
Re: [Openvpn-users] "--askpass file" is evil!



Storing a passphrase in a file, especially for roadwarriors, is tantamount to writing it on a sticky note. It defeats the whole point of there being a knowledge aspect to the authentication. Locking a door with two keys instead of one isn't much use if both keys are on the same ring.

Even given compile-time options, wouldn't it be possible for the client to then download and install their own copy of OpenVPN with these options enabled? Lazy/ignorant users can find ways around client restrictions like this, especially as OpenVPN still needs to be run with admin privs.

You could trust that anyone clued-up enough to be able to reinstall their own copy would understand the security issues involved, but trust isn't really a luxury most of us have.

None of this is a complaint with OpenVPN, of course; the same issues apply to anything that involves an identification system.

Terry.

James Yonan wrote:

I would tend to leave the decision on whether or not to allow password saving to the admin, rather than force a policy.


How about a ./configure option such as --disable-password-save (and corresponding #define flag for Windows build in config-win32.h)?

This flag would then disable the optional file argument to --askpass and --auth-user-pass.

James


_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
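
An added example, not part of the original thread and not OpenVPN's own code: where no build-time switch is available, an admin can audit client configs for the optional file argument to `askpass` and `auth-user-pass` and check whether the referenced file is readable beyond its owner. The sample config, its paths and the function names are constructed for illustration.

```python
import os
import shlex
import stat

# Directives whose optional file argument keeps a secret on disk.
SAVED_SECRET_DIRECTIVES = {"askpass", "auth-user-pass"}

# Constructed sample client config (not from the thread).
SAMPLE_CONFIG = r"""client
remote vpn.example.com 1194
# askpass /etc/openvpn/old.pass
askpass
auth-user-pass /etc/openvpn/creds.txt  # saved login
--askpass "C:\\Program Files\\OpenVPN\\key.pass"
"""

def find_saved_secrets(config_text):
    """Return (line_no, directive, path) for each directive given a file."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; not parseable here
        if not tokens:
            continue
        directive = tokens[0].lstrip("-")  # tolerate command-line style
        # A bare directive prompts the user; only a file argument is a finding.
        if directive in SAVED_SECRET_DIRECTIVES and len(tokens) > 1:
            findings.append((line_no, directive, tokens[1]))
    return findings

def is_exposed(path):
    """True if group or others have any access; None if the file is absent."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    for line_no, directive, path in find_saved_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} reads secret from {path} "
              f"(exposed: {is_exposed(path)})")
```
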




