
[Openvpn-users] "--askpass file" is evil!


  • Subject: [Openvpn-users] "--askpass file" is evil!
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 03:13:20 +0100 (CET)

The subject was a bit of a joke, but honestly -- it's a huge security degrader!

There was a discussion a while ago about adding a "Save password" feature to OpenVPN GUI. I and several others objected to this as it kinda kills the benefit of a passphrase protected private key.

Recently the same feature was requested again on the OpenVPN GUI web forum by a user whose administrator had given him a private key protected by a very long and hard to remember passphrase. IMHO his administrator did a bad thing in the first place using such a hard passphrase, as it's only causing users to look for workarounds like this one did.

I'm a bit ashamed, but as I'm a believer in "security should not be enforced by obscurity", I told him that he could get around it by using the --askpass option to load the passphrase from a file.

But - I don't like it! I'd hang my users if I found out they did this, and I think it is far too easy to do now, and hard to control for the administrator.


As the key is loaded and decrypted on the client side we will never have FULL control on the server side over what happens on the client side, but we could at least make it harder for users to circumvent security like this.

Two ideas:

* Do we really need the [file] parameter on the --askpass option? On servers I don't see the benefit of protecting the key in the first place if we're going to save the passphrase in another file. On clients it was useful to be able to pass a passphrase from a GUI to OpenVPN via a file, but I only see this as a workaround. Now we have a great management interface that can be used for this.

I'm not using this feature in OpenVPN GUI and don't see any future need for it either. Is there anyone else using this feature (not to circumvent security!) ?

* Could we make the openvpn client inform the server that a passphrase has been loaded from a file, so an option on the server could be used to cause an immediate disconnection if that was the case.

Yes, this can certainly be circumvented by patching the openvpn client pretty easily for a programmer, but at least we have made it a lot harder for normal users.

--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
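The management-interface route Mathias points to, as an added example that is not part of the original post and not OpenVPN's or OpenVPN GUI's own code: a small client that connects to the daemon's management port, waits for the `>PASSWORD:Need 'Private Key' password` prompt the daemon emits when started with `--management-query-passwords`, and answers it with the quoted `password "Private Key" "..."` line, so the passphrase is typed at run time and held only in memory rather than sitting in an `--askpass` file. The prompt and reply formats follow OpenVPN's management-notes.txt; the management port (7505), the helper names (`pump`, `feed_openvpn`, `demo`), the fake daemon used for the offline demo and the sample passphrase are all assumptions constructed here.

```python
"""Answer OpenVPN's private-key passphrase prompt over the management
interface instead of storing the passphrase in a file for --askpass.
Line formats follow management-notes.txt; the fake daemon, port number,
helper names and sample secrets below are constructed for this demo."""
import getpass
import re
import socket
import threading

# Prompt the daemon emits when run with --management-query-passwords.
_NEED_RE = re.compile(
    r"^>PASSWORD:Need '(?P<kind>[^']+)' (?P<what>username/password|password)$")
_FAIL_RE = re.compile(r"^>PASSWORD:Verification Failed: '(?P<kind>[^']+)'$")


def parse_password_request(line):
    """Return (kind, wants_username) for a >PASSWORD:Need line, else None."""
    m = _NEED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("kind"), m.group("what") == "username/password"


def quote(text):
    """Double-quote a management-interface argument, escaping \\ and \" ."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_responses(line, secrets):
    """Map one daemon line to the reply lines it needs (possibly none).
    secrets(kind) -> (username_or_None, password); it is only called when
    the daemon actually asks, so nothing is read or cached up front."""
    req = parse_password_request(line)
    if req is None:
        return []
    kind, wants_user = req
    user, password = secrets(kind)
    out = []
    if wants_user:
        out.append(f"username {quote(kind)} {quote(user)}")
    out.append(f"password {quote(kind)} {quote(password)}")
    return out


def pump(sock, secrets, log=None):
    """Answer prompts on an open management socket until the daemon closes
    it. Returns the reply lines sent; raises on a verification failure."""
    sent = []
    with sock.makefile("rb") as reader:
        for raw in reader:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if log is not None:
                log.append(line)
            if _FAIL_RE.match(line):
                raise RuntimeError(line)
            for reply in build_responses(line, secrets):
                sock.sendall((reply + "\r\n").encode("utf-8"))
                sent.append(reply)
    return sent


def feed_openvpn(host="127.0.0.1", port=7505):
    """Real use, with no askpass line in the config (port is an assumption):
    openvpn --config client.ovpn --management 127.0.0.1 7505 \\
            --management-query-passwords"""
    def ask(kind):  # prompt the user only for what the daemon asked for
        user = input(f"OpenVPN {kind} username: ") if kind == "Auth" else None
        return user, getpass.getpass(f"OpenVPN {kind} passphrase: ")
    with socket.create_connection((host, port)) as sock:
        return pump(sock, ask)


def _fake_daemon(sock, key_passphrase):
    """Constructed stand-in for the daemon side: one 'Private Key' prompt."""
    reader = sock.makefile("rb")
    try:
        sock.sendall(b">INFO:OpenVPN Management Interface -- type 'help' for more info\r\n")
        sock.sendall(b">PASSWORD:Need 'Private Key' password\r\n")
        reply = reader.readline().decode("utf-8").rstrip("\r\n")
        if reply == f"password {quote('Private Key')} {quote(key_passphrase)}":
            sock.sendall(b"SUCCESS: 'Private Key' password entered, but not yet verified\r\n")
        else:
            sock.sendall(b">PASSWORD:Verification Failed: 'Private Key'\r\n")
    finally:
        reader.close()
        sock.close()


def demo(offered, real='p@ss "with" quotes\\'):
    """Run the client against the fake daemon. Returns (accepted, transcript)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_daemon, args=(server, real))
    t.start()
    log = []
    try:
        pump(client, lambda kind: (None, offered), log)
        accepted = True
    except RuntimeError:
        accepted = False
    finally:
        client.close()
        t.join()
    return accepted, log


if __name__ == "__main__":
    print(demo('p@ss "with" quotes\\'))
    print(demo("wrong passphrase"))
```

The point of `secrets` being a callback is that the passphrase is only produced at the moment the daemon asks for it; in `feed_openvpn` that is a `getpass` prompt, and a GUI would substitute its own dialog. The quoting helper matters more than it looks: a passphrase containing `"` or `\` sent unescaped is a different passphrase as far as the daemon is concerned, which is exactly the kind of failure that drives users back to saving it in a file.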


____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users