Security to stop unauthed devices joining network using cloned certificate

Hi,

From what I can see, if someone can copy the certificate from a connected and authorised device, they can copy that to another device and gain access to the network.

Is there a way to prevent people from copying the authorisation of one device to another? Seems like a gaping security risk so I imagine there must be some mitigation for this?

For example, with OpenVPN I have certificate + user enters user/pass + TOTP code, so even if the certificate is stolen from the device, without credentials they have no access (also the certificate is pinned to the username so it can’t be traded to another user).

There’s a reason the identity is only accessible by the root/administrator and the ZeroTier program by default. So yes, you should limit access to it to ensure it’s not copied to other machines.

All that being said, have you ever been on a physical LAN where 2 or more devices have the same IP address assigned, or the same MAC address assigned? That effectively kills all communication to the device(s) with the same IP/MAC. Things are no different there on a ZeroTier network. The devices attempting to use the same identities will not work when both are simultaneously connected to the network.

As for username/password/2fa for authorization onto a network, we have integrations with SSO providers in the works for our hosted network controller service at https://my.zerotier.com. More information will be available in the future.
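The reply above rests on the identity secret staying readable only by root and the ZeroTier process. The following is an added example, not code from the thread or from ZeroTier, of a small POSIX shell audit a defender can run to confirm that: it checks that a secret file has no group or world permission bits. The default path (`/var/lib/zerotier-one/identity.secret`) is assumed to be the Linux location of the identity and is only a default; the owner is not checked so the function also works when run as a non-root user against a copy.

```shell
#!/bin/sh
# Added example (not from the thread or ZeroTier): audit that an identity
# secret file is not group- or world-accessible. Assumed default path is the
# Linux zerotier-one location; pass another path as the first argument.

check_secret_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00)
            # Group and other bits are zero: only the owner can read the secret.
            echo "ok: $f mode $mode"
            return 0 ;;
        *)
            echo "WARN: $f mode $mode is readable or writable by group/other" >&2
            return 1 ;;
    esac
}

# Run against the given path (or the assumed default) when invoked directly.
if [ $# -gt 0 ]; then
    check_secret_perms "$1"
elif [ -f /var/lib/zerotier-one/identity.secret ]; then
    check_secret_perms /var/lib/zerotier-one/identity.secret
fi
```

A non-zero exit means the file should be tightened (for example with `chmod 600`) before it is treated as the sole factor that admits the device to the network; the script deliberately does not print or copy the secret itself.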

Ok got it, yeah, I’m just thinking of scenarios where an attacker gets privileges, steals the cert and replicates it on another device, then wipes it off the original device so there is only 1 device and it’s hostile.

They then have complete access to the network so I need to plan for that situation I guess. Shame we can’t have session based auth.
