
[Openvpn-users] Re: "--askpass file" is evil!

  • Subject: [Openvpn-users] Re: "--askpass file" is evil!
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Thu, 02 Dec 2004 21:05:48 -0600

On Thu, 02 Dec 2004 18:31:34 -0800, Erik Anderson wrote:

> If the file option is not dropped from the feature, I would recommend at
> a minimum that OpenVPN runs a permissions check on the file that it
> reads and refuses to open it if it is readable by anyone other than the
> user...

OpenSSH doing that kind of check for private key files and not allowing a
user who knows what they're doing to override it has caused me substantial
pain in the past (using POSIX ACLs to control access to a private key for
logging into a shared account on a special-purpose server).

I also think that there are circumstances under which this feature could
be used appropriately -- though they involve the file being stored in a
RAM-based filesystem with very tight permissions, and mostly consist of
cases where passing in passwords via the administrative interface is an
even better solution.
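The permission check Erik proposes, and the POSIX-ACL friction Charles describes, are easy to see in a few lines. The following is an added example, not OpenVPN or OpenSSH code; the function names (`check_secret_stat`, `read_secret_file`, `demo`) and the sample files it builds in a temporary directory are constructed for illustration. It accepts only a regular file owned by the calling user with no group/other permission bits, checks the already-open descriptor rather than the path (so there is no check-then-open race), and refuses to follow symlinks.

```python
import errno
import os
import shutil
import stat
import tempfile


# Hypothetical helper, not part of OpenVPN: decide whether a stat result
# describes a file that is safe to use as a password store for this user.
def check_secret_stat(st, expected_uid=None):
    """Return (ok, reason). Accept only a regular file owned by expected_uid
    whose mode grants nothing to group or others, in the same spirit as the
    OpenSSH private-key check mentioned in the reply above."""
    if expected_uid is None:
        expected_uid = os.getuid()
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # On Linux a file carrying an extended POSIX ACL reports the ACL mask
        # in its group bits, so a file shared via setfacl is rejected here as
        # well: that is exactly the friction the reply above describes.
        return False, "mode %s grants access to group/others" % oct(mode)
    return True, "ok"


def read_secret_file(path, expected_uid=None, limit=4096):
    """Open path without following symlinks, verify the permissions on the
    open descriptor (no check-then-open race), and return the first line
    without its trailing newline. Raises PermissionError on any refusal."""
    if not hasattr(os, "O_NOFOLLOW") and stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("%s: refusing to follow a symlink" % path)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise PermissionError("%s: refusing to follow a symlink" % path)
        raise
    try:
        ok, reason = check_secret_stat(os.fstat(fd), expected_uid)
        if not ok:
            raise PermissionError("%s: %s" % (path, reason))
        data = os.read(fd, limit)  # passwords are short; never slurp a huge file
    finally:
        os.close(fd)
    return data.split(b"\n", 1)[0]


def demo():
    """Constructed sample files in a temp dir; returns which ones were accepted."""
    results = {}
    d = tempfile.mkdtemp()
    try:
        cases = {"private": 0o600, "group_readable": 0o640, "world_readable": 0o644}
        for name, mode in cases.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"hunter2\n")  # constructed sample secret
            os.chmod(p, mode)
            try:
                results[name] = read_secret_file(p) == b"hunter2"
            except PermissionError:
                results[name] = False
        link = os.path.join(d, "link")
        os.symlink(os.path.join(d, "private"), link)
        try:
            read_secret_file(link)
            results["symlink"] = True
        except PermissionError:
            results["symlink"] = False
    finally:
        shutil.rmtree(d)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-15s %s" % (name, "accepted" if accepted else "rejected"))
```

Running it accepts only the 0600 file and rejects the group-readable, world-readable and symlinked variants. Note that the mode-bit test cannot distinguish "group readable via chmod" from "one extra user granted read via an ACL", which is why a strict check with no override is painful for the shared-account setup described above; a design that wants to allow that case needs an explicit opt-out flag rather than a looser default.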
