The subject was a bit of a joke, but honestly -- it's a huge security
There was a discussion a while ago about adding a "Save password" feature
to OpenVPN GUI. I and several others objected to this as it kinda kills
the benefit of a passphrase protected private key.
Recently the same feature was requested again on the OpenVPN GUI web
forum by a user whose administrator had given him a private key protected by
a very long and hard to remember passphrase. IMHO his administrator did a
bad thing in the first place using such a hard passphrase, as it's only causing
users to look for workarounds, like this one did.
I'm a bit ashamed, but as I'm a believer in "security should not be
enforced by obscurity", I told him that he could get around it by using
the --askpass option to load the passphrase from a file.
But - I don't like it! I'd hang my users if I found out they did this, and
I think it is far too easy to do now, and hard to control for the
As the key is loaded and decrypted on the client side we will never have
FULL control from the server side over what happens on the client side, but we
could at least make it harder for users to circumvent security like this.
* Do we really need the [file] parameter on the --askpass option? On
servers I don't see the benefit of protecting the key in the first place
if we're going to save the passphrase in another file. On clients it was
useful to be able to pass a passphrase from a GUI to OpenVPN via a file,
but I only see this as a workaround. Now we have a great management
interface that can be used for this.
I'm not using this feature in OpenVPN GUI and don't see any future need
for it either. Is there anyone else using this feature (not to circumvent
* Could we make the openvpn client inform the server that a passphrase has
been loaded from a file, so an option on the server could be used to cause
an immediate disconnection if that was the case.
Yes, a programmer can certainly circumvent this pretty easily by patching
the openvpn client, but at least we have made it a lot harder for normal
users.
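The post says the "askpass FILE" workaround is hard for an administrator to control. One thing an admin can do today, without any change to OpenVPN, is audit the client configs he hands out (or collects back) for that form of the option. The script below is an added example, not code from the post or from the OpenVPN project: it flags "askpass" with a file argument while accepting a bare "askpass" (which prompts interactively), skips "#" and ";" comment lines, and reports the config path and line number. The config file name and contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN itself:
# audit an OpenVPN client config for "askpass <file>", i.e. a private-key
# passphrase stored on disk next to the key. A bare "askpass" (interactive
# prompt) is fine; "askpass FILE" is the workaround the post argues against.

# audit_askpass CONFIG: prints each offending line; returns 0 if clean,
# 1 if at least one passphrase file was found.
audit_askpass() {
    conf="$1"
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # split the line into words; -f stops globbing of the file argument
        set -f
        set -- $line
        set +f
        # skip blank lines and comments (OpenVPN accepts both # and ;)
        case "${1:-}" in
            ''|'#'*|';'*) continue ;;
        esac
        if [ "$1" = "askpass" ] && [ $# -ge 2 ]; then
            printf '%s:%d: passphrase read from file %s\n' "$conf" "$lineno" "$2"
            found=1
        fi
    done < "$conf"
    return $found
}

# Demo on a constructed config (file name and contents are made up)
demo=$(mktemp -d)
cat > "$demo/client.ovpn" <<'EOF'
client
dev tun
remote vpn.example.com 1194
key client.key
; a bare "askpass" would prompt interactively and is fine
askpass /home/user/key.pass
EOF

if audit_askpass "$demo/client.ovpn"; then
    echo "no passphrase files found"
else
    echo "passphrase file(s) found; see above"
fi
rm -rf "$demo"
```

Run it against a directory of client configs with a loop over `*.ovpn`; the non-zero exit status makes it easy to wire into a check that runs before a config is shipped to a user. It only catches the documented "askpass FILE" form, so a user who patches the client, as the post notes, will still get past it.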