Re: [Openvpn-users] "--askpass file" is evil!

  From: Leonard Isham <leonard.isham@xxxxxxxxx>
  Date: Fri, 3 Dec 2004 08:24:06 -0500

On Fri, 03 Dec 2004 11:44:25 +0000, Terry Dooher
<tdooher.lists@xxxxxxxxxxxxxxxxx> wrote:
> Storing a passphrase in a file, especially for roadwarriors, is tantamount to
> writing it on a sticky note. It defeats the whole point of there being a
> knowledge aspect to the authentication. Locking a door with two keys instead
> of one isn't much use if both keys are on the same ring.
> Even given compile-time options, wouldn't it be possible for the client to
> then download and install their own copy of OpenVPN with these options
> enabled? Lazy/ignorant users can find ways around client restrictions like
> this, especially as OpenVPN still needs to be run with admin privs.
> You could trust that anyone clued-up enough to be able to reinstall their own
> copy would understand the security issues involved, but trust isn't really a
> luxury most of us have.
> None of this is a complaint with OpenVPN, of course, the same issues apply to
> anything that involves an identification system.

I don't know if I'd call this option evil, but I agree with this and
previous posts that this option should die a quick death.  Maybe the
next beta or RC removes the option.

Now, if I remember correctly, the clients don't report the client
version, so you can't put in an option to reject connections based on
the version of the client software.  On the other hand, would this be
difficult to implement?  We all know that this could be circumvented,
but in security the goal is to make it difficult to breach the
security without grinding the business to a halt.

Leonard Isham, CISSP 
Ostendo non ostento.

Openvpn-users mailing list
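The thread's objection is to the form `askpass <file>` (and, by the same logic, `auth-user-pass <file>`), which turns a passphrase the user has to know into a file sitting next to the key. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It assumes the option semantics documented in the OpenVPN 2.x manual: `askpass` with a file argument reads the private-key passphrase from that file and prompts on the console when the argument is absent, and `auth-user-pass` behaves the same way for the username/password pair. The two client configurations it scans are constructed samples: the first is the "sticky note" setup, the second the same client with both options left to prompt.

```python
"""Audit an OpenVPN client config for credentials that live in files.

Added example, not part of the original mailing-list thread. Assumes the
OpenVPN 2.x option syntax: ``askpass [file]`` and ``auth-user-pass [file]``
prompt interactively when the file argument is omitted and read the secret
from disk when it is present.
"""
import shlex
from typing import List, Tuple

# Options that take an optional file argument and, when given one, turn a
# knowledge factor into a file on disk.
CREDENTIAL_OPTIONS = {
    "askpass": "private-key passphrase",
    "auth-user-pass": "username/password",
}


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return (option, args) pairs, skipping comments and inline <tag> blocks."""
    directives = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            # Inside <ca>, <cert>, <key>, ...: PEM payload, not directives.
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            # Accept both "askpass" and "--askpass" spellings.
            directives.append((parts[0].lstrip("-"), parts[1:]))
    return directives


def find_stored_credentials(text: str) -> List[str]:
    """List findings for credential options that name a file on disk."""
    findings = []
    for option, args in parse_config(text):
        if option in CREDENTIAL_OPTIONS and args:
            findings.append(
                f"{option} {args[0]}: {CREDENTIAL_OPTIONS[option]} stored on disk"
            )
    return findings


# Constructed sample: the configuration the thread objects to.
WEAK_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert roadwarrior.crt
key roadwarrior.key
# the key's passphrase, written down right next to the key
askpass /etc/openvpn/roadwarrior.pass
auth-user-pass /etc/openvpn/creds.txt
"""

# Constructed sample: same client, both options prompt on the console.
FIXED_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert roadwarrior.crt
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END ENCRYPTED PRIVATE KEY-----
</key>
askpass
auth-user-pass
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = find_stored_credentials(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The check is only as good as the config it is pointed at: as the thread notes, a user who can install their own OpenVPN binary can also hand it a different config, so this is a tool for spotting the pattern on machines you manage, not a control that stops a determined user.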