
Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: "Erik Anderson" <erikba@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 2 Dec 2004 18:31:34 -0800

Not trying to dispute your position, but seeing a different aspect to it...

I really hate having to enter my network password in a file to get Subversion to be able to access the network. Others have complained about this as well, and the usual official response is that the file is stored in a place that would require the local machine root or Administrator to be able to access.

I'm also thinking of the security checks that qmail makes to ensure that its various configuration files aren't (that) insecure.

If the file option is not dropped from the feature, I would recommend at a minimum that OpenVPN runs a permissions check on the file that it reads and refuses to open it if it is readable by anyone other than the user...

----- Original Message -----
From: "Mathias Sundman" <mathias@xxxxxxxxxx>
To: <Openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, December 02, 2004 6:13 PM
Subject: [Openvpn-users] "--askpass file" is evil!

The subject was a bit of a joke, but honestly -- it's a huge security degrader!

There was a discussion a while ago about adding a "Save password" feature to OpenVPN GUI. I and several others objected to this as it kinda kills the benefit of a passphrase protected private key.

Recently the same feature was requested again on the OpenVPN GUI web forum by a user whose administrator had given him a private key protected by a very long and hard to remember passphrase. IMHO his administrator did a bad thing in the first place using such a hard passphrase, as it's only causing users to look for workarounds like this did.

I'm a bit ashamed, but as I'm a believer in "security should not be enforced by obscurity", I told him that he could get around it by using the --askpass option to load the passphrase from a file.

But - I don't like it! I'd hang my users if I found out they did this, and I think it is far too easy to do now, and hard to control for the

As the key is loaded and decrypted on the client side we will never have FULL control on the server side of what happens on the client side, but we could at least make it harder for users to circumvent security like this.

Two ideas:

* Do we really need the [file] parameter on the --askpass option? On servers I don't see the benefit of protecting the key in the first place if we're going to save the passphrase in another file. On clients it was useful to be able to pass a passphrase from a GUI to OpenVPN via a file, but I only see this as a workaround. Now we have a great management interface that can be used for this.

I'm not using this feature in OpenVPN GUI and don't see any future need for it either. Is there anyone else using this feature (not to circumvent security!)?

* Could we make the openvpn client inform the server that a passphrase has been loaded from a file, so an option on the server could be used to cause an immediate disconnection if that was the case.

Yes, this can certainly be circumvented by patching the openvpn client pretty easily for a programmer, but at least we have made it a lot harder for normal users.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
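The permissions check Erik proposes above (refuse the passphrase file if anyone but the owning user can read it, in the spirit of qmail's configuration-file checks) is small enough to show in full. The following is an added example written for this page; it is not OpenVPN's code and the function names askpass_fd_ok, read_askpass_file and probe_mode are hypothetical. It checks the already-opened descriptor rather than the path, so the decision applies to the same inode that is actually read, and it rejects symlinks, non-regular files, files owned by another user, and any group or other read/write bit.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Return codes for the checks below (hypothetical names, not OpenVPN's). */
enum { ASKPASS_OK = 0, ASKPASS_BAD = -1 };

/* Accept a passphrase file only if it is a regular file owned by the
 * effective user and has no group/other read or write permission.
 * Takes an open fd so the check and the later read hit the same inode. */
int askpass_fd_ok(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return ASKPASS_BAD;
    if (!S_ISREG(st.st_mode))            /* no FIFOs, devices or directories */
        return ASKPASS_BAD;
    if (st.st_uid != geteuid())          /* somebody else's file */
        return ASKPASS_BAD;
    if (st.st_mode & (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH))
        return ASKPASS_BAD;              /* others can read (or replace) the secret */
    return ASKPASS_OK;
}

/* Open the passphrase file without following symlinks, run the check,
 * and copy the first line into buf. Returns ASKPASS_OK or ASKPASS_BAD. */
int read_askpass_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return ASKPASS_BAD;
    if (askpass_fd_ok(fd) != ASKPASS_OK) {
        close(fd);
        return ASKPASS_BAD;
    }
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return ASKPASS_BAD;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';    /* passphrase is the first line only */
    return ASKPASS_OK;
}

/* Demonstration helper (constructed for this example): write a temporary
 * file holding a sample passphrase, set the requested mode bits, and return
 * what read_askpass_file() decides. -2 means the setup itself failed,
 * -3 means the file was accepted but its contents were not read back. */
int probe_mode(mode_t mode)
{
    char path[] = "/tmp/askpass-probe-XXXXXX";
    int fd = mkstemp(path);              /* created 0600, owned by us */
    if (fd < 0)
        return -2;
    if (write(fd, "s3cret\n", 7) != 7 || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -2;
    }
    close(fd);

    char buf[64];
    int rc = read_askpass_file(path, buf, sizeof buf);
    if (rc == ASKPASS_OK && strcmp(buf, "s3cret") != 0)
        rc = -3;
    unlink(path);
    return rc;
}

int main(void)
{
    printf("mode 0600: %d (0 = accepted)\n", probe_mode(0600));
    printf("mode 0640: %d (-1 = refused, group-readable)\n", probe_mode(0640));
    printf("mode 0604: %d (-1 = refused, world-readable)\n", probe_mode(0604));
    return 0;
}
```

The check deliberately fails closed on group read as well as world read, since on most systems a user cannot tell which other accounts share a group with them; an administrator who needs a shared file would have to relax the check explicitly rather than the program silently accepting it.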
