ZT3000: what do you mean about hardware access? I'm not trying to go full blown two factor, i'm merely thinking about certificates on USB keys. I know pam_usb provides support for it, but i'm just wondering if LDAP has any kind of schema or implementation of it somewhere. I hate mixing clients but our bread and butter software demands a windows environment, unless i run it as a web service from Win2k3, which shits all over my budget with just 10 users. i also have to provide for about 20, and i want room to move to 30 or more.

The boss here has almost no concept of computers in general and i'm unavailable during all of the business day because this is a second job. I'm positive openvpn will support our needs for VPN i'm just looking for a kick-ass low cost implementation of 2 factor authentication since we have alot of people in and out of the office. i already know most passwords in the shop and they all suck. making users change them or remember more difficult ones will make it worse since they will just become post-its or resets. i guess i'm trying to have my cake and eat it too. champaigne taste on a beer budget as they say.

If i could just have 2 certificates stored on a cheap usb drive i'd be happy. 1 certificate for openvpn which i know is poosible, and 1 for local access in office which i'm sketchy on.