containing a key).
>>>
>> You can use apache client authentication with SSL certificates only. Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's certificate
>> and upload it along with your CA certificate to the user's browser. This
>> explains the principle:
>>
>> http://wiki.cacert.org/HELP/9
>>
>>
>> Ditto with the VPN connection - should you still want to use VPN.
>
>
> Let me see if I'm following. I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication? Can I require a
> username/password along with the certificate? Can I require the
> certificate only for certain users?
>
>
>> If a user certificate is lost or feared compromised, you revoke it with your
>> CA and upload the CRL to the server.
>>
>> However, this won't do away with XSS, or other similar attack vectors if the
>> users are not careful with their browsing habits.
>
>
> Can you give me an example?


Despite Rich's best efforts (thank you Rich! :-) ) I'm still
considering a Gentoo laptop for this along with a Chromebook. I would
need to be able to rsync to the laptop and I'd rather not be involved
in the remote employee's router config. Is there an easier solution
for that than OpenVPN? If not, perhaps OpenVPN is the way to go since
I could use it both to provide rsync access and for authentication.
Still I'd love to avoid it if possible.

Can I have OpenVPN prompt the desktop user on the client for login credentials?

- Grant
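The client-certificate setup the quoted reply describes (a self-signed CA that signs the web server's key pair and each client's certificate, a bundle the user installs in the browser, and a CRL uploaded to the server after a revocation), worked through as an added example. This is not code from the thread, from CAcert or from Apache; it drives the openssl command line and prints Apache 2.4 mod_ssl directives. The scratch directory, the CA and subject names, the user names alice and bob, all lifetimes, the install paths in the Apache fragment and the PKCS#12 password are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA with the openssl
# CLI, issues a server cert and two client certs, revokes one client cert,
# regenerates the CRL and prints the Apache directives. Names, paths and
# lifetimes below are assumptions for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumption)
CA="$WORKDIR/ca"
CFG="$WORKDIR/openssl.cnf"

# Minimal openssl.cnf: [req] drives CSR/self-signed creation, [ca] drives
# "openssl ca -revoke" and "-gencrl". Absolute paths, so no $dir variable.
write_config() {
  mkdir -p "$CA" "$WORKDIR/server" "$WORKDIR/clients"
  : > "$CA/index.txt"          # certificate database consulted by "openssl ca"
  echo 01 > "$CA/crlnumber"    # running CRL number, bumped on every -gencrl
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = private_ca
[ private_ca ]
database         = $CA/index.txt
certificate      = $CA/ca.crt
private_key      = $CA/ca.key
crlnumber        = $CA/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
}

# Step 1: the self-signed CA. Its private key stays on the admin machine.
make_ca() {
  openssl genrsa -out "$CA/ca.key" 2048 2>/dev/null
  openssl req -config "$CFG" -x509 -new -extensions v3_ca -days 3650 \
    -key "$CA/ca.key" -subj "/CN=Example Private CA" -out "$CA/ca.crt"
}

# Step 2: a key pair plus a CA-signed certificate; used once for the web server
# and once per client. $1 = output path without extension, $2 = subject CN.
issue_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -config "$CFG" -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$CA/ca.crt" -CAkey "$CA/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$1.crt" 2>/dev/null
}

# Step 3: what the user imports into the browser: key, cert and CA cert in one
# PKCS#12 file. "changeit" is a placeholder password for the demo.
bundle_for_browser() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$CA/ca.crt" \
    -name "$2" -passout pass:changeit -out "$1.p12"
}

# Step 4: revocation. The CA database marks the cert revoked and a fresh CRL
# is written; that crl.pem is the file uploaded to the web server.
gen_crl() {
  openssl ca -config "$CFG" -gencrl -crldays 30 -out "$CA/crl.pem" 2>/dev/null
}
revoke_cert() {
  openssl ca -config "$CFG" -revoke "$1" 2>/dev/null
  gen_crl
}

# The server's view of a presented client cert: must chain to our CA and must
# not be on the CRL. Prints "accepted" or "rejected".
cert_status() {
  if openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/crl.pem" \
       "$1" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Apache 2.4 mod_ssl directives for the HTTPS vhost (install paths assumed).
apache_snippet() {
  cat <<'EOF'
SSLEngine on
SSLCertificateFile    /etc/ssl/apache/server.crt
SSLCertificateKeyFile /etc/ssl/apache/server.key
SSLCACertificateFile  /etc/ssl/apache/ca.crt   # only certs signed by this CA pass
SSLCARevocationFile   /etc/ssl/apache/crl.pem  # re-upload after each revocation
SSLCARevocationCheck  chain
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

setup_pki() {
  write_config
  make_ca
  issue_cert "$WORKDIR/server/server" "www.example.test"
  issue_cert "$WORKDIR/clients/alice" "alice"
  issue_cert "$WORKDIR/clients/bob"   "bob"
  bundle_for_browser "$WORKDIR/clients/alice" "alice"
  gen_crl                                  # empty CRL: both clients accepted
  revoke_cert "$WORKDIR/clients/bob.crt"   # bob's device is lost
}

setup_pki
echo "alice: $(cert_status "$WORKDIR/clients/alice.crt")"   # accepted
echo "bob:   $(cert_status "$WORKDIR/clients/bob.crt")"     # rejected
apache_snippet
```

Run it with openssl on the PATH; it leaves everything under the scratch directory. The mapping to the reply: alice.p12 is what gets imported into the user's browser, ca.crt plus the server key pair go to the web server, and after every revocation the regenerated crl.pem is copied to the server and Apache reloaded, which is the "upload the CRL to the server" step. SSLCARevocationCheck exists only in Apache 2.4; on 2.2 SSLCARevocationFile alone enables the CRL check.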