[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 16:36:49 +0100 (CET)

On Thu, 2 Dec 2004, James Yonan wrote:

On Fri, 3 Dec 2004, Mathias Sundman wrote:

The subject was a bit of a joke, but hounestly -- It's a hugh security

There was a discussion a while ago about adding a "Save password" feature
to OpenVPN GUI. I and several others objected to this as it kinda kills
the benefit of a passphrase protected private key.

Recently the same feature was requested again on the OpenVPN GUI web
forum by user whose administrator had given him a private key protected by
a very long and hard to remember passphrase. IMHO his administrator did a
bad thing in first place using such a hard passphrase as its only causing
users to look for workarounds like this did.

I'm a bit a shamed, but as I'm a believer of "security should not be
enforced by obscurity", I told him that he could get around it by using
the --askpass option to load the passphrase from a file.

But - I don't like it! I'd hang my users if I found out they did this, and
I think it is far to easy todo now, and hard to control for the

As the key is loaded and decrypted on the client side we will never have
FULL control on the server side what happends on the client side, but we
could at least make it harder for users to circumvent security like this.

Two ideas:

* Do we really need the [file] parameter on the --askpass option? On
servers I don't see the benefit of protecting the key in the first place
if we're going to save the passphrase in an other file. On clients it was
useful to be able to pass a passphrase from a GUI to OpenVPN via a file,
but I only see this as a workaround. Now we have a great management
interface that can be used for this.

I'm not using this feature in OpenVPN GUI and don't see any future need
for it either. Is there anyone else using this feature (not to circumvent
security!) ?

* Could we make the openvpn client inform the server that a passphrase has
been loaded from a file, so an option on the server could be used to cause
an immediate disconnection if that was the case.

Yes, this can certainly be circumvented by patching the openvpn client
pretty easily for a programmer, but at least we have made it a lot harder
for normal users.

I would tend to leave the decision on whether or not to allow password saving to the admin, rather than force a policy.

How about a ./configure option such as --disable-password-save (and
corresponding #define flag for Windows build in config-win32.h)?

This flag would then disable the optional file argument to --askpass and

That could be a solution -- if we reverse it! Make the option disabled by default, so you have to use --enable-password-save on ./configure to get this feature. This would mean thay binary distributions, and typical builds by normal users will lack this feature.

Those few people who need to setup an un-attended system with a passphrase protected key can go through the trouble of building their own openvpn binary from source.

This will make it alot harder for normal users to circumvent security.

Another way of dealing with it is like we discussed to do it with the GUI, by having a PUSHable option that would cause the openvpn client to abort the connection if the passphrase had been read from a file. The very same option could then also be used by a GUI to control whether to allow a user to save the passphrase or not.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail