2012-07-17 - Re: [GRASE-Hotspot] Expiry times and SSL/VPN certificate

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 4790e2113ae3992f7da0f9ddf5ca350e82eb34d314cb8ea96d53ea232e26a7ac
Message ID: <CAESLx0KyPPChU9VXdyiGUQ+rUnQUqWwwxmkXWu9k=zs4A2hw1A@mail.gmail.com>
Reply To: <201207170508.16222.solbu@solbu.net>
UTC Datetime: 2012-07-17 23:34:23 UTC
Raw Date: Wed, 18 Jul 2012 16:34:23 +1000

Raw message

Hey Johnny.

On Tue, Jul 17, 2012 at 1:08 PM, Johnny Solbu <so***u@solbu.net> wrote:
> We have two small question regarding Expiry times and the certificate used to protect the vpn traffic.
> (We are using the latest dev version on latest Ubuntu.)
>
> Do the users expire X months after creation, or x months after inactivity?
> We would like to have a group expire X months after last logout. The reason for this request is to have users or groups of users whicn only expire when they leave the organization and haven't logged in for a specified time period.

Currently they expire X months after creation. There may or may not be
a ticket currently for making it expire after last login. Have a look
on trac.grasehotspot.org and file one if there isn't one. (Can't
remember off the top of my head atm, and I've not got time to look
into it today.). It's something I've been thinking about doing, and X
months after last activity is fairly easy to do. (There should a be a
ticket X months after first login, which is slightly different to what
you are asking).

>
> And is it possible to change the expiry time? We can't seem to fine a way to change the expiry times of users which haven't expired yet.

Not currently. The reason for this is that expiry is based on the
users group. The reason this change was made, was that the original
location I wrote the software for, it was confusing being able to
adjust expires. Feel free to file a ticket and I'll look into a new
way of overriding expires.

>
>
> We wuld alo like to change the names of the subject information in the certificate. I run a small local CA myself, so I know how the process works. However I notice that there is a built in CA which have your info as default, and we would like to have the Subject part of the certificate t match our organization. I have located where to change to make it happend.
> But I need to know what script to run to generate a new certificate with the customized values.

The CA you have found is to do with the VPN support tunnel. It has
nothing to do with SSL, and it's not something you users can use. What
it does is allow remote assistance (once the remote-assist package is
also installed) via a VPN, as well as allowing you remote access to
your hotspot devices by installing the grase-conf-openvpn package on
your laptop for example (you'll be in the same VPN).

I do need to write some more details about the grase-conf-openvpn
package, as it's in the default list for people to install, purely for
the reason that when someone asks me to help them, the right packages
are already installed. At the time I released the project to the
community, it was still only being used by people I was giving direct
support to.

You'll find that the certificate isn't actually signed on the hotspot
ether, its signed by a CA remotely, so that information is on my
server. If you are intending to give your clients VPN access to secure
their connections, then thats a different thing, and something I've
been thinking of setting up for some time as a package, but as of yet,
haven't.

>
> As a final note, we love the ability to set limits on bandwith. We have had problems with visitors from Ukraine who use Skype quite often, and clogs out upstream bandwith. Now we can finally put an end to this. Thank you. :-)=

No problem. Glad it's being used! It's used here to limit some teenage
boys who would clog the internet!

Tim




Thread