Not trying to dispute your position, but seeing a different aspect to it...
I really hate having to enter my network password in a file to get
Subversion to be able to access the network. Others have complained about
this as well, and the usual official response is that the file is stored in
a place that would require the local machine root or Administrator to be
able to access.
I'm also thinking of the security checks that qmail makes to ensure that its
various configuration files aren't (that) insecure.
If the file option is not dropped from the feature, I would recommend at a
minimum that OpenVPN runs a permissions check on the file that it reads and
refuses to open it if it is readable by anyone other than the user...
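What that permissions check could look like, as an added example written for this page (it is not OpenVPN project code, and the function names, error codes and /tmp paths are illustrative): the file is opened first and inspected through the open descriptor, so the check and the later read refer to the same inode, and it is refused unless it is a regular file, owned by the running user, with no group or other permission bits at all. That is the same rule OpenSSH applies to private key files, and stricter than the "readable by someone else" wording above, because a group-writable file is just as bad: it lets another user substitute a passphrase they know.

```c
/* Added example (not OpenVPN project code): refuse to use an --askpass file
 * unless it is a regular file, owned by the effective user, with no group or
 * other permission bits, in the spirit of the checks qmail and OpenSSH apply
 * to their own sensitive files.  Names below are illustrative. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum askpass_err {
    ASKPASS_ERR_OPEN        = -1, /* open() failed: missing, unreadable, or a symlink */
    ASKPASS_ERR_STAT        = -2, /* fstat() failed */
    ASKPASS_ERR_NOT_REGULAR = -3, /* directory, device, FIFO, ... */
    ASKPASS_ERR_OWNER       = -4, /* not owned by the effective user */
    ASKPASS_ERR_PERMS       = -5  /* group or other has some access bit set */
};

/* Open the passphrase file and verify it on the open descriptor, so the
 * checks and the subsequent read see the same inode (no check-then-open
 * race).  Returns a read-only fd on success, or a negative askpass_err. */
int open_private_askpass_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return ASKPASS_ERR_OPEN;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return ASKPASS_ERR_STAT;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return ASKPASS_ERR_NOT_REGULAR;
    }
    if (st.st_uid != geteuid()) {
        close(fd);
        return ASKPASS_ERR_OWNER;
    }
    /* Reject any group/other bit, not only read: a group-writable file lets
     * someone swap in a passphrase they know, and "other" may be every local
     * account.  Equivalent to requiring mode 0600 or stricter. */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        close(fd);
        return ASKPASS_ERR_PERMS;
    }
    return fd;
}

/* Convenience wrapper: 0 if the file passes, else the negative error code. */
int askpass_file_status(const char *path)
{
    int fd = open_private_askpass_file(path);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

/* Helper for demonstration: (re)create a file with an exact mode, so the
 * result does not depend on the caller's umask. */
int make_test_file(const char *path, mode_t mode, const char *content)
{
    int fd;
    unlink(path);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0 ||
        write(fd, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* With no argument, check a constructed, deliberately world-readable file. */
    const char *path = argc > 1 ? argv[1] : "/tmp/askpass_example.txt";
    int rc;
    if (argc < 2)
        make_test_file(path, 0644, "hunter2\n");
    rc = askpass_file_status(path);
    printf("%s: %s (%d)\n", path, rc == 0 ? "ok" : "REFUSED", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as `./askpass_check /path/to/passfile` to see whether a given file would be accepted. O_NOFOLLOW makes a symlink fail at open() time, which is why a symlink shows up as ASKPASS_ERR_OPEN rather than as a separate code; the caller should read the passphrase from the returned descriptor rather than reopening the path.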
----- Original Message -----
From: "Mathias Sundman" <mathias@xxxxxxxxxx>
Sent: Thursday, December 02, 2004 6:13 PM
Subject: [Openvpn-users] "--askpass file" is evil!
The subject was a bit of a joke, but honestly -- it's a huge security
There was a discussion a while ago about adding a "Save password" feature
to OpenVPN GUI. I and several others objected to this as it kinda kills
the benefit of a passphrase protected private key.
Recently the same feature was requested again on the OpenVPN GUI web forum
by a user whose administrator had given him a private key protected by a
very long and hard to remember passphrase. IMHO his administrator did a
bad thing in the first place using such a hard passphrase, as it's only causing
users to look for workarounds like this one did.
I'm a bit ashamed, but as I'm a believer in "security should not be
enforced by obscurity", I told him that he could get around it by using
the --askpass option to load the passphrase from a file.
But - I don't like it! I'd hang my users if I found out they did this, and
I think it is far too easy to do now, and hard to control for the
As the key is loaded and decrypted on the client side we will never have
FULL control on the server side over what happens on the client side, but we
could at least make it harder for users to circumvent security like this.
* Do we really need the [file] parameter on the --askpass option? On
servers I don't see the benefit of protecting the key in the first place
if we're going to save the passphrase in another file. On clients it was
useful to be able to pass a passphrase from a GUI to OpenVPN via a file,
but I only see this as a workaround. Now we have a great management
interface that can be used for this.
I'm not using this feature in OpenVPN GUI and don't see any future need
for it either. Is there anyone else using this feature (not to circumvent
* Could we make the openvpn client inform the server that a passphrase has
been loaded from a file, so an option on the server could be used to cause
an immediate disconnection if that was the case.
Yes, this can certainly be circumvented by patching the openvpn client
pretty easily for a programmer, but at least we have made it a lot harder
for normal users.
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
Openvpn-users mailing list