
Re: [Openvpn-users] "--askpass file" is evil!

Your assumptions are ruling out legitimate use cases. Laptop? What laptop? How about connections that need to be completely automated because there isn't a user there to enter a passphrase? And the system is mounted in a rack inside a concrete room with a locked steel door? Of course you also have to pass the front desk and security cameras, and at night there are those pesky door sensors hooked into the alarm system.

If your argument is true then ***SSH*** is broken because you can automate connections with key exchanges. All you need is to get the keys!

Yes, there are perfectly valid uses for passphraseless keys. Laptops were my example for where recording of a passphrase would weaken the security in place of convenience.

My point still holds though. There is no point having a passphrase on disk if you have the key on disk. If you can secure access to the key, then there's no need to have a passphrase and you can automate the system, as you say.

In any case where manual entry of a passphrase is required, then having it recorded elsewhere would potentially break the system; especially if you have it recorded on the same medium you store your key on.

In the end, the user has to bear some responsibility for the security of their

In the end the user bears all the responsibility for the security of their identification; software should permit as wide a range of use cases as possible, and selecting the proper tools and configuration is the job of educated people.

Openvpn-users mailing list