
Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 2 Dec 2004 21:16:47 -0700 (MST)

On Fri, 3 Dec 2004, Mathias Sundman wrote:

> The subject was a bit of a joke, but honestly -- It's a huge security 
> degrader!
> There was a discussion a while ago about adding a "Save password" feature 
> to OpenVPN GUI. I and several others objected to this as it kinda kills 
> the benefit of a passphrase protected private key.
> Recently the same feature was requested again on the OpenVPN GUI web 
> forum by a user whose administrator had given him a private key protected by 
> a very long and hard to remember passphrase. IMHO his administrator did a 
> bad thing in the first place using such a hard passphrase as it's only causing 
> users to look for workarounds like this one did.
> I'm a bit ashamed, but as I'm a believer of "security should not be 
> enforced by obscurity", I told him that he could get around it by using 
> the --askpass option to load the passphrase from a file.
> But - I don't like it! I'd hang my users if I found out they did this, and 
> I think it is far too easy to do now, and hard to control for the
> administrator.
> As the key is loaded and decrypted on the client side we will never have 
> FULL control on the server side what happens on the client side, but we 
> could at least make it harder for users to circumvent security like this.
> Two ideas:
> * Do we really need the [file] parameter on the --askpass option? On 
> servers I don't see the benefit of protecting the key in the first place 
> if we're going to save the passphrase in another file. On clients it was 
> useful to be able to pass a passphrase from a GUI to OpenVPN via a file, 
> but I only see this as a workaround. Now we have a great management 
> interface that can be used for this.
> I'm not using this feature in OpenVPN GUI and don't see any future need 
> for it either. Is there anyone else using this feature (not to circumvent 
> security!)?
> * Could we make the openvpn client inform the server that a passphrase has 
> been loaded from a file, so an option on the server could be used to cause 
> an immediate disconnection if that was the case.
> Yes, this can certainly be circumvented by patching the openvpn client 
> pretty easily for a programmer, but at least we have made it a lot harder 
> for normal users.

I would tend to leave the decision on whether or not to allow password 
saving to the admin, rather than force a policy.

How about a ./configure option such as --disable-password-save (and
corresponding #define flag for Windows build in config-win32.h)?

This flag would then disable the optional file argument to --askpass and 