Subject: Re: Persistent tunnel
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Stephen Borrill <netbsd@precedence.co.uk>
List: netbsd-users
Date: 12/16/2006 15:34:51
On Fri, 15 Dec 2006, Steven M. Bellovin wrote:
>>> There is indeed overhead for learning how to use the certificates.
>>> Briefly -- and Google for "openssl how-to" for details -- you need
>>> to create your own CA certificate, then create client and server
>>> certificates.  These can be shared among the different services, I
>>> might add.  It's at least as annoying figuring out how to configure
>>> stunnel to use these things....
>>
>> And you'd have to learn the same for one of the mooted alternatives,
>> OpenVPN (which would be my recommended solution). You can use password
>> authentication with OpenVPN now, but it's more susceptible to attack.
>>
> Actually, for this purpose I don't think that passwords are an issue.
> Run /dev/urandom into md5, or install security/apg, or flip coins.
> However it's done, you'll end up with a long, meaningless, unguessable
> password that's just going to sit in a read-protected configuration file
> somewhere. It's not as if someone has to memorize and type it.  The
> incremental risk comes from having it on two machines instead of one,
> which is what you'd do with a private key for a certificate.

Well, that sounds similar to the deprecated shared key approach in OpenVPN 
(except you can only define one key per server config). By using certs, 
you can create multiple configurations, time-limit cert validity and 
maintain a revocation list. I think a memorised password is better than one 
stored anywhere.

-- 
Stephen
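
As an added illustration of the two approaches the thread contrasts (this is not code from the original thread, nor from the OpenVPN or stunnel projects): part 1 generates the kind of long random secret the quoted reply describes and writes it to a file that is read-protected from the moment it is created; part 2 builds a throwaway private CA with openssl(1), issues a client certificate valid for one day, revokes it, and shows that verification only rejects the certificate when CRL checking is actually switched on. The function names, the CA layout under a mktemp directory and the ca.cnf contents are assumptions made for this example; it needs a POSIX sh with od/tr/ls and, for part 2, openssl on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes POSIX sh, od, tr, ls,
# mktemp, and openssl(1) for the certificate part. All names are our own.

# Part 1: a long, meaningless, unguessable secret read straight from
# /dev/urandom. od already gives hex; hashing it would add no entropy.
gen_secret() {                       # $1 = number of random bytes (default 32)
    od -An -tx1 -N"${1:-32}" /dev/urandom | tr -d ' \n'
}

# Write a fresh secret into $1 with umask 077 so the file is born 0600 rather
# than created world-readable and chmod'ed afterwards (a small race window).
store_secret() {
    ( umask 077; gen_secret 32 > "$1" )
}

# Symbolic permission string of a file, e.g. "-rw-------" (ls is more portable
# than stat, whose flags differ between GNU and BSD).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Part 2: tiny private CA (assumed layout, our own ca.cnf). Issues a 1-day
# client cert, revokes it, publishes a CRL and verifies with CRL checking on.
# Prints "revoked" on success, "setup-failed" if the CA itself did not work.
cert_demo() {
    CADIR=$(mktemp -d) || return 1
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = $CADIR/index.txt
new_certs_dir = $CADIR/newcerts
certificate = $CADIR/ca.crt
private_key = $CADIR/ca.key
serial = $CADIR/serial
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    # Self-signed CA (30 days) plus a client key and CSR. Keys are unencrypted,
    # as the thread notes: nobody is going to type a passphrase for a tunnel.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CADIR/ca.key" \
          -out "$CADIR/ca.crt" -subj "/CN=Demo CA" -days 30 2>/dev/null
      openssl req -new -newkey rsa:2048 -nodes -keyout "$CADIR/client.key" \
          -out "$CADIR/client.csr" -subj "/CN=client1" 2>/dev/null )
    # Time-limited validity: the client cert is good for one day only.
    openssl ca -batch -config "$CADIR/ca.cnf" -days 1 \
        -in "$CADIR/client.csr" -out "$CADIR/client.crt" >/dev/null 2>&1
    # Sanity checks: the cert must verify now, and must expire within 2 days
    # (-checkend exits 0 only if the cert is still valid after that many seconds).
    if ! openssl verify -CAfile "$CADIR/ca.crt" "$CADIR/client.crt" >/dev/null 2>&1 \
       || openssl x509 -noout -checkend 172800 -in "$CADIR/client.crt" >/dev/null 2>&1; then
        rm -rf "$CADIR"; echo "setup-failed"; return 1
    fi
    # Revoke the cert and publish a CRL; the CRL is bundled with the CA cert
    # because -CAfile loads both certificates and CRLs from one file.
    openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/client.crt" >/dev/null 2>&1
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" >/dev/null 2>&1
    cat "$CADIR/ca.crt" "$CADIR/crl.pem" > "$CADIR/chain.pem"
    # Without -crl_check the CRL is silently ignored and the cert still verifies;
    # a verifier has to be told to check it (OpenVPN: the crl-verify directive).
    if openssl verify -crl_check -CAfile "$CADIR/chain.pem" "$CADIR/client.crt" >/dev/null 2>&1; then
        result=not-revoked
    else
        result=revoked
    fi
    rm -rf "$CADIR"
    echo "$result"
}

# Run with "./secrets.sh run" to see both parts in action.
demo() {
    f=$(mktemp -d)/tunnel.secret
    store_secret "$f"
    echo "secret file $f mode: $(file_mode "$f")"
    echo "CRL check result: $(cert_demo)"
}
if [ "${1:-}" = "run" ]; then demo; fi
```

The revocation step is the part that a shared secret cannot give you: with one static key per server config, the only way to lock out a single peer is to rotate the key on every machine that has it, whereas a per-client certificate can be revoked on the CA and the server keeps its other peers working, provided it is actually configured to consult the CRL.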